SODINOKIBI RANSOMWARE (REvil)

Introduction

Sodinokibi ransomware, also known as REvil, first appeared in 2019, when it was distributed through exploitation of CVE-2019-2725, a deserialization vulnerability in Oracle WebLogic Server. The flaw allows unauthenticated remote code execution over HTTP, so the threat actors could compromise any WebLogic server whose web interface was reachable, without needing credentials.
Sodinokibi is currently the most widespread active ransomware family and has been recorded targeting organisations of all sizes across many countries.
At the time of writing there is no decryptor for any active Sodinokibi variant. The average ransom demand is about $300,000, payable in Bitcoin through the payment website whose address is given in the ransom note.

Modus Operandi

Initial access

The infection vectors used by the threat actors include spam emails, exploit kits and other affiliated malware campaigns. Besides exploitation of CVE-2019-2725, GrandSoft and RIG are the two exploit kits most often used to distribute Sodinokibi. The spam campaigns aim to trick targets into opening an obfuscated JavaScript file contained inside an attached ZIP archive.

Installation

When the victim runs the JavaScript file, it decodes and launches a PowerShell script that attempts a UAC bypass and then injects the Sodinokibi loader into an existing process. The loader checks whether its process token already carries administrative membership via the CheckTokenMembership API. If it does not, Sodinokibi writes its own path to a registry key and launches CompMgmtLauncher.exe, an auto-elevating Windows binary, through a new instance of explorer.exe, so that the payload is re-executed with elevated rights; the PowerShell script repeats this step until the infected process holds enough privilege for the payload to be installed, stored and executed. During payload execution, Sodinokibi also reads the victim's primary keyboard layout identifier and compares it against a list embedded in its configuration: if the layout matches one of the excluded countries, the ransomware aborts the attack, because the operators avoid infecting machines in those countries.

Encryption

Before encrypting any files, Sodinokibi deletes all volume shadow copies on the victim's machine with vssadmin.exe and disables Windows recovery with bcdedit.exe. It then searches for directories named "backup", overwrites their contents with random bytes and deletes the files, so recovery from local backups is practically impossible.
Finally, Sodinokibi encrypts files using a hybrid scheme: file contents are encrypted with Salsa20, while 256-bit AES is used to protect the session keys and the data sent to the C&C server. Because the per-file Salsa20 keys are only recoverable through the wrapped session keys, the files cannot be restored without the operators' keys.
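The installation and pre-encryption steps above leave host artefacts that a detection engineer can alert on: the registry write used by the CompMgmtLauncher.exe UAC bypass (the mscfile shell\open\command handler), CompMgmtLauncher.exe starting after that write, and the vssadmin/bcdedit command lines that wipe shadow copies and disable recovery. The following Python is an added example, not code from the original page or from any vendor; it runs four such rules over constructed Sysmon-style events (event ID 1 = process creation, 13 = registry value set) embedded inline. The event field names and the sample command lines are assumptions chosen to resemble commonly reported tooling, and the CompMgmtLauncher rule is deliberately stateful so that a benign launch (a user clicking "Manage" on This PC) is not flagged unless the handler hijack was seen first.

```python
import re
from dataclasses import dataclass

# Assumed Sysmon-like event schema (constructed for this example, not real telemetry):
#   eid 1  -> process creation: image, parent, cmdline
#   eid 13 -> registry value set: image, target, details
SAMPLE_EVENTS = [
    # Benign: user opened Computer Management from explorer; no hijack seen yet.
    {"eid": 1, "image": r"C:\Windows\System32\CompMgmtLauncher.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "CompMgmtLauncher.exe"},
    # New explorer.exe spawned by the script host that ran the malicious JavaScript.
    {"eid": 1, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmdline": "explorer.exe"},
    # Handler hijack used by the CompMgmtLauncher.exe UAC bypass.
    {"eid": 13, "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Classes\mscfile\shell\open\command\(Default)",
     "details": r"C:\Users\alice\AppData\Local\Temp\sod.exe"},
    # Auto-elevating binary launched right after the hijack: now suspicious.
    {"eid": 1, "image": r"C:\Windows\System32\CompMgmtLauncher.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "CompMgmtLauncher.exe"},
    # Shadow copy deletion and recovery disabling before encryption.
    {"eid": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"eid": 1, "image": r"C:\Windows\System32\bcdedit.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    # Noise that must not fire.
    {"eid": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

# Registry path used by the known CompMgmtLauncher.exe UAC bypass (any hive prefix).
MSCFILE_HIJACK = re.compile(r"\\Software\\Classes\\mscfile\\shell\\open\\command", re.I)
COMPMGMT = re.compile(r"\\CompMgmtLauncher\.exe$", re.I)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
RECOVERY_OFF = re.compile(
    r"bcdedit(\.exe)?\s+/set\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
    re.I,
)


@dataclass
class Finding:
    index: int      # position of the triggering event in the input stream
    rule: str
    evidence: str


def scan(events):
    """Return findings for the Sodinokibi installation/pre-encryption artefacts.

    Events are processed in order; CompMgmtLauncher.exe launches are only reported
    once a mscfile handler hijack has been observed earlier in the stream.
    """
    findings = []
    hijack_seen = False
    for i, ev in enumerate(events):
        if ev["eid"] == 13 and MSCFILE_HIJACK.search(ev.get("target", "")):
            hijack_seen = True
            findings.append(Finding(i, "mscfile_handler_hijack", ev["target"]))
        elif ev["eid"] == 1:
            cmd = ev.get("cmdline", "")
            if COMPMGMT.search(ev.get("image", "")) and hijack_seen:
                findings.append(Finding(i, "compmgmtlauncher_after_hijack", ev["image"]))
            elif SHADOW_DELETE.search(cmd):
                findings.append(Finding(i, "shadow_copy_deletion", cmd))
            elif RECOVERY_OFF.search(cmd):
                findings.append(Finding(i, "windows_recovery_disabled", cmd))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.rule} <- {f.evidence}")
```

Run against the constructed stream, the scanner reports the hijack (event 2), the CompMgmtLauncher.exe launch that follows it (event 3), the vssadmin deletion (event 4) and the bcdedit change (event 5), while the benign CompMgmtLauncher.exe launch at event 0 and notepad.exe stay silent. In production the same rules map onto Sysmon event IDs 1 and 13 or Security event 4688 with command-line auditing enabled; the shadow-copy and bcdedit rules are high-confidence on their own, whereas the registry rule should be correlated with the subsequent launch exactly as done here.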

Command and Control

After all files have been encrypted, Sodinokibi sends data including system information and the encryption keys to a list of randomly generated URLs that resolve to its C&C infrastructure.