Sodinokibi: Researchers from McAfee have been able to examine the Sodinokibi (also known as REvil) ransomware-as-a-service campaign, tracking three different affiliate user groups for the ransomware. The groups are being tracked as Group 1, affiliate #34, and affiliate #19. All three of the groups initially compromised their targets by using RDP (Remote Desktop Protocol) and then moved from that foothold to compromise the rest of the targeted network. All of the groups used port scanning techniques to move laterally through the network to find accessible RDP servers, then used tools like NLBrute RDP brute-forcing tool with custom password lists to gain access to servers. Affiliate #34 and #19 show a more sophisticated style of attacks using customized Mimikatz batch files to harvest network credentials, custom scripts to erase Windows event logs and the creation of hidden users. Affiliate #19 also tried to use local exploits throughout their attack to gain administrative access on compromised computers. If the group had been successful in doing this, it would have been easier for them to push malware to other machines on the network. Affiliate #34 was also seen infecting compromised systems with crypto miners, attempting to utilize their persistence for financial gain other than just pushing ransomware. One of the email addresses used with the MinerGate crypto-miner by Affiliate #34 was able to be tracked by the researchers, linking it back to an already known Persian-speaking RDP threat actor. McAfee was able to track these different groups because the ransomware-as-a-service program that they use to deploy Sodinokibi keeps track of all the different threat actors (called “affiliates”) using the ransomware by assigning every affiliate an ID number. This number is then used in the ransomware code, most likely to keep track of who makes money if the ransom is paid. This allowed researchers to start pulling down samples of Sodinokibi that they saw through honeypots and analyze them, thus giving them a system to track the different groups using this ransomware. The ransomware also includes a feature to search through the files on a compromised machine, looking for files that have any of the keywords that the threat actor preloads into the search engine. The keywords used by different threat actors vary but usually include words such as banking, confidential, and military. This allows the attackers to find files that may be of use to them and exfiltrate them before they are encrypted, giving threat actors the ability to steal trade secrets from companies and sell them. The symbiotic relationship between the Sodinokibi ransomware operators and criminals offering “access-as-a-service” is another interesting aspect of this ransomware. In a report from researchers at Advanced Intelligence (AdvIntel) last week, it was revealed that a Russian-speaking threat actor or group known as “-TMT-“has been working with the Sodinokibi ransomware service since at least August of 2019, providing access through compromised Remote Desktop (RDP) to deploy ransomware.
While ransomware-as-a-service is not a new concept, the Sodinokibi (REvil) service has shown signs of innovation that have the potential to make it long-lived and highly destructive, unless law enforcement actions can disrupt the criminal group behind it. Companies can make a positive difference by working with law enforcement, where appropriate, to share evidence of criminal activity. Ransomware is something that will always cause serious problems for corporations and government entities as long as it remains profitable for criminal actors. Keeping backups of all files at an off-site location could help in the majority of instances. Having good event monitoring in place, such as Binary Defense Managed Detection and Response also helps companies by detecting and alerting in the early stages of an attack and stopping the attack from spreading to other computers on the network.