Operators of Sodinokibi — one of the biggest ransomware threats currently targeting enterprise organizations — appear to have hit on a new tactic to try and generate extra money from victims.
Security researchers at Symantec recently spotted a Sodinokibi ransomware campaign where the attackers are scanning the networks of their targets for credit-card or point-of-sale (POS) data. It is unclear whether the attackers are targeting the data for encryption or whether they view it as another way to make money from their victims.
Symantec reported observing the attackers in the latest campaign using the Cobalt Strike penetration-testing tool to deliver Sodinokibi on victim networks. At least eight organizations — most of them large, multisite entities — were found to have the Cobalt Strike tool on their systems. Three of those organizations — one each from the healthcare, food, and services sectors — were later infected with Sodinokibi, the security vendor said in a report Tuesday.
The attackers have demanded as much as $50,000 in Monero cryptocurrency from the victims if paid within the first three hours, or $100,000 if paid later. Symantec says it has not been able to determine how the attackers gained initial access to the victim networks in the latest campaign; typical tactics have included the use of phishing emails and exploiting vulnerabilities in an organization's Internet-facing infrastructure. In some cases, the attackers have opened accounts on infected systems to maintain persistence.
"Adversaries are always looking for creative ways to increase profit from their attack campaigns," says Symantec cyber intelligence analyst Jon DiMaggio.
In the current campaign, the Sodinokibi attacker is leveraging all resources across the victim's infrastructure to maximize profits. "This indicates they are not solely interested in obtaining a ransom," DiMaggio says. "They are looking for other ways to potentially make a profit."
It is likely the attacker would deploy POS-scanning malware to extract credit-card details if they were to find POS systems on a victim network, he says.
Sodinokibi has emerged as one of the most prolific ransomware strains since it first surfaced in April 2019, at least partly because it is being distributed under a ransomware-as-a-service model. Several security vendors have described the malware (aka REvil) as being used mostly in attacks against large organizations with the resources to pay big ransoms to get their data back.
The malware's more notable victims include foreign exchange service Travelex, which reportedly paid some $2.3 million earlier this year to recover data following a New Year's Eve attack on its systems. Sodinokibi has also been associated with an attack on A-list celebrity law firm Grubman Shire Meiselas & Sacks earlier this year.
Data Exposure Threat
In recent months, Sodinokibi has been used in campaigns where threat actors have stolen sensitive, business-critical data from victim organizations before encrypting the data. The attackers have then threatened to publicly release the data if the victim organization refused to pay the demanded ransom. Earlier this month, the group behind Sodinokibi launched a website through which it plans on auctioning stolen data to interested buyers.
"This is a relatively new tactic seen only by a few groups of organized ransomware attackers," DiMaggio says. The intent is to embarrass the victim by releasing sensitive business data or even data associated with the victim's customers, thereby making them potentially liable for damage, he says.
Sodinokibi emerged right around the time the operators of the equally destructive GandCrab ransomware family announced their "retirement" after collecting a reported $2 billion in ransom money from victims worldwide. Many believe the GandCrab group is now behind Sodinokibi as well.
In its report this week, Symantec described the threat actors behind the latest Sodinokibi campaign as using a combination of custom malware and legitimate tools and infrastructure to carry out attacks. Examples include the use of a remote admin tool from NetSupport to distribute malware components, the use of code-hosting service Pastebin to host Cobalt Strike and Sodinokibi, and Amazon CloudFront service for command-and-control purposes.
The goal in using these services to host malicious payloads and communicate with infected systems is to ensure the malicious activity is hidden within an organization's legitimate traffic. Defenders may overlook network connections to legitimate infrastructure and therefore allow malicious activity to continue on their networks, DiMaggio says.
Targeted ransomware attacks are on the rise, so it is vital for organizations to bolster their endpoint security and have data backup and recovery plans in place in the event they are attacked. Also important is for organizations to deploy controls for detecting the misuse of legitimate tools and services on their networks.
"In almost every targeted enterprise ransomware attack, the adversary is present on the network for a period of time prior to deploying the ransomware," DiMaggio says. During this time they are using legitimate tools in the environment as well as additional publicly available tools and malware, such as the credential-stealing Mimikatz, to expand their presence.
"Identifying the misuse of these legitimate tools or the use of publicly available hack tools within the targeted environment presents an opportunity to stop the attack before it begins," he says.
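As an added illustration of the detection controls the article calls for (not code from Symantec or from the report), the script below runs two checks over constructed proxy log lines: a non-browser process pulling from a code-hosting site, as with the Pastebin-hosted payloads, and regular, low-jitter connections to a CDN host, the beacon pattern a CloudFront-fronted C2 channel would leave. The log format, hostnames and the CloudFront subdomains are all constructed for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log: "epoch_seconds host process destination_domain"
SAMPLE_LOG = """\
1000 WS01 powershell.exe pastebin.com
1060 WS01 rundll32.exe d111111abcdef8.cloudfront.net
1120 WS01 rundll32.exe d111111abcdef8.cloudfront.net
1180 WS01 rundll32.exe d111111abcdef8.cloudfront.net
1240 WS01 rundll32.exe d111111abcdef8.cloudfront.net
1300 WS01 rundll32.exe d111111abcdef8.cloudfront.net
1005 WS02 chrome.exe d222222xyz.cloudfront.net
1900 WS02 chrome.exe d222222xyz.cloudfront.net
4400 WS02 chrome.exe d222222xyz.cloudfront.net
"""

PAYLOAD_HOSTS = {"pastebin.com"}      # code-hosting site abused for payloads
CDN_SUFFIXES = (".cloudfront.net",)   # CDN abused for command and control
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # expected CDN clients

def parse(log):
    """Split each line into (timestamp, host, process, destination)."""
    rows = []
    for line in log.splitlines():
        ts, host, proc, dst = line.split()
        rows.append((int(ts), host, proc.lower(), dst.lower()))
    return rows

def find_payload_downloads(rows):
    """A non-browser process fetching from a code-hosting site is the
    Pastebin-style payload staging worth a closer look."""
    return sorted({(h, p, d) for _, h, p, d in rows
                   if d in PAYLOAD_HOSTS and p not in BROWSERS})

def find_beacons(rows, min_hits=4, max_jitter=0.2):
    """Regular, low-jitter connections from one process to one CDN host
    look like a beacon. jitter = stdev / mean of the inter-arrival gaps."""
    series = defaultdict(list)
    for ts, h, p, d in rows:
        if d.endswith(CDN_SUFFIXES):
            series[(h, p, d)].append(ts)
    hits = []
    for key, times in series.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and mean(gaps) > 0 \
                and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(key + (round(mean(gaps)),))   # append mean interval
    return sorted(hits)
```

The browser-driven CloudFront traffic from WS02 is irregular and sparse, so only the rundll32.exe series on WS01 is reported, with its 60-second interval.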