Examining A Sodinokibi Attack
Sodinokibi was behind several notable attacks last year. In this entry, we describe its attack process using some of the examples we encountered.
Save to Folio
Sodinokibi?was first detected in April 2019 and linked to the retired?GandCrab.?From that point on,?Sodinokibi?launched?several high-profile attacks?that continued throughout 2020,?thus?making?a name for itself as one of the?ransomware families?that?should?be watched out for.?Here we describe?Sodinokibi’s?typical attack process.
Technical analysis?
The threat actors behind?Sodinokibi?typically hire?a?variety of affiliates for their initial access.?Their attacks often begin with familiar?techniques like?malspam?emails with?spear-phishing?links or attachments, RDP access?that uses?valid accounts, compromised websites, and exploits.?They also use techniques that indicate their targeted approach.
Initial access?
We observed the use of several of these initial access techniques.?For example,?as with campaigns, we saw the use of the??vulnerability?and?observed an instance where?Sodinokibi?was?loaded in?the?memory of?PowerShell?through reflective-load instead of?binary execution. We also saw?malspam?that led?to?the use of?a?macro to download and execute?the malware.??
?and??are also used?by the malware, as well as compromised valid accounts. This?allows the threat actors?to drop?and?execute?other components like the?anti-antivirus, exfiltration tools,?and finally?Sodinokibi?itself.?
Lateral?movement and?evasion?tactics?
Sodinokibi,?like many ransomware families known today,?have a targeted approach with regard?to their campaigns.?In line with this,?we observed the use of?RDP and?PsExec?for lateral movement?—?a?sign of targeted attacks?—?to drop?and?execute?other components and the ransomware itself.??
We also observed?that?PC?Hunter?and?Process?Hacker?are?used?to terminate services or processes,?especially?those services and processes that are?related?to?antivirus software.?
Once the system is infected,?Sodinokibi?sends?a report and system information?to its?command-and-control (C&C)?server. It?generates?a pseudorandom URL based on a fixed format and generation to add to a list?of?domains?in?its configuration.??
Security recommendations?
Sodinokibi?has been known to target high-profile entities?and uses notable evasive?tactics. Organizations?should,?therefore,?be wary of its techniques. For now, here are some best practices to prevent similar ransomware attacks:
- Avoid opening unverified emails or clicking on their embedded links, as these can start the ransomware installation process.?
- Back up your important files using the 3-2-1 rule: Create three backup copies on two different file formats, with one of the backups in a separate location.?
- Regularly update software, programs, and applications, to ensure that your apps are current, with the latest protections from new vulnerabilities.
If you believe that your organization?has been?affected by this campaign, visit??for the available live casino online solutions that can help detect and mitigate any risks from this campaign.?
Indicators of Compromise (IOCs)
SHA256 |
Detection name |
04ae146176632509ab5239d0ec8f2447d7223090 |
|
10682d08a18715a79ee23b58fdb6ee44c4e28c61 |
|
169abe89f4eab84275c88890460a655d647e5966 |
|
20d90f04dcc07e1faa09aa1550f343c9472f7ec6 |
|
2a75db73888c77e48b77b72d3efb33ab53ccb754 |
|
58d835c3d204d012ee5a4e3c05a06e60b4 316d0e |
|
Ce0c8814d7630f8636ffd73f8408a36dc0e1ca4d |