The prevalent visibility of numerous ransomware families persuasively transforms the contemporary threat landscape, resulting in a significant increase of targeted and state-of-the-art attacks on the enterprises. Take the REVil/Sodinokibi gang, for instance. The ransomware appeared in April 2019 and dug a considerable dent in the enterprises since its arrival. 

REvil aka Sodinokibi- The Dark World of Evil RaaS

After reappearing as REvil/Sodinokibi aka Sodin, the RaaS have emerged as more deadly and sophisticated, eyeing manufacturing, supply chains, constructions, engineering, energy, media and communications, and a lot more small and large scale sectors across the US, Europe, Asia, and Canada among others for executing high-profile cyberattacks.

Blood Money and Espionage

Inheriting all the sinister characteristics of its much successful predecessor GandCrab, the ransomware strain involves similar affiliates for spreading the peril. The REvil/Sodinokibi ransomware makes an average ransom of over $3,00,000 via its TOR site per victim. Out of which 20-30% money goes to the core team, the rest of the payment gets directed to their affiliates.

Read More: Sarbloh: The Ransomware With NO Demand

The REvil/Sodinokibi operators often exfiltrate victim’s data before applying the extortion tactics. Keeping a backup helps the ransomware operator threaten the victims unwilling to pay the ransom. Sometimes they leak parts of the data on an auction site referred to as The Happy Blog to threaten the victims for selling them off to the criminals or competitors.

Besides making money, the group also got involved in cyber espionage. There are instances where the operator had targeted defence contractors and organisations.

After successfully intruding into the victim’s machine, the ransomware strain encrypts the configuration and user data using elliptic curve Diffie-Hellman (ECDH), Salsa20, SHA-3 and Advanced Encryption Standard (AES). Post encrypting, the malware uses Curve25519, one of the fastest elliptical-curve cryptography (ECC), to generate private and public keys.

The Prolonged Prey List of Sodinokibi

The Sodinokibi attacker group proudly holds a long prey list on which they include big target enterprises almost every week. And the latest inclusions are JBS, the largest meat exporter globally and the electronic conglomerate FujiFilm. However, the long list of victims also includes numerous high-profile enterprises such as CyrusOne, Artech Information Systems, Grubman Shire Meiselas & Sacks (GSMLaw), Brown-Forman, Travelex, SeaChange International, Albany International Airport, Kenneth Cole, Asteelflash, Pierre Fabre, and Quanta Computer.

Read More: Covid-19, Ransomware, Phishing And A Few Actionable Tips To Swear By

The Propagation 

Old School Methods

The earlier version of REvil/Sodinokibi ransomware exploited an Oracle WebLogic Server Vulnerability (CVE-2019-2725) or spam documents to access the victim’s machine. Once it gets in, the ransomware manipulates user rights to retrieve all the files and resources of the system.

The ransomware has also shown instances where it loaded itself in the memory of PowerShell via reflective loader technique to execute itself as a fileless malware instead of an on-disk file execution.

The ransomware was also found abusing malspam emails loaded with spear-phishing links/attachments, illegitimate RDP access, compromised sites, and a range of exploits.

Contemporary Attack Method

According to the Federal Bureau of Investigation’s (FBI) official statement, the REvil and Sodinokibi group were held responsible for the ransomware attack on JBS dated June 1, 2021.

For the attack, the bad actors used QBot malware to execute the initial infection operation.

The QBot malware was spread via a spam email campaign loaded with a malicious Excel file attachment. Once the victim opens the email and clicks on the malicious extension, the Excel file would download a DLL file to spread the infection on the victimised network.

Read More: Top tips to stay safe from ransomware

The K7 Solution

Being in the cybersecurity business for over 30 years, K7 Computing has developed an indigenous anti-malware engine to offer impermeable security against the prevalent malware families. The powerful engine, combined with multiple detection techniques, has helped us create Avant-garde anti-malware suites to secure different enterprises and end-users. Keeping up with the rising malware plague, we continuously overhaul our cybersecurity suites to offer superior security to our customers. K7 Security solutions offer multi-layered protection to thoroughly safeguard and keep the awful actors at bay from your systems and networks.

The behaviour-based detection technology loaded with all the K7 security solutions can detect Mal-downloading activity such as QBot and mitigate the possible danger before any damage gets caused.

Our Multi-layer detection detects and blocks the Sodinokibi and REvil ransomware activities at several levels, such as File-based detection filter as “Trojan ( 0054e3e21 )” and “Trojan ( 00577e3b1 )”, and Behaviour-based detection filter as “Suspicious Program( ID 709002 )” and “Suspicious Program( ID 41005 ).” 

With inputs from K7 Labs

Like what you're reading? Subscribe to our top stories.

2018 K7 Computing. All Rights Reserved.