Sodinokibi Ransomware Increases Yearend Activity, Targets Airport and Other Businesses
The Sodinokibi ransomware (detected as Ransom.Win32.SODINOKIBI family), which was involved in a few high-profile attacks in 2019, ended the year with a bang by launching a new round of attacks aimed at multiple organizations, including the Albany International Airport and the foreign exchange company Travelex.
Albany International Airport experiences Christmas Day attack
The Albany International Airport (ALB) in New York issued a statement that its systems had been compromised by a ransomware attack, eventually confirmed to be a variant of Sodinokibi. The attack, which was discovered on December 25, prevented the airport staff from fully enjoying the holidays as it encrypted administrative documents, but fortunately personal and financial data was spared. In addition, the attack did not manage to cause major disruptions to the airport’s operation. The attack occurred after threat actors managed to infect the network of ALB’s managed services provider, LogicalNet. From there, the ransomware soon spread to the airport’s network and backup servers.
Five days later, ALB’s insurance provider paid the ransom, which officials claimed was “under six figures.”
Sodinokibi victims threatened with the release of stolen data
Traditionally, the worst-case scenario ransomware victims had to endure was the loss of their data. However, the cybercriminals behind Sodinokibi are poised to take it to the next level just like the Maze ransomware group, as they reportedly published stolen data from one of their victims, Artech Information Systems, after their demands were not met within the allotted time.
The release of the data came after they threatened foreign exchange company Travelex that they would release or sell the company’s stolen data if it did not pay the ransom — an eye-watering US$6 million. The attack on Travelex, which occurred on New Year’s Eve, managed to disrupt operations for 10 days, prompting a slew of complaints on social media from the company’s customers, who were unable to top up their currency cards or perform transactions.
According to media reports, a person familiar with Travelex’s IT systems noted that machines containing confidential information were among those affected.
How to defend against ransomware
The emergence of ransomware like Sodinokibi and Ryuk has proven that threat actors are looking to evolve their methods, which is in line with Trend Micro’s 2019 midyear security roundup. To help combat ransomware attacks and avoid all the repercussions of a data breach, organizations should ensure that their applications and systems are always updated to the latest versions to prevent threat actors from exploiting vulnerabilities that could be used to spread ransomware.
Furthermore, organizations are encouraged to adopt the following best practices to further secure their system and network from ransomware attacks:
- Create an effective backup strategy using the 3-2-1 rule.
- Implement network segmentation to create boundaries between important data and the generally accessible portions of the network.
- Increase awareness among employees regarding the main infection avenues of ransomware — particularly email links and attachments.
- Monitor and audit network traffic for any suspicious behaviors or anomalies.
Paying ransom demands is discouraged: not only does it not guarantee the recovery of the encrypted files, it also encourages cybercriminals to launch more ransomware attacks.
Trend Micro solutions such as the Smart Protection Suites and Worry-Free™ Business Security solutions, which have behavior monitoring capabilities, can protect users and businesses from these types of threats by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs. Trend Micro™ XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.