Sodinokibi: Researchers from McAfee have been able to examine the Sodinokibi (also known as REvil) ransomware-as-a-service campaign, tracking three different affiliate groups using the ransomware. The groups are tracked as Group 1, affiliate #34, and affiliate #19. All three initially compromised their targets over RDP (Remote Desktop Protocol) and then moved from that foothold to compromise the rest of the targeted network. All of the groups used port scanning to move laterally through the network and find accessible RDP servers, then used tools such as the NLBrute RDP brute-forcing tool with custom password lists to gain access to those servers. Affiliates #34 and #19 showed a more sophisticated style of attack, using customized Mimikatz batch files to harvest network credentials, custom scripts to erase Windows event logs, and the creation of hidden users. Affiliate #19 also tried to use local exploits throughout their attack to gain administrative access on compromised computers; had they succeeded, it would have been easier for them to push malware to other machines on the network. Affiliate #34 was also seen infecting compromised systems with crypto miners, using their persistence for financial gain beyond just pushing ransomware. The researchers were able to trace one of the email addresses Affiliate #34 used with the MinerGate crypto-miner, linking it back to an already known Persian-speaking RDP threat actor. McAfee was able to track these different groups because the ransomware-as-a-service program used to deploy Sodinokibi keeps track of all the threat actors (called “affiliates”) using the ransomware by assigning every affiliate an ID number. This number is then embedded in the ransomware code, most likely to keep track of who makes money if the ransom is paid.
This allowed researchers to pull down samples of Sodinokibi that they saw through honeypots and analyze them, giving them a system for tracking the different groups using this ransomware. The ransomware also includes a feature to search through the files on a compromised machine, looking for files that contain any of the keywords the threat actor preloads into the search routine. The keywords used by different threat actors vary but usually include words such as banking, confidential, and military. This lets the attackers find files that may be of use to them and exfiltrate them before they are encrypted, giving threat actors the ability to steal trade secrets from companies and sell them. The symbiotic relationship between the Sodinokibi ransomware operators and criminals offering “access-as-a-service” is another interesting aspect of this ransomware. In a report from researchers at Advanced Intelligence (AdvIntel) last week, it was revealed that a Russian-speaking threat actor or group known as “-TMT-” has been working with the Sodinokibi ransomware service since at least August of 2019, providing access through compromised Remote Desktop (RDP) to deploy the ransomware.
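The intrusion chain described above (RDP brute forcing, creation of hidden users, erasure of Windows event logs) as detection logic over constructed Windows Security events. This is an added example, not code from the McAfee or Binary Defense research; the host addresses, account names and thresholds are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields mirror Windows Security
# log data: 4625 = failed logon, 4624 = successful logon (logon_type 10 is
# RemoteInteractive, i.e. RDP), 4720 = user account created, 1102 = audit
# log cleared. Attacker host 10.0.0.5 and all account names are made up.
EVENTS = [
    {"t": f"2019-10-01T02:00:{s:02d}", "id": 4625, "ip": "10.0.0.5",
     "actor": "-", "target": "Administrator", "logon_type": 3}
    for s in range(0, 40, 5)  # 8 failed logons in 40 seconds
] + [
    {"t": "2019-10-01T02:00:45", "id": 4624, "ip": "10.0.0.5",
     "actor": "-", "target": "Administrator", "logon_type": 10},
    {"t": "2019-10-01T02:06:00", "id": 4720, "ip": "-",
     "actor": "Administrator", "target": "svc_upd$", "logon_type": None},
    {"t": "2019-10-01T02:09:00", "id": 1102, "ip": "-",
     "actor": "Administrator", "target": "-", "logon_type": None},
    {"t": "2019-10-01T09:00:00", "id": 4624, "ip": "10.0.0.20",
     "actor": "-", "target": "jdoe", "logon_type": 10},  # benign RDP logon
]


def detect(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (rule, detail) findings for the RDP brute-force intrusion chain."""
    findings = []
    failures = defaultdict(list)  # source IP -> timestamps of 4625 events
    compromised = set()           # accounts whose RDP logon followed a burst
    for e in sorted(events, key=lambda e: e["t"]):
        ts = datetime.fromisoformat(e["t"])
        if e["id"] == 4625:
            failures[e["ip"]].append(ts)
        elif e["id"] == 4624 and e["logon_type"] == 10:
            # RDP success preceded by many failures from the same host
            recent = [f for f in failures[e["ip"]] if ts - f <= window]
            if len(recent) >= fail_threshold:
                compromised.add(e["target"])
                findings.append(("rdp_bruteforce_success",
                                 f"{e['ip']} -> {e['target']} after {len(recent)} failures"))
        elif e["id"] == 4720 and e["actor"] in compromised:
            # new (possibly hidden) account created by a brute-forced account
            findings.append(("account_created_by_bruteforced_user",
                             f"{e['actor']} created {e['target']}"))
        elif e["id"] == 1102 and e["actor"] in compromised:
            findings.append(("audit_log_cleared_by_bruteforced_user", e["actor"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(rule, detail)
```

The benign RDP logon from 10.0.0.20 produces no finding because no failure burst preceded it, which is what keeps the rule from firing on every ordinary remote session.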
By Akshay Rohatgi and Randy Pargman