Business

News

 
More...

Alerts

 
More...

Events

 
More...
 
     
 

'Sodinokibi' Ransomware attacks on companies and individuals world-wide

 

Systems Affected



Threat Level


High


Overview


'Sodinokibi', also known as 'REvil' is a name for a family of Advanced Ransomware. It encrypts (makes files and folders unreadable) important files in various formats and demands a ransom to decrypt (make files and folders readable) them.


Description


'Sodinokibi' ransomware first appeared in April 2019. The sole purpose of the ransomware is to encrypt the files with a random extension and then demand a ransom to recover the files.

At first, Sodinokibi ransomware was observed propagating itself by exploiting a vulnerability in Oracle WebLogic server (CVE-2019-2725). Later, Cyber-criminal Groups have further propagated this ransomware through infected email attachments (macros), torrent websites, phishing or by spreading infected links through online advertisements etc. It was first reported in Asia but it is now a worldwide threat.


Map of infections - Reference: www.mcafee.com

Attackers send a ransom note through a text (.txt) file and/or by a message that will appear on the victim's computer screen. To decrypt data, attackers ask users to visit their website using one of the two links provided; one of which has to be opened using the Tor browser and the other with commonly used browsers. Victims have to provide the key and extension name included in the ransom message. The victim is then informed of the payment details and instructions to be followed.

'Sodinokibi' has attacked a wide array of companies including Telecommunication service providers, Law Firms and IT Services causing service disruptions and information losses. Further, it has targeted celebrities and prominent individuals threatening to release their sensitive information online.


Ransom Note -Reference: https://www.pcrisk.com/


Impact


  ✻  Loss of important files and documents of your company's data
  ✻  Expose confidential information to unauthorized parties
  ✻  May result in complete or partial shutdown of your company's operations
  ✻  Damage to your company's reputation
  ✻  Financial loss


Solution/ Workarounds


  ✻  Do not download files from suspicious sources or click on suspicious links.
  ✻  Do not download decryption tools from suspicious sources.
  ✻  Regularly make multiple backups of data, and keep them offline and/or store off-site.
  ✻  Increase the security of backup with additional ransomware protection software.
  ✻  Update and install latest security patches on installed third party software.
  ✻  Keep your virus guard and operating system up to date and monitor for latest malware infections and patterns.
  ✻  Isolate the infected computers from the network.
  ✻  Payment of ransom is not recommended since there is no guarantee that you will get your data back.


References


  ✻  https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscapedashboard/ransomware-details.sodinokibi-ransomware.html
  ✻  https://blog.malwarebytes.com/detections/ransom-sodinokibi/
  ✻  https://www.pcrisk.com/removal-guides/sodinokibi-ransomware


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.


 
     

© Copyright Sri Lanka CERT|CC. All Rights Reserved.