SODINOKIBI RANSOMWARE (REvil)
Sodinokibi ransomware, also known as REvil, first appeared in 2019, when it was distributed by exploiting the CVE-2019-2725 vulnerability in Oracle WebLogic Server. The threat actors were able to gain access to WebLogic servers that were reachable over HTTP.
Sodinokibi ransomware is currently the most widespread active ransomware and has been recorded targeting organisations of all sizes in many countries.
There is no decryptor for any of the active variants of Sodinokibi ransomware, and the average ransom demanded is $300,000 in Bitcoin, payable via the website address provided in the ransom note.
Before Sodinokibi encrypts any files, it uses vssadmin.exe to remove any shadow copies on the victim's machine and disables Windows recovery using bcdedit.exe. Sodinokibi then searches for all directories named "backup", overwrites their contents with random bytes and wipes every file inside them, so file recovery is nearly impossible.
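The shadow-copy removal and recovery disabling described above happen before any file is encrypted, so they are the last point at which a detection can fire while backups still exist. The following is an added defensive example, not code from the original text or from any Sodinokibi sample: it runs simple rules over constructed Sysmon-style process-creation records and escalates a host on which vssadmin.exe shadow deletion and bcdedit.exe recovery disabling are seen together. The sample events, the command-line switches matched (common vssadmin/bcdedit options; the page names only the tools), the rule weights and the TRUSTED_PARENTS allow-list are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# Invented for this example; not real telemetry and not from the page.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": r"CORP\alice",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"host": "WS01", "user": r"CORP\alice",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no",
     "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"host": "WS01", "user": r"CORP\alice",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
     "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"host": "SRV02", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows",   # routine backup check, benign
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS03", "user": r"CORP\bob",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt",
     "parent": r"C:\Windows\explorer.exe"},
]

# Each rule: (name, weight, pattern matched against the command line).
# Weights are arbitrary values chosen for this example.
RULES = [
    ("shadow_copy_deletion", 3,
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("recovery_disabled", 2,
     re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored", 1,
     re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Placeholder allow-list of parent images that legitimately launch these
# tools (e.g. an admin shell); any other parent adds to the score.
TRUSTED_PARENTS = {r"c:\windows\system32\cmd.exe", r"c:\windows\explorer.exe"}


def match_event(event):
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, _, pat in RULES if pat.search(event["cmdline"])]


def score_hosts(events):
    """Aggregate rule hits per host and assign a severity.

    A host on which shadow copies are deleted AND recovery is disabled is
    rated critical, because that pairing is the pre-encryption sequence
    the text describes; other hits are rated by accumulated weight.
    """
    weights = {name: w for name, w, _ in RULES}
    per_host = defaultdict(lambda: {"rules": set(), "score": 0, "parents": set()})
    for ev in events:
        for name in match_event(ev):
            rec = per_host[ev["host"]]
            rec["rules"].add(name)
            rec["score"] += weights[name]
            if ev["parent"].lower() not in TRUSTED_PARENTS:
                rec["parents"].add(ev["parent"])
                rec["score"] += 1   # launched from an untrusted parent
    verdicts = {}
    for host, rec in per_host.items():
        if {"shadow_copy_deletion", "recovery_disabled"} <= rec["rules"]:
            severity = "critical"
        elif rec["score"] >= 3:
            severity = "high"
        else:
            severity = "medium"
        verdicts[host] = {"severity": severity, "score": rec["score"],
                          "rules": sorted(rec["rules"]),
                          "parents": sorted(rec["parents"])}
    return verdicts


if __name__ == "__main__":
    for host, verdict in score_hosts(SAMPLE_EVENTS).items():
        print(host, verdict)
```

With the constructed events, only WS01 produces a verdict (critical, all three rules, parent invoice.exe); the benign "vssadmin list shadows" on SRV02 does not match any rule. In a real deployment the rules would be fed from an EDR or SIEM process-creation stream and the allow-list tuned to the organisation's backup tooling.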
Finally, Sodinokibi encrypts all the files using Salsa20 keys and 256-bit AES keys: the files themselves are encrypted with Salsa20, while AES is used to encrypt the session keys and the data sent to the C&C server.
Command and Control
After all the files are encrypted, Sodinokibi sends data, including system information and encryption keys, to a list of randomly generated URLs that connect to the C&C server.
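Because the post-encryption check-in goes to a list of randomly generated URLs, one infected host produces a burst of outbound POSTs to many destinations it has never contacted before. The following is an added defensive example, not code from the original text or from any Sodinokibi sample: it parses constructed web-proxy log lines and flags a client that POSTs a payload to several distinct hosts within a short window. The page does not describe how the URLs are generated, so the detector keys on fan-out alone; the log format, the domain names, the window length and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web-proxy log (invented for this example, not real traffic).
# Format: <ISO timestamp> <client> <method> <url> <bytes_out>
PROXY_LOG = """\
2021-05-03T10:01:02 10.0.0.15 GET http://intranet.corp.local/home 412
2021-05-03T10:02:10 10.0.0.15 POST http://a1f9k2.example/img/pic.jpg 9120
2021-05-03T10:02:11 10.0.0.15 POST http://zq77mn.example/upload/data.png 9120
2021-05-03T10:02:13 10.0.0.15 POST http://p3ld0x.example/wp/img.jpg 9120
2021-05-03T10:02:14 10.0.0.15 POST http://k8vv21.example/pictures/a.png 9120
2021-05-03T10:02:16 10.0.0.15 POST http://r5ta9c.example/img/b.jpg 9120
2021-05-03T10:02:18 10.0.0.15 POST http://m0wq4e.example/data/c.png 9120
2021-05-03T10:05:00 10.0.0.22 POST http://intranet.corp.local/timesheet 8200
2021-05-03T10:06:00 10.0.0.22 POST http://intranet.corp.local/timesheet 8300
2021-05-03T10:07:00 10.0.0.22 POST http://intranet.corp.local/timesheet 8100
2021-05-03T10:09:30 10.0.0.31 POST http://mail.corp.local/send 12000
2021-05-03T10:40:00 10.0.0.31 POST http://files.corp.local/up 15000
malformed line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT)\s+(\S+)\s+(\d+)$")


def parse_proxy_log(text):
    """Parse log lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, size = m.groups()
        host = url.split("://", 1)[-1].split("/", 1)[0]   # host part of the URL
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "host": host, "bytes_out": int(size)})
    return events


def find_post_fanout(events, window=timedelta(minutes=5), min_hosts=5, min_bytes=4096):
    """Flag clients that POST at least min_bytes to min_hosts or more distinct
    hosts inside one sliding window. Returns {client: sorted list of hosts}."""
    by_client = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["bytes_out"] >= min_bytes:
            by_client[ev["client"]].append(ev)
    flagged = defaultdict(set)
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[client].update(hosts)
    return {client: sorted(hosts) for client, hosts in flagged.items()}


if __name__ == "__main__":
    for client, hosts in find_post_fanout(parse_proxy_log(PROXY_LOG)).items():
        print(f"{client}: POST fan-out to {len(hosts)} hosts: {', '.join(hosts)}")
```

With the constructed log only 10.0.0.15 is flagged: it POSTs to six different hosts within eight seconds, whereas 10.0.0.22 repeatedly posts to a single intranet host and 10.0.0.31 contacts only two hosts, half an hour apart. Thresholds would be tuned against the organisation's own baseline, and a hit is most useful when correlated with the shadow-copy deletion and recovery-disabling activity on the same host.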