Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:15 PM
Connect Directly

Attackers Scanning for PoS Software in New Sodinokibi Ransomware Campaign

Making extra money from victims appears to be the goal, Symantec says.

Operators of Sodinokibi — one of the biggest ransomware threats currently targeting enterprise organizations — appear to have hit on a new tactic to try and generate extra money from victims.

Security researchers at Symantec recently spotted a Sodinokibi ransomware campaign where the attackers are scanning the networks of their targets for credit-card or point-of-sale (POS) data. It is unclear whether the attackers are targeting the data for encryption or they view it as another way to make money from their victims.

Symantec reported observing the attackers in the latest campaign using the Cobalt Strike penetration-testing tool to deliver Sodinokibi on victim networks. At least eight organizations — most of them large, multisite entities — were found to have the Cobalt Strike tool on their systems. Three of those organizations — one each from the healthcare, food, and services sectors — were later infected with Sodinokibi, the security vendor said in a report Tuesday.

The attackers have demanded as much as $50,000 in Monero cryptocurrency from the victims if paid within the first three hours, or $100,000 if paid later. Symantec says it has not been able to determine how the attackers gained initial access to the victim networks in the latest campaign; typical tactics have included the use of phishing emails and exploiting vulnerabilities in an organization's Internet-facing infrastructure. In some cases, the attackers have opened accounts on infected systems to maintain persistence.

"Adversaries are always looking for creative ways to increase profit from their attack campaigns," says Symantec cyber intelligence analyst Jon DiMaggio.

In the current campaign, the Sodinokibi attacker is leveraging all resources across the victim's infrastructure to maximize profits. "This indicates they are not solely interested in obtaining a ransom," DiMaggio says. "They are looking for other ways to potentially make a profit."

It is likely the attacker would deploy POS-scanning malware to extract credit-card details, if they would POS systems on a victim network, he says.

Sodinokibi has emerged as one of the most prolific ransomware strains since it first surfaced in April 2019, at least partly because it is being distributed under a ransomware-as-a-service model. Several security vendors have described the malware (aka REvil) as being used mostly in attacks against large organizations with the resources to pay big ransoms to get their data back.

The malware's more notable victims include foreign exchange service Travelex, which reportedly paid some $2.3 million earlier this year to recover data following a New Year's Eve attack on its systems. Sodinokibi has also been associated with an attack on A-list celebrity law firm Grubman Shire Meiselas & Sacks earlier this year.

Data Exposure Threat
In recent months, Sodinokibi has been used in campaigns where threat actors have stolen sensitive, business-critical data from victim organizations before encrypting the data. The attackers have then threatened to publicly release the data if the victim organization refused to pay the demanded ransom. Earlier this month, the group behind Sodinokibi launched a website through which it plans on auctioning stolen data to interested buyers.

"This is a relatively new tactic seen only by a few groups of organized ransomware attackers," DiMaggio says. The intent is to embarrass the victim by releasing sensitive business data or even data associated with the victim's customers, thereby making them potentially liable for damage, he says.

Sodinokibi emerged right around the time the operators of the equally destructive GandCrab ransomware family announced their "retirement" after collecting a reported $2 billion in ransom money from victims worldwide. Many believe the GandCrab group is now behind Sodinokibi as well.

In its report this week, Symantec described the threat actors behind the latest Sodinokibi campaign as using a combination of custom malware and legitimate tools and infrastructure to carry out attacks. Examples include the use of a remote admin tool from NetSupport to distribute malware components, the use of code-hosting service Patebin to host Cobalt Strike and Sodinokibi, and Amazon CloudFront service for command-and-control purposes.

The goal in using these services to host malicious payloads and communicate with infected systems is to ensure the malicious activity is hidden within an organization's legitimate traffic. Defenders may overlook network connections to legitimate infrastructure and therefore allow malicious activity to continue on their networks, DiMaggio says.

Targeted ransomware attacks are on the rise, so it is vital for organizations to bolster their endpoint security and have data backup and recovery plans in place in the event they are attacked. Also important is for organizations to deploy controls for detecting the misuse of legitimate tools and services on their networks.

"In almost every targeted enterprise ransomware attack, the adversary is present on the network for a period of time prior to deploying the ransomware," DiMaggio says. During this time they are using legitimate tools in the environment as well as additional publicly available tools and malware, such as the credential-stealing Mimikatz to expand their presence.

"Identifying the misuse of these legitimate tools or the use of publicly available hack tools within the targeted environment presents an opportunity to stop the attack before it begins," he says.

Related Content:


Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-25
SAS Environment Manager 2.5 allows XSS through the Name field when creating/editing a server. The XSS will prompt when editing the Configuration Properties.
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version You can get the update to regularly via the Auto-U...
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibilit...
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommend to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommend to update to the version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.