Content, Content, Ransomware

Sodinokibi Ransomware Attacks: Symantec Research Findings

Sodinokibi (aka REvil) ransomware attackers are targeting large healthcare, services and food chains using commodity malware to deliver payloads to targeted victims.

Since emerging a little over a year ago, Sodinokibi has been one of the most prolific targeted ransomware strains, involved in a number of high-profile incidents. Not only has it been used to hobble large corporate game, it has also infected thousands of clients conduited via managed service providers (MSPs) and consulting firms.

The cyber hackers in this operation aren’t content to infiltrate corporate networks with Sodinokibi. They are also hedging their bets by scanning the networks of some victims for bank card credentials gained through point-of-sale (PoS) software, security software provider  Symantec said in a new report. Cyber swindlers often rely on PoS systems, which are prominently positioned in retail stores, to drain personal information from unsuspecting victims.

In this campaign, it’s not clear if the crew was looking for PoS software to encrypt or trying to skim more money from the score if the targeted victims couldn’t meet their ransom demands, Symantec’s researchers said.

Eight organizations had Cobalt Strike malware on their systems, an off-the-shelf threat emulation tool sometimes used to load shellcode on compromised machines. Three of the eight prey were subsequently infected with the Sodinokibi ransomware, Symantec said. Of the known victims both the food companies and the services businesses are large, multi-site outfits the cyber extortionists may have figured could pay a substantial ransom. However, that may not have been the case with the healthcare organization, which is smaller than the others and whose systems were scanned by the attackers for PoS software, Symantec said.

“It may be that the attackers realized might not be in a position to pay the large ransoms usually demanded in a Sodinokibi attack, and so scanned for PoS software to determine if they could profit from the compromise in another way. Or they may have been scanning for this kind of software simply to encrypt it,” Symantec said.

At this point, it’s not clear if any of the targeted victims met the cyber kidnappers’ ransom demands, which amounted to $50,000 if paid inside of three hours up to $100,000 thereafter in non-traceable Monero cryptocurrency.

Symantec didn’t say whether Harvest Food Distributors, a San Diego, California-based operation sporting a national network and its parent company, Detroit, Michigan-headquartered Sherwood Food Distributors, which last month were hit by Sodinokibi hackers, were the food chains attacked in these instances. The two companies supply megamarket chains Kroger, Albertsons, Sprouts and others. The attackers demanded $7.5 million in ransom payments.

Tactics employed in this attack campaign are those commonly used by targeted ransomware gangs. According to Symantec’s researchers, the hackers are using code-hosting service Pastebin to host the Cobalt Strike malware and Sodinokibi and Amazon’s CloudFront service for their command and control infrastructure to communicate with compromised systems. The thinking is that traffic to and from a legitimate service is more likely to blend in with an organization’s legitimate traffic and less likely to be blocked, Symantec said.

“Once on a network, the attackers take various steps to reduce the chance they will be detected and to increase the chances of their attack working,” Symantec said. Following the initial infection, the cyber muggers attempt to disarm security software so their presence can’t be detected and enable remote desktop connections so they can use them to launch malicious commands. As for pilfering personal credentials lifted from PoS software, the attackers have been observed adding fake user accounts, “presumably in an attempt to maintain persistence on victim machines and also in a further attempt to keep a low profile on victim networks,” Symantec said.

Scanning victims’ systems for PoS software isn’t typically seen in conjunction with targeted ransomware attacks. It may have been opportunistic or signal an emerging new tactic, the security specialist said. “One thing that is clear is the actors using Sodinokibi are sophisticated and skilled and show no sign that their activity is likely to decrease anytime soon,” Symantec said.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.