Sodinokibi Ransomware Group Adds Malvertising as Delivery Technique

Attackers behind a relatively new ransomware family called Sodinokibi (detected by Trend Micro as RANSOM.WIN32.SODINOKIBI.A) have been continuously exploring different delivery vectors since April: malicious spam, vulnerable servers, and even managed server providers (MSPs). Given the aggressive experimentation with distribution, this ambitious new player in the ransomware landscape seems to be trying to gain momentum and spread quickly. On June 23, threat analyst nao_sec found the ransomware using another new delivery technique — it was being distributed by malvertising that also directs victims to the RIG exploit kit.

Nao_sec reported to Bleeping Computer that the malicious advertisements pushing Sodinokibi were on the PopCash ad network, and certain conditions would redirect users to the exploit kit. The analyst was also able to demonstrate how the ransomware was installed via malvertising.

Past Sodinokibi incidents

In late April, it was reported that a hacking group was trying to abuse a critical vulnerability in Oracle’s WebLogic server to spread the Sodinokibi ransomware. This was particularly dangerous because the ransomware didn’t require user interaction, whereas ransomware delivery usually involves tricking a victim into enabling a malicious macro or clicking a link to download the ransomware. In this case, the hackers simply used the vulnerability to push the ransomware onto WebLogic servers. In May, a malicious spam campaign was seen targeting German victims. The spam was camouflaged as foreclosure statements. The urgency of the mail pressures victims into enabling macros to access a malicious attachment that downloads the ransomware.

Earlier this month, a hacking group abused MSPs to deploy the ransomware onto customer networks. According to reports, three major MSPs were breached through exposed Remote Desktop Protocol (RDP) endpoints. From these compromised endpoints, the hackers were able to move further into the compromised systems. They were able to uninstall AV products and abuse the management software (used by MSPs to oversee workstations) to execute malicious scripts on remote workstations and install the Sodinokibi ransomware.


How to defend against ransomware

Sodinokibi is now using an array of vectors to infect victims. Patching and updating is important in defending against this ransomware, particularly because most of the vulnerabilities its operators are abusing already have available fixes. Users need to keep their systems, software, and hardware updated to the latest versions.

Since Sodinokibi also relies on other techniques, such as sending spam or phishing emails, and continues to add more delivery methods to their arsenal, it is important for organizations to implement security best practices:

  • All of the organization’s users should back up their data regularly to ensure that data can be retrieved even after a successful ransomware attack.
  • Users should be wary of suspicious emails; avoid clicking on links or downloading attachments unless they are certain that the message came from a legitimate source.
  • Restrict the use of system administration tools to IT personnel or employees who need access.

Trend Micro Ransomware Solutions

Enterprises can benefit from a multilayered approach to best mitigate the risks brought by ransomware. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro™ Deep Security™ stops ransomware from reaching enterprise servers — whether physical, virtual, or in the cloud. Trend Micro™ Deep Security™, Vulnerability Protection, and TippingPoint provide virtual patching that protects endpoints from threats that exploit unpatched vulnerabilities to deliver ransomware.

Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. Trend Micro’s Cloud App Security (CAS) can help enhance the security of Office 365 apps and other cloud services by using cutting-edge sandbox malware analysis for ransomware and other advanced threats.

These solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

