Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:15 PM
Connect Directly

Attackers Scanning for PoS Software in New Sodinokibi Ransomware Campaign

Making extra money from victims appears to be the goal, Symantec says.

Operators of Sodinokibi — one of the biggest ransomware threats currently targeting enterprise organizations — appear to have hit on a new tactic to try and generate extra money from victims.

Security researchers at Symantec recently spotted a Sodinokibi ransomware campaign where the attackers are scanning the networks of their targets for credit-card or point-of-sale (POS) data. It is unclear whether the attackers are targeting the data for encryption or they view it as another way to make money from their victims.

Symantec reported observing the attackers in the latest campaign using the Cobalt Strike penetration-testing tool to deliver Sodinokibi on victim networks. At least eight organizations — most of them large, multisite entities — were found to have the Cobalt Strike tool on their systems. Three of those organizations — one each from the healthcare, food, and services sectors — were later infected with Sodinokibi, the security vendor said in a report Tuesday.

The attackers have demanded as much as $50,000 in Monero cryptocurrency from the victims if paid within the first three hours, or $100,000 if paid later. Symantec says it has not been able to determine how the attackers gained initial access to the victim networks in the latest campaign; typical tactics have included the use of phishing emails and exploiting vulnerabilities in an organization's Internet-facing infrastructure. In some cases, the attackers have opened accounts on infected systems to maintain persistence.

"Adversaries are always looking for creative ways to increase profit from their attack campaigns," says Symantec cyber intelligence analyst Jon DiMaggio.

In the current campaign, the Sodinokibi attacker is leveraging all resources across the victim's infrastructure to maximize profits. "This indicates they are not solely interested in obtaining a ransom," DiMaggio says. "They are looking for other ways to potentially make a profit."

It is likely the attacker would deploy POS-scanning malware to extract credit-card details, if they would POS systems on a victim network, he says.

Sodinokibi has emerged as one of the most prolific ransomware strains since it first surfaced in April 2019, at least partly because it is being distributed under a ransomware-as-a-service model. Several security vendors have described the malware (aka REvil) as being used mostly in attacks against large organizations with the resources to pay big ransoms to get their data back.

The malware's more notable victims include foreign exchange service Travelex, which reportedly paid some $2.3 million earlier this year to recover data following a New Year's Eve attack on its systems. Sodinokibi has also been associated with an attack on A-list celebrity law firm Grubman Shire Meiselas & Sacks earlier this year.

Data Exposure Threat
In recent months, Sodinokibi has been used in campaigns where threat actors have stolen sensitive, business-critical data from victim organizations before encrypting the data. The attackers have then threatened to publicly release the data if the victim organization refused to pay the demanded ransom. Earlier this month, the group behind Sodinokibi launched a website through which it plans on auctioning stolen data to interested buyers.

"This is a relatively new tactic seen only by a few groups of organized ransomware attackers," DiMaggio says. The intent is to embarrass the victim by releasing sensitive business data or even data associated with the victim's customers, thereby making them potentially liable for damage, he says.

Sodinokibi emerged right around the time the operators of the equally destructive GandCrab ransomware family announced their "retirement" after collecting a reported $2 billion in ransom money from victims worldwide. Many believe the GandCrab group is now behind Sodinokibi as well.

In its report this week, Symantec described the threat actors behind the latest Sodinokibi campaign as using a combination of custom malware and legitimate tools and infrastructure to carry out attacks. Examples include the use of a remote admin tool from NetSupport to distribute malware components, the use of code-hosting service Patebin to host Cobalt Strike and Sodinokibi, and Amazon CloudFront service for command-and-control purposes.

The goal in using these services to host malicious payloads and communicate with infected systems is to ensure the malicious activity is hidden within an organization's legitimate traffic. Defenders may overlook network connections to legitimate infrastructure and therefore allow malicious activity to continue on their networks, DiMaggio says.

Targeted ransomware attacks are on the rise, so it is vital for organizations to bolster their endpoint security and have data backup and recovery plans in place in the event they are attacked. Also important is for organizations to deploy controls for detecting the misuse of legitimate tools and services on their networks.

"In almost every targeted enterprise ransomware attack, the adversary is present on the network for a period of time prior to deploying the ransomware," DiMaggio says. During this time they are using legitimate tools in the environment as well as additional publicly available tools and malware, such as the credential-stealing Mimikatz to expand their presence.

"Identifying the misuse of these legitimate tools or the use of publicly available hack tools within the targeted environment presents an opportunity to stop the attack before it begins," he says.

Related Content:


Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-18
An issue was discovered on ASUS DSL-N14U-B1 devices. An attacker can upload arbitrary file content as a firmware update when the filename Settings_DSL-N14U-B1.trx is used. Once this file is loaded, shutdown measures on a wide range of services are triggered as if it were a real update, r...
PUBLISHED: 2021-01-18
Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory. The affected versions are before version 4.8.5.
PUBLISHED: 2021-01-17
An issue was discovered in Quali CloudShell 9.3. An XSS vulnerability in the login page allows an attacker to craft a URL, with a constructor.constructor substring in the username field, that executes a payload when the user visits the /Account/Login page.
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...