eSolutions warning: Sodinokibi ransomware keeps evolving and is considered a next big threat on the cryptovirus scene

Sodinokibi ransomware uses former Windows zero-day vulnerability and increases ransom demands to $2000-$5000

Attackers are actively spreading around the world and using various methods like system vulnerabilities and exploit kits they install the newest versions of Sodinokibi ransomware. Discovered back in May, this threat started to spread with more dangerous campaigns this July with its versions REvil and Sodin also considered as alternate names for the same virus developed by former GandCrab virus developers.

Various theories about relations to other hacker groups and distribution methods surfaced media outlets, and researchers have analyzed recent campaigns of this threat to report that the newest Sodinokibi attacks exploited known vulnerabilities like CVE-2018-8453. This ransomware-as-a-service has been distributed online as open-source and even included in affiliate programs.

The most recent Sodinokibi attacks

Virus, already known as REvil or Sodin, focuses on file-locking and encryption with ransom demands that recently were almost doubled than the common amount. This cryptovirus makes up to $5000 from each individual victim by locking their data. Unfortunately, paying doesn’t assure the file recovery, so victims end up losing their files and money at the same time.

The newest campaigns in May 2019 included targets like Germany and more countries in Europe and used CVE-2019-2725 vulnerability to install the payload on the targeted machine. However, attacks at the beginning of July were even more concerning because more than one system flaw got used to target countries in the Asia-Pacific region, Latin America and North America. Users in countries like Taiwan, Hong Kong, and Korea were the most affected.

The increased amount of ransom and a rise in the number of attacks expected

Sodinokibi ransomware operations are not that common only for the payload dropping method that includes exploiting the vulnerable server. Typically, such infections like ransomware need to be triggered by the victim when the executable is launched via a malicious link or infected file attachment from legitimate-looking emails. In this case, the virus downloads an executable file directly on the server or system and launched needed processes without the involvement of the initial victim.

The ransom amount for this threat only starts at $2500 and can go up to $5000 or even tens of thousands. This is how cyber crooks make a profit from each victim, especially when the person is eager to get encrypted data back to normal. Unfortunately, this threat uses more sophisticated methods to fall under the radar of cybersecurity researchers and manages to affect many victims around the globe.

Unfortunately, even though Windows vulnerabilities exploited by the virus got patched by Microsoft, threat actors can find new ways to install malware and use exploit kits that are distributed on dark web forums and other online sources. Experts still expect a rise in the number of attacks involving this Sodinokibi malware, o keep your devices up-to-date and Widnows OS patched to avoid falling victim to Sodin or REvil.

Posted in, support.