Introduction

Sodinokibi ransomware, which is also known as REvil, made its first appearance in 2019 as it was being distributed via the exploited CVE-2019-2725 vulnerability in Oracle WebLogic server. The threat actors were able to gain access to WebLogic servers with HTTP access.
Sodinokibi ransomware is currently the most widespread active ransomware and have been recorded to target organisation of all sizes from many countries.
There is no decryptor for any of the active variants of the Sodinokibi ransomware and the average ransom required is $300,000 in Bitcoin which can be paid via provided website address in the ransomware note.

Modus Operandi

Initial access

The infection vectors used by threat actors includes spam emails, exploit kits and other affiliated malware campaigns. Apart from the CVE-2019-2725, GrandSoft and RIG are the two most used exploit kits for distributing Sodinokibi. The spam campaigns are aimed at tricking the targets into opening the obfuscated JavaScript file contained inside the attached ZIP file.

Installation

As soon as the victim executes the JavaScript file, it attempts to perform UAC bypass by loading a PowerShell script from obfuscated JavaScript and then injects Sodinokibi’s loader into an existing process. Sodinokibi checks the permission of the process via the CheckTokenMembership function, if the process does not have the right permissions, then Sodinokibi writes itself to a registry key and starts a new instance of explorer.exe via CompMgmtLauncher.exe. The same PowerShell script is run again until the infected process has high enough privileges for the Sodinokibi payload to be installed, stored, and executed. During the execution of the payload, Sodinokibi checks the victim’s primary keyboard ID and compares to its config file to determine if it will continue its attack as the threat actors don’t want to target machines from particular countries specified in the config file.