Businesses are familiar with the Software-as-a-Service concept (SaaS). In this cloud service model, subscribers access the software they want without hosting it on their servers. The package usually also includes storage space for operational data.

SaaS is an ideal model for hacker teams that want to collaborate with other groups without sharing their code. Instead of sending their programs over to the other team, the creating hackers set up a portal. This hosts the malware package and runs it on demand once the user enters parameters for the attack, such as a file with a list of email addresses to mail out to.

The RaaS model isn’t quite the same as SaaS because it isn’t open to all. The owning hacker group looks for partners among groups who want to do the legwork and research targets. The developers then give the other team access to their RaaS for one specific, agreed attack campaign. When the attack occurs, the two groups share the payment that is received.

RaaS attacks

Many ransomware attack campaigns involve sending hundreds of thousands of emails with an installer disguised in a document as an attachment. Hackers running these schemes are playing a numbers game. They figure that a certain percentage of recipients will believe the scam in the email message. A percentage of that number will open the attachment and activate the installer. Of those victims that get infected, a portion will decide to pay the ransom.

Mass mailshot ransomware attacks are usually aimed at the general public and ask for a relatively low ransom – sometimes as low as $10. Ransomware campaigns aimed at large corporations need to be a lot more sophisticated. They take a lot of time to set up and involve doxing an individual who works in the business. Hackers working on these campaigns can take months to investigate the organization and the people who work there. They map the organizational hierarchy, looking for a target that will have elevated access privileges.

Targeted ransomware campaigns take a lot of time and require specialist skills. However, they also reap very high rewards per sting that far exceed the amount of money that can be made from scamming many people for a small amount of money per hit.

The Sodinokibi ransomware is used for targeted, high-value attacks. It pairs sophisticated software, supplied by one team of experienced programmers, with several specialized social-profiling con artist groups. Each team focuses on its core skill.

Where does Sodinokibi ransomware come from?

Sodinokibi is also known as Ransom Evil and REvil. The hacker team behind it is identified by the same name. Cybersecurity analysts invent these names; the team itself does not identify itself in its attacks.

The REvil group is one of the lesser-known hacker teams. One thing that is known about it is that the group is based in Russia. Cybersecurity analysts suspect that the REvil group is a relaunch of the GandCrab hacker team, because REvil emerged in April 2019, just before GandCrab announced its dissolution. The GandCrab hacker team is judged to be responsible for about 40 percent of all ransomware infections in the world to date. They were the leading experts in the field, and the exceptional skills of the Sodinokibi group are another indication that its members were once part of GandCrab.

The Russian military intelligence, the GRU, works with several hacker teams to produce weapons for its hybrid warfare strategy. NotPetya, developed by Sandworm, and BadRabbit, from the BlackEnergy group, are two examples of this formula, which both produced ransom attack campaigns to undermine the security of Ukraine.

Sodinokibi ransomware is not part of this hybrid warfare syndicate. It is the product of an independent hacker group that is motivated by profit. However, the software displays some typical traits of Russian malware, which is how analysts were able to settle on a likely source location for the ransomware.

The encryption program embedded in the software package won’t operate on targets if it detects that the system language is set to Russian or one of the languages of former Soviet Union states. This exception is very typical of Russian-produced malware. This is probably less out of patriotism and more due to pragmatism. The Russian authorities rarely prosecute hackers as long as they don’t launch attacks within Russia or one of its allies.

How does a Sodinokibi attack work?

The code for the Sodinokibi ransomware is very well written, and its structure makes it difficult to detect. Unlike most ransomware, the entire program is self-contained – it doesn’t call APIs on remote servers. This removes its susceptibility to many signature-based antivirus products. The system requires Admin privileges to run, which is why attackers need to target its delivery at a specific user account within a business.

The target user is enticed by a range of phishing emails, each containing a link purporting to be for a necessary download. Attacks are usually well researched, and each email is written individually, so the topic of its content could be on any subject. The initial download is written in JavaScript, and when the user double-clicks on it, the program executes with WScript.

Because JavaScript runs from source rather than from a compiled binary, the Sodinokibi code is obfuscated and decoded in stages as the program runs. There are also several PowerShell routines in the code, which are likewise obfuscated. The system includes processes to bypass User Account Control (UAC) checks.
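The delivery chain just described (a JavaScript file run by WScript, which then launches obfuscated PowerShell) leaves a recognisable parent/child pattern in process-creation telemetry. The following is an added example, not code from the original article or from any vendor: it parses constructed, Sysmon-style process records (the `key=value|key=value` layout, the PIDs and the command lines are all invented for this example) and flags a script host launching a `.js` from a user-writable folder, and PowerShell spawned by a script host, decoding any `-EncodedCommand` argument so an analyst can read what it would run.

```python
"""Added example: flag the wscript -> PowerShell delivery chain in process-creation telemetry.

The record layout and every sample line below are constructed for this example; they
are not real Sodinokibi artifacts. Field names mimic Sysmon process-creation events.
"""
import base64
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Directories an ordinary user can write to; a script launched from one of these was
# most likely saved from a mail client or browser rather than deployed by IT.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")

ENCODED_FLAG = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
HIDDEN_FLAG = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
JS_ARG = re.compile(r"\.jse?\b", re.I)

# Constructed sample telemetry: pids 2000 and 2100 form the chain the text describes,
# pids 3000 and 4000 are benign scripting activity that must not be flagged.
SAMPLE_EVENTS = [
    r"ProcessId=1000|ParentProcessId=800|Image=C:\Windows\explorer.exe|CommandLine=C:\Windows\explorer.exe",
    r'ProcessId=2000|ParentProcessId=1000|Image=C:\Windows\System32\wscript.exe|CommandLine="C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.js"',
    r"ProcessId=2100|ParentProcessId=2000|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -NoProfile -w hidden -EncodedCommand SQBFAFgA",
    r"ProcessId=3000|ParentProcessId=1000|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File C:\Scripts\backup.ps1",
    r"ProcessId=4000|ParentProcessId=1000|Image=C:\Windows\System32\cscript.exe|CommandLine=cscript.exe C:\Windows\System32\slmgr.vbs /dlv",
]


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    command_line: str

    @property
    def name(self) -> str:
        """Lower-cased executable name without its directory."""
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'key=value|key=value' record (constructed layout) into a ProcessEvent."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(int(fields["ProcessId"]), int(fields["ParentProcessId"]),
                        fields["Image"], fields["CommandLine"])


def decode_encoded_command(command_line: str):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(events):
    """Return a list of findings, one dict per suspicious process."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        cmd = e.command_line.lower()
        # Rule 1: a script host executing a .js/.jse that lives in a user-writable path.
        if e.name in SCRIPT_HOSTS and JS_ARG.search(cmd) and any(p in cmd for p in USER_WRITABLE):
            findings.append({"pid": e.pid, "rule": "script-host-ran-js-from-user-path",
                             "severity": "medium", "detail": e.command_line})
        # Rule 2: PowerShell whose parent is a script host; encoded or hidden raises severity.
        parent = by_pid.get(e.ppid)
        if e.name in POWERSHELL and parent is not None and parent.name in SCRIPT_HOSTS:
            decoded = decode_encoded_command(e.command_line)
            severity = "high" if decoded is not None or HIDDEN_FLAG.search(cmd) else "medium"
            findings.append({"pid": e.pid, "rule": "script-host-spawned-powershell",
                             "severity": severity, "detail": decoded or e.command_line})
    return findings


def run(lines=SAMPLE_EVENTS):
    """Parse and analyse a batch of records; defaults to the constructed sample."""
    return analyse([parse_event(line) for line in lines])


if __name__ == "__main__":
    for f in run():
        print(f"[{f['severity']}] pid {f['pid']}: {f['rule']} :: {f['detail']}")
```

Run as-is, the script reports pid 2000 (wscript running a `.js` from a Downloads folder) and pid 2100 (PowerShell spawned by wscript, with the constructed encoded argument decoded to `IEX`); the scheduled backup script and the licensing `.vbs` under System32 are not reported. In production the same two rules map directly onto Sysmon Event ID 1 or Windows Security event 4688 fields.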

The ransomware exploits an Oracle WebLogic Server vulnerability to get onto a computer. Once it is operating on one device on the network, it can move laterally through the transport services of WebLogic Server to other endpoints without the need for credentials specific to those devices. The use of WebLogic Server to manage websites also makes those systems vulnerable to ransomware. The encryption process also seeks out backup servers and encrypts those as well.

Data files are encrypted with the Salsa20 cipher, and communications with the ransomware control server are protected by AES encryption. The ransomware also extracts data from files and transfers it to the Sodinokibi servers. Part of the threat issued by the hackers is that they will publish discovered data on their website, which is called Happy Blog, if the ransom is not paid.

The Sodinokibi ransom

Cybersecurity analysts report that the Sodinokibi ransomware demands a payment of 0.32806964 Bitcoin, which is about $11,800. However, individual ransom demands made with attacks on high-profile legal and entertainment businesses have been much higher. The group claimed that they expected to earn $100 million in 2020.

If the group doesn’t do a deal to get the ransom out of a target, it will attempt to sell the stolen data to others, leaving the victim with locked files that cannot be accessed. This occurred in May 2020, when the group claimed to have attacked President Donald Trump. They demanded $42 million but didn’t get it, so they sold the reaped data to someone else for an undisclosed sum.

Lady Gaga refused to pay a ransom in May 2020 for documents relating to her that were encrypted in the computers of her legal advisers. The group released those documents to the public. A threat to release documents about Madonna in the same month was called off. Possibly, the singer paid the ransom at the last minute.

In 2021, the Sodinokibi group launched a series of attacks on large organizations, including one on the computer manufacturer, Acer. The group demanded $50 million rising to $100 million after the initial deadline was missed. The group also attacked Quanta Computer, a supplier of Apple, and demanded $50 million. In May 2021, Brazilian meat processing enterprise JBS S.A. paid a ransom of $11 million.

Remember, the Sodinokibi group doesn’t attack anyone directly. Other cybercriminals do the dirty work, and Sodinokibi gets a cut for supplying the ransomware.

Defending against Sodinokibi ransomware

The Sodinokibi ransomware is still in operation. It is a RaaS system that can be used as a tool by other hackers. There are many hackers around the world who have social profiling skills but no programming capabilities. The Sodinokibi ransomware is very well written and can avoid detection by traditional antivirus systems.

Sodinokibi ransomware downloads onto Windows and needs Administrator privileges. It is only a threat to businesses running Oracle WebLogic Server. If you allow Administrator access to all users on their endpoints, you make your entire system vulnerable, because the Sodinokibi ransomware only needs elevated privileges on the first computer it infects. From there, it can get into other devices without having high access rights to those endpoints.

The first defense you should implement is to educate users against following links in emails or downloading attachments. You should also look at ways to remove Administrator privileges from ordinary users, so only IT support technicians have that access level.

If you don’t run Oracle WebLogic Server, you don’t need to worry about Sodinokibi ransomware. However, this is not the only ransomware in circulation, so you will need to install intelligent security systems to protect against them.

The best tools to defend against Sodinokibi ransomware

In almost every case, ransomware gets onto your system through user actions. Users get tricked into downloading or installing this malware category. So, the tools you need to protect against this type of malware are endpoint detection and response systems.

Data about clients and individuals is always a target for hackers. You need specialized software to protect this information from tampering or theft.

Here are two excellent security packages that you should consider.

1. CrowdStrike Falcon Insight

CrowdStrike Falcon Insight is an endpoint detection and response package that includes modules installed on each endpoint plus a cloud-based monitoring system. The two halves of the system interact with the device agents uploading activity data and the controller sending back threat intelligence and response commands.

The endpoint agent is a substantial security package. It can continue to protect an endpoint even if it is cut off from the network and the Internet. This endpoint protection system is also available as a standalone package, called CrowdStrike Falcon Prevent.

The coordinated monitoring system of Insight is helpful for protection against Sodinokibi and other ransomware that can spread. As soon as one device agent spots suspicious activities, the agents on all other devices are put on high alert. The system can implement threat mitigation, including automated responses that can suspend a user account and isolate a device from the network to stop the ransomware from spreading.

The cloud-based Insight controller is also fed threat intelligence from CrowdStrike, passed on in algorithm updates to the endpoint agents. The security system doesn’t rely on a list of malware files to look out for; instead, it searches all activity for suspicious behavior. It is ideal for spotting zero-day attacks.

You can get a 15-day free trial of Falcon Prevent.

Pros:

  • Excels in hybrid environments (Windows, Linux, Cloud, BYOD, etc.)
  • Intuitive admin console makes it easy to get started and is accessible in the cloud
  • Can track and alert on anomalous behavior over time, and improves the longer it monitors the network
  • Powered by a backend intelligence platform – ideal for identifying new threats

Cons:

  • Would benefit from a longer trial period

2. ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus is designed to protect data and files. This is an on-premises software package that installs on Windows Server, and it monitors devices that run Windows – connecting across the network. This security system is suitable for businesses complying with PCI DSS, HIPAA, and GDPR.

DataSecurity Plus performs a data discovery routine that finds and then categorizes all sensitive data held by the business. It also has a file integrity monitor. This immediately spots any unauthorized changes to files and raises alerts. You would discover the activity of Sodinokibi the second it tried to encrypt the first file, and the malware wouldn’t get a chance to spread before being noticed.
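To show what a file integrity monitor actually has to do to catch the start of an encryption run, here is an added example written for this article; it is not ManageEngine code and does not reflect how DataSecurity Plus is implemented. It baselines a folder with SHA-256 hashes, re-scans, and reports changed, new and deleted files. On top of the plain integrity diff it adds one ransomware-specific heuristic: a burst of changed or new files whose bytes have near-maximal Shannon entropy, which is what ciphertext looks like and what normal documents do not. The demo scenario (folder contents, a benign edit, then random bytes standing in for encrypted output plus a `.locked` rename) is constructed; the entropy and burst thresholds are assumptions you would tune for your own data.

```python
"""Added example: a minimal file-integrity monitor with a mass-encryption heuristic.

Everything here is illustrative; the demo files, the ".locked" extension and both
thresholds are constructed assumptions, not observed Sodinokibi behaviour.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits per byte; text and office documents sit well below this
BURST_THRESHOLD = 3       # this many high-entropy changes in one scan raises the alarm


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def snapshot(root):
    """Map each regular file (path relative to root) to its (sha256, entropy)."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            result[str(p.relative_to(root))] = (hashlib.sha256(data).hexdigest(),
                                                shannon_entropy(data))
    return result


def diff_snapshots(baseline, current):
    """Compare two snapshots and decide whether the changes look like mass encryption."""
    changed = sorted(p for p in baseline if p in current and baseline[p][0] != current[p][0])
    new = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    # Files that were written since the baseline and now contain ciphertext-like bytes.
    high_entropy = [p for p in changed + new if current[p][1] >= ENTROPY_THRESHOLD]
    return {"changed": changed, "new": new, "deleted": deleted,
            "high_entropy": high_entropy,
            "alarm": len(high_entropy) >= BURST_THRESHOLD}


def demo():
    """Constructed scenario: baseline five text files, make one benign edit, then
    simulate an encryptor overwriting and renaming the rest."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for i in range(5):
            (root / f"report{i}.txt").write_text("Quarterly figures, line " * 40)
        baseline = snapshot(root)

        # A legitimate edit: the file changes but stays plaintext, so no alarm.
        (root / "report0.txt").write_text("Quarterly figures, revised " * 40)
        benign = diff_snapshots(baseline, snapshot(root))

        # Simulated encryption: random bytes stand in for ciphertext (no cipher is used),
        # followed by the kind of extension rename many encryptors perform.
        for i in range(1, 5):
            target = root / f"report{i}.txt"
            target.write_bytes(os.urandom(4096))
            target.rename(root / f"report{i}.txt.locked")
        attack = diff_snapshots(baseline, snapshot(root))
    return benign, attack


if __name__ == "__main__":
    benign, attack = demo()
    print("benign edit :", benign)
    print("simulated run:", attack)
```

The benign edit produces one changed path and no alarm; the simulated run shows four deletions, four new high-entropy `.locked` files and `alarm: True`. A real monitor would watch the filesystem continuously (inotify, ReadDirectoryChangesW, or a driver) rather than re-hashing on demand, and would pair the alarm with the account and process that made the writes, which is the context the text above describes.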

DataSecurity Plus is available for a 30-day free trial.

Pros:

  • Provides a detailed account of file access, allowing sysadmins to understand the context of a file change – great for preventing ransomware
  • The platform can track access trends over time, allowing for better malicious behavior detection
  • Supports built-in compliance reporting for popular standards such as HIPAA, PCI DSS, and FISMA
  • Can integrate with numerous helpdesk solutions, notification platforms, and backup systems

Cons:

  • Requires a sizable time investment to fully explore all the platform’s features and tools