Sodinokibi ransomware has been wreaking havoc across the globe, hitting high-profile targets like CTAG, one of Europe’s leading automotive research centers, and a housing association in the U.K. Sodinokibi ransomware is currently ranked as one of the most widely distributed ransomware strains worldwide making it a nightmare for the corporate sector.
By Jeff Stout, Chief of Operations, BeforeCrypt GmbH
So, what makes Sodinokibi so dangerous, and how can you protect yourself and your organization?
The Sodinokibi Threat
Sodinokibi is one of the most common variants of ransomware used by the REvil ransomware gang. It’s especially dangerous because the gang is highly skilled at exfiltrating data which it uses to “double-extort” victims. Ordinary ransomware attacks only encrypt data, locking users out of their own system, and forcing them to pay to regain access to their files.
Data exfiltration attacks collect sensitive data and then demand more money from victims to keep the data private. For some companies, particularly in the finance, legal and health sectors, leaking client data can cause a devastating blow to their reputation. When hackers obtain data, they threaten to publish it on the dark web. In this way, they can demand much larger ransoms.
For this reason, REvil intentionally targets businesses and organizations that are responsible for safeguarding important client data. A ransomware attack with data exfiltration can be more complicated to deal with than a normal encryption attack because of the legal implications of data breaches.
In recent months, Sodinokibi has become even more dangerous as it made the jump from Windows to Linux. Since most servers run on Linux, this means the virus is now even more capable of targeting large corporate or governmental networks.
REvil’s Modus Operandi
REvil is one of the most prolific ransomware gangs in the world. Part of the secret to their success is the use of affiliates to shield themselves. They develop sophisticated ransomware software and then license it out to other criminals in exchange for a percentage of the profits. This approach is termed “ransomware-as-a-service” (RaaS). Some of these affiliates have been arrested, but it doesn’t appear to have any effect on the core gang, which simply recruits new affiliates.
Many experts believe that Sodinokibi was designed by the same hackers who developed GandCrab, Sodinokibi’s predecessor, which collected over $2 billion in ransoms before its retirement.
Since the developers of the software don’t conduct the attacks themselves, they are able to specialize and develop more advanced viruses that are more difficult to detect and can circumvent antivirus software. Sodinokibi is one of the most effective ransomware in terms of data exfiltration; it’s estimated that over 50% of Sodinokibi attacks lead to data exfiltration.
How Sodinokibi attacks happen, and how to protect against them?
The majority of Sodinokibi attacks are highly targeted in nature. Jeff Stout, a ransomware expert at BeforeCrypt, a firm specializing in ransomware recovery and decryption, says that in most cases, Sodinkobi infiltration occurs via phishing.
“Our case data shows that less than 20% of Sodinokibi cases involve random brute force attacks against vectors such as RDP, with the vast majority of attacks being highly targeted and perpetuated as part of sophisticated spear-phishing attacks employing exploits with various characteristics.”
Spear phishing attacks are becoming more sophisticated all the time, and hackers are increasingly known to effectively impersonate trusted businesses, partners, or even family and friends in order to trick victims into clicking malicious links.
The risk of these attacks can also be reduced substantially by adopting strict guidelines to ensure that employees don’t do any personal communications on work computers or networks. Social media giant Twitter was recently hit by a spear-phishing attack that infiltrated the network by targeting employees’ phones. Similar attacks have hit dozens of other companies since.
Training employees to carefully verify all links and downloads before clicking on them is a good start, but a highly effective ransomware prevention strategy may even require some level of structural reorganization. For example, many targeted attacks will attempt to trick dozens of employees before one falls for it, so by adding tiers of access levels to networks and limiting the number of employees with the access necessary to mount an attack, it’s possible to lower the chances of a successful attack.
Of course, there are still a small number of Sodinokibi attacks that utilize conventional exploits. This risk can be minimized by normal countermeasures, like strong antivirus software, regularly updating all software, and keeping up to date with exploit databases.
What to do if you get hit?
There is no easy way out of a Sodinokibi attack. Like most ransomware, Sodinokibi uses military-grade encryption, so there are no free Sodinokibi decryption tools. It’s a bitter pill to swallow, but the reason many organizations pay ransoms is nothing more than an economic decision; if the cost of the ransom is less than the cost of the data loss that would result from not paying it, it just makes sense to pay it. However, paying ransoms empower the hackers who deploy them, so if a company can handle a loss it’s a more responsible decision to take their losses and start from scratch.
Paying a ransom is not as simple as it might sound, however. Ransomware gangs using Sodinokibi will often demand a first ransom to decrypt the data and restore access to a network and then ask for a second ransom to keep the data private. In some cases, attackers will demand a third ransom even after the second one. For this reason, experts track the behavior of individual gangs in order to know what to expect and how to best deal with them.
Contracting a ransomware incident response team can be worthwhile, as specialists have a good idea of what to expect from different gangs. This makes it easier to calculate the real cost of the attack and make a more informed decision about whether or not paying the ransom is the most economical decision.
When will it end?
Unfortunately, it appears that dealing with ransomware, as well as the data exfiltration threat, may become the new normal. Both GandCrab and Sodinokibi were designed with code embedded which prevents them from infecting computers in Russia, Iran, and former Soviet countries. This indicates that the hackers may be operating with the approval of a government in that region.
Since the criminals behind it may have some level of state protection, it is very difficult to bring them to justice. This means organizations of all shapes and sizes must devote more time and resources to their cybersecurity training, especially when it comes to employee training and awareness. This means increased cybersecurity budgets are needed, but the longer the ransomware epidemic continues, the clearer it becomes that these costs are insignificant compared to the costs of falling victim to ransomware extortion.
CISO MAG did not evaluate the advertised/mentioned product, service, or company, nor does it endorse any of the claims made by the advertisement/writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.