Dark Reading is part of the Informa Tech Division of Informa PLC

Attackers Scanning for PoS Software in New Sodinokibi Ransomware Campaign

Making extra money from victims appears to be the goal, Symantec says.

Operators of Sodinokibi — one of the biggest ransomware threats currently targeting enterprise organizations — appear to have hit on a new tactic to try and generate extra money from victims.

Security researchers at Symantec recently spotted a Sodinokibi ransomware campaign in which the attackers are scanning their targets' networks for credit-card or point-of-sale (POS) data. It is unclear whether the attackers are targeting the data for encryption or whether they view it as another way to make money from their victims.

Symantec reported observing the attackers in the latest campaign using the Cobalt Strike penetration-testing tool to deliver Sodinokibi on victim networks. At least eight organizations — most of them large, multisite entities — were found to have the Cobalt Strike tool on their systems. Three of those organizations — one each from the healthcare, food, and services sectors — were later infected with Sodinokibi, the security vendor said in a report Tuesday.

The attackers have demanded as much as $50,000 in Monero cryptocurrency from the victims if paid within the first three hours, or $100,000 if paid later. Symantec says it has not been able to determine how the attackers gained initial access to the victim networks in the latest campaign; typical tactics have included the use of phishing emails and exploiting vulnerabilities in an organization's Internet-facing infrastructure. In some cases, the attackers have opened accounts on infected systems to maintain persistence.

"Adversaries are always looking for creative ways to increase profit from their attack campaigns," says Symantec cyber intelligence analyst Jon DiMaggio.

In the current campaign, the Sodinokibi attacker is leveraging all resources across the victim's infrastructure to maximize profits. "This indicates they are not solely interested in obtaining a ransom," DiMaggio says. "They are looking for other ways to potentially make a profit."

It is likely the attacker would deploy POS-scanning malware to extract credit-card details if they found POS systems on a victim network, he says.

Sodinokibi has emerged as one of the most prolific ransomware strains since it first surfaced in April 2019, at least partly because it is being distributed under a ransomware-as-a-service model. Several security vendors have described the malware (aka REvil) as being used mostly in attacks against large organizations with the resources to pay big ransoms to get their data back.

The malware's more notable victims include foreign exchange service Travelex, which reportedly paid some $2.3 million earlier this year to recover data following a New Year's Eve attack on its systems. Sodinokibi has also been associated with an attack on A-list celebrity law firm Grubman Shire Meiselas & Sacks earlier this year.

Data Exposure Threat
In recent months, Sodinokibi has been used in campaigns where threat actors have stolen sensitive, business-critical data from victim organizations before encrypting the data. The attackers have then threatened to publicly release the data if the victim organization refused to pay the demanded ransom. Earlier this month, the group behind Sodinokibi launched a website through which it plans on auctioning stolen data to interested buyers.

"This is a relatively new tactic seen only by a few groups of organized ransomware attackers," DiMaggio says. The intent is to embarrass the victim by releasing sensitive business data or even data associated with the victim's customers, thereby making them potentially liable for damage, he says.

Sodinokibi emerged right around the time the operators of the equally destructive GandCrab ransomware family announced their "retirement" after collecting a reported $2 billion in ransom money from victims worldwide. Many believe the GandCrab group is now behind Sodinokibi as well.

In its report this week, Symantec described the threat actors behind the latest Sodinokibi campaign as using a combination of custom malware and legitimate tools and infrastructure to carry out attacks. Examples include the use of a remote admin tool from NetSupport to distribute malware components, the use of the code-hosting service Pastebin to host Cobalt Strike and Sodinokibi, and the use of Amazon's CloudFront service for command-and-control purposes.

The goal in using these services to host malicious payloads and communicate with infected systems is to ensure the malicious activity is hidden within an organization's legitimate traffic. Defenders may overlook network connections to legitimate infrastructure and therefore allow malicious activity to continue on their networks, DiMaggio says.

Targeted ransomware attacks are on the rise, so it is vital for organizations to bolster their endpoint security and have data backup and recovery plans in place in the event they are attacked. Also important is for organizations to deploy controls for detecting the misuse of legitimate tools and services on their networks.

"In almost every targeted enterprise ransomware attack, the adversary is present on the network for a period of time prior to deploying the ransomware," DiMaggio says. During this time they use legitimate tools already in the environment as well as additional publicly available tools and malware, such as the credential-stealing tool Mimikatz, to expand their presence.

"Identifying the misuse of these legitimate tools or the use of publicly available hack tools within the targeted environment presents an opportunity to stop the attack before it begins," he says.
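The detection opportunity DiMaggio describes, and the abuse of legitimate services covered above, can be turned into concrete checks. The script below is an added example written for this page; it is not code from the article, from Symantec, or from any vendor product. It runs four simple rules over constructed endpoint events: a non-browser process fetching from a paste site, a non-browser process in a user-writable path talking to a CDN domain, a NetSupport client binary executing outside its normal install location, and a command line carrying strings characteristic of a well-known credential-dumping tool. The pipe-separated log format, the sample events, the process names treated as browsers, and the list of user-writable paths are all assumptions made for the example; real telemetry (EDR, proxy, Sysmon) would need its own parser in place of `parse_log`.

```python
"""Toy detector for the 'misuse of legitimate tools and services' pattern:
payload staging on a paste site, C2 hidden behind a CDN, a remote-admin tool
running from an odd location, and a known hack tool on the command line.

Added example, not from the article or from Symantec. The log format, sample
events, browser list and user-writable path list are assumptions.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed event format, one event per line:
#   timestamp | host | process image path | command line | destination URL or '-'
SAMPLE_LOG = r"""
2020-06-23T10:02:11Z|WS-0413|C:\Program Files\Mozilla Firefox\firefox.exe|firefox.exe|https://pastebin.com/raw/aB3dE9fG
2020-06-23T10:03:47Z|WS-0413|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Users\Public\update.ps1|https://pastebin.com/raw/aB3dE9fG
2020-06-23T10:05:02Z|WS-0413|C:\Users\jdoe\AppData\Local\Temp\svchost.exe|svchost.exe|https://d1example2.cloudfront.net/api/v1/check
2020-06-23T10:05:30Z|WS-0413|C:\Program Files\Google\Chrome\Application\chrome.exe|chrome.exe|https://d1example2.cloudfront.net/assets/app.js
2020-06-23T10:09:15Z|SRV-FIN-02|C:\Users\Public\client32.exe|client32.exe|-
2020-06-23T10:11:40Z|SRV-FIN-02|C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe|client32.exe|-
2020-06-23T10:14:08Z|SRV-FIN-02|C:\Users\Public\m.exe|m.exe privilege::debug sekurlsa::logonpasswords|-
"""

# Processes expected to talk to paste sites and CDNs (assumption).
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
PASTE_SITES = {"pastebin.com"}
CDN_SUFFIXES = (".cloudfront.net",)
# Locations a remote-admin tool or C2 client should not normally run from (assumption).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
REMOTE_ADMIN_IMAGES = {"client32.exe"}  # NetSupport Manager client binary name
# Command-line fragments characteristic of the Mimikatz credential-dumping tool.
HACKTOOL_MARKERS = ("mimikatz", "sekurlsa::", "lsadump::")


@dataclass
class Event:
    ts: str
    host: str
    image: str
    cmdline: str
    url: str

    @property
    def image_name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def dest_host(self) -> str:
        if self.url == "-":
            return ""
        return (urlparse(self.url).hostname or "").lower()


def parse_log(text: str) -> list:
    """Parse the constructed pipe-separated format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue
        events.append(Event(*parts))
    return events


def detect(events: list) -> list:
    """Return (timestamp, host, rule, process) tuples for every rule that fires."""
    alerts = []
    for e in events:
        name = e.image_name
        in_user_path = e.image.lower().startswith(USER_WRITABLE)
        # Rule 1: payload staging on a paste site by something other than a browser.
        if e.dest_host in PASTE_SITES and name not in BROWSERS:
            alerts.append((e.ts, e.host, "paste-site-fetch", name))
        # Rule 2: CDN traffic from a non-browser binary living in a user-writable path.
        if e.dest_host.endswith(CDN_SUFFIXES) and name not in BROWSERS and in_user_path:
            alerts.append((e.ts, e.host, "cdn-beacon-from-user-path", name))
        # Rule 3: remote-admin client executing outside its installed location.
        if name in REMOTE_ADMIN_IMAGES and in_user_path:
            alerts.append((e.ts, e.host, "remote-admin-tool-unusual-path", name))
        # Rule 4: known credential-dumping tool syntax on the command line.
        if any(m in e.cmdline.lower() for m in HACKTOOL_MARKERS):
            alerts.append((e.ts, e.host, "hacktool-cmdline", name))
    return alerts


if __name__ == "__main__":
    for ts, host, rule, proc in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts} {host:<10} {rule:<32} {proc}")
```

Of the seven constructed events, the two browser connections and the NetSupport client running from its Program Files directory produce nothing; the other four each trip exactly one rule. The point of rules 1 and 2 is the one DiMaggio makes: the destination alone looks legitimate, so the check has to combine it with which process made the connection and where that process lives.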

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...