Update: in its Sodinokibi Malware Report, Cytomic’s security lab analyses a sample of this widespread ransomware, which became the most lucrative family during the last quarter of the year, mainly due to attacks targeting companies.

New Year’s Eve 2019 wasn’t the best day at Travelex. The British foreign exchange company found itself in the middle of a full-blown crisis: someone external to the organization had accessed all the company’s data. But the problem didn’t stop there: the cybercriminal had also encrypted these files and deleted every backup. In exchange for returning all this information, the criminal demanded a $6 million ransom.

Travelex paid no heed to the attempted blackmail and didn’t hand over any money. After announcing the cyberattack, the company stated that, despite the data having been accessed, their users’ and customers’ private data hadn’t been exposed.

How did this attack happen? As later became known, it was mainly down to the fact that the company had a series of vulnerabilities in its Pulse Secure VPN servers and hadn’t fixed these flaws, which acted as a perfect entry point for the attackers.

The threat of Sodinokibi_

Travelex’s computers had been infected with Sodinokibi, a piece of ransomware first seen in April 2019. It is increasingly popular among cybercriminal groups, and began life as a variant of GandCrab, another piece of ransomware commonly seen in cyberattacks, especially phishing campaigns against large enterprises. In fact, on a forum, the alleged culprits of the attack on Travelex admitted to having used GandCrab code to create Sodinokibi.

During 2019, a progressive increase was reported in the number of companies attacked by organized cybercriminals using this type of ransomware. The RaaS (Ransomware as a Service) model, together with the sophistication and complexity of this ransomware and its ability to establish persistence, made it the most lucrative family during the last quarter of the year, surpassing the Ryuk ransomware by almost 8%. The security experts of our laboratory collect in this report all the details of their comprehensive analysis of the Sodinokibi ransomware.

This ransomware’s process is split into three basic steps:

1.- Entry and infection. Sodinokibi exploits the vulnerability CVE-2019-2725, found in Oracle WebLogic application servers, to gain entry and then encrypts the infected user’s files. On each device, it appends a different, random extension to the encrypted files.

2.- Destruction of backups. As if encryption weren’t enough, the ransomware also accesses all backups and deletes them completely. This way, the victim cannot resort to a previous version of their files to recover any lost information.

3.- Ransom. Finally, the cybercriminals get in touch with the affected company, asking for a million-dollar ransom in exchange for returning their files and restoring the system.
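The two destructive behaviours in steps 1 and 2 (mass encryption with one random extension per device, and deletion of local backups) both leave traces that endpoint telemetry can catch early. The following detection logic is an added example written for this post, not code from Cytomic’s report or from the ransomware analysis. It assumes a simple tab-separated export of process-creation and file-creation events (timestamp, host, event type, command line or path); the sample log lines are constructed, and the command-line patterns are the well-known shadow-copy and recovery-disabling commands used by many ransomware families, not something taken from the page.

```python
"""Detection logic for the two destructive behaviours described above:
(1) deletion of local backups / shadow copies, and
(2) a burst of files written with the same unfamiliar (random) extension.

Added example; the log format and sample lines are constructed. Map the
fields onto your own EDR or Sysmon export (process create / file create).
"""
import re
from collections import Counter, defaultdict

# Command lines commonly used to destroy local recovery points (MITRE ATT&CK
# T1490 "Inhibit System Recovery"). Case-insensitive; matched as substrings.
BACKUP_DESTRUCTION_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Toy allow-list of extensions normally seen on the estate. In production,
# baseline this from your own file telemetry rather than hard-coding it.
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "jpg", "png", "exe", "dll", "log", "zip"}

# Constructed sample telemetry: one file server under attack, one clean workstation.
SAMPLE_LOG = (
    "2019-12-31T02:11:04Z\tFS01\tPROCESS_CREATE\tC:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet\n"
    "2019-12-31T02:11:05Z\tFS01\tPROCESS_CREATE\tbcdedit /set {default} recoveryenabled No\n"
    "2019-12-31T02:11:09Z\tFS01\tFILE_CREATE\tD:\\Finance\\Q4-forecast.xlsx.7h3kd9\n"
    "2019-12-31T02:11:09Z\tFS01\tFILE_CREATE\tD:\\Finance\\payroll.docx.7h3kd9\n"
    "2019-12-31T02:11:10Z\tFS01\tFILE_CREATE\tD:\\Finance\\board-minutes.pdf.7h3kd9\n"
    "2019-12-31T02:11:10Z\tFS01\tFILE_CREATE\tD:\\Finance\\invoices.txt.7h3kd9\n"
    "2019-12-31T02:11:11Z\tFS01\tFILE_CREATE\tD:\\Finance\\contracts.zip.7h3kd9\n"
    "2019-12-31T02:11:30Z\tWS22\tPROCESS_CREATE\tC:\\Windows\\System32\\notepad.exe\n"
    "2019-12-31T02:11:31Z\tWS22\tFILE_CREATE\tC:\\Users\\ana\\notes.txt\n"
)


def parse(lines):
    """Yield (timestamp, host, event, payload); skip malformed lines."""
    for line in lines:
        parts = line.rstrip("\n").split("\t", 3)
        if len(parts) == 4:
            yield tuple(parts)


def flag_backup_destruction(lines):
    """Return (timestamp, host, command_line) for every process-creation event
    whose command line matches a known backup-destruction pattern."""
    hits = []
    for ts, host, event, payload in parse(lines):
        if event != "PROCESS_CREATE":
            continue
        if any(p.search(payload) for p in BACKUP_DESTRUCTION_PATTERNS):
            hits.append((ts, host, payload))
    return hits


def flag_random_extension_burst(lines, threshold=5):
    """Return (host, extension, count) for every host that created at least
    `threshold` files sharing one unfamiliar, random-looking extension."""
    per_host = defaultdict(Counter)
    for _ts, host, event, payload in parse(lines):
        if event != "FILE_CREATE" or "." not in payload:
            continue
        ext = payload.rsplit(".", 1)[1].lower()
        # Random-looking: short alphanumeric token that is not a known extension.
        if ext not in KNOWN_EXTENSIONS and re.fullmatch(r"[a-z0-9]{4,12}", ext):
            per_host[host][ext] += 1
    return [(host, ext, n) for host, c in per_host.items()
            for ext, n in c.items() if n >= threshold]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ts, host, cmd in flag_backup_destruction(lines):
        print(f"[BACKUP DESTRUCTION] {ts} {host}: {cmd}")
    for host, ext, n in flag_random_extension_burst(lines):
        print(f"[MASS ENCRYPTION?] {host}: {n} files written with extension .{ext}")
```

Running it on the constructed sample reports two backup-destruction commands on FS01 and a burst of five files with the extension `.7h3kd9` on the same host, while the workstation WS22 produces nothing. The extension heuristic is deliberately per-host, because the post notes that Sodinokibi picks a different random extension on each device, so correlating by extension across hosts would miss it.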

How can we tackle Sodinokibi?_

The ideal victims of this ransomware are large enterprises and public institutions, which, because of their structure, have three characteristics that are irresistible to cybercriminals. Firstly, they store far more information than smaller companies. Secondly, this information is far more sensitive. Finally, the attackers assume that this kind of organization has enough money to pay a million-dollar ransom, whether or not it ultimately does.

To avoid this kind of issue, enterprises and organizations that wish to stay safe from Sodinokibi must take the following measures:

1.- Protect endpoints. Endpoints are the way in for most cyberattacks, which means that they must be protected. In this sense, Cytomic EPDR combines preventive endpoint technologies in a single solution, with EDR capabilities and the Zero-Trust Application Service. Thanks to these technologies, Cytomic EPDR can get ahead of, detect and respond to any kind of malware, both known and unknown, as well as fileless and malwareless attacks. The Zero-Trust Application Service stops malware from running on computers, servers, virtual environments and mobile devices.

2.- Update the system. Many of Travelex’s problems were caused by the company not updating its systems after vulnerabilities were discovered. Keeping systems updated is a vital step.

3.- Remote backups. Given that Sodinokibi destroys all backups on the devices and systems it infects, its potential victims must have remote backups that no one else can access.

4.- Phishing. Beyond technologies and operational details, employee awareness is one of the keys to avoiding becoming a victim of phishing attacks, which are often the point of entry for ransomware.

A piece of ransomware that had an impact in 2019_

Sodinokibi is one of the strains of ransomware that is already making waves at the start of 2020. However, the fact is that it was in 2019 that it started to make a name for itself: the servers of the Municipal Institute of Employment and Business Development in Zaragoza were infected, and its nearly 70 employees were unable to work. Also among its victims were several city halls in the State of Texas; Albany International Airport in New York; and more recently, Artech Information Systems. In this last case, all of the company’s stolen information was published online.

All of this suggests that we’re likely to see an increasing number of incidents involving this ransomware over the next few months. As such, companies and public institutions must take all of the prevention measures mentioned above: appropriate endpoint protection, updates, backups, and full awareness among all employees.