OVERVIEW
Sodinokibi (aka Sodin, REvil) is a prolific ransomware which came to widespread attention in April 2019. Sodinokibi is a ransomware that is distributed as a Ransomware-as-a-Service. There is significant speculation that the operators of Sodinokibi are the same as those behind GandCrab.
The actors behind Sodinokibi have previously used the threat of information disclosure to attempt to coerce payment. Information is disclosed on their TOR site, the Happy Blog.
TARGETING
As Sodin ransomware is commercially available as Ransomware-as-a-Service (RaaS) targeting will depend upon the actors using it.
DELIVERY
Sodinokibi has been observed being delivered using the following methods:
- Malicious Spam (malspam) – this is extremely widely distributed spam with malicious links or attachments. These messages often feature un-targeted, highly generalized lure content. Malspam is often generated by various botnets or other malware infections as a means of further propagating itself.
- Raw Exploits – this method of delivery includes the exploitation of specific vulnerabilities, but not included in an overall exploit kit, in order to deliver the malware onto a system. Sodin ransomware has been known to attempt to exploit CVE-2019-2725.
- Exploit Kit – this method of delivery involves the use of an exploit kit, a tool designed to be remotely hosted (often on compromised ad servers) that then serve up malicious code to all users that navigate to the site and which attempts to exploit specific applications on a system. Sodin ransomware has been observed using the RIG Exploit Kit (RIG EK, RIGEK).
SODINOKIBI INSTALLATION
The Sodin ransomware, before completing its actions on objectives uses GetKetboardLayoutList to determine the current language of the keyboard. The ransomware will not execute if the value is between \x18 and \x44 (inclusive).
Therefore if Sodinokibi detects any of these keyboard layouts, it will cease operation.
The ransomware contains a configuration file that it encrypted within the main binary. Once it decrypts the binary, Sodin ransomware has been observed attempting to exploit CVE-2018-8453.
SODINOKIBI PERSISTENCE
The ransomware achieves persistence through a key in
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SODINOKIBI COMMUNICATION
Sodinokibi does not require immediate access to a command and control (C2) node in order to proceed. This allows the malware to operate with no Internet connectivity, which is rare for ransomware.
