Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



New Sodinokibi Ransomware Delivered via Oracle WebLogic Flaw

A critical Oracle WebLogic Server vulnerability patched last week has been exploited by malicious actors to deliver a new piece of ransomware to organizations.

A critical Oracle WebLogic Server vulnerability patched last week has been exploited by malicious actors to deliver a new piece of ransomware to organizations.

The ransomware, named Sodinokibi, is designed to encrypt files and delete backups in an effort to prevent victims from recovering their files without paying a ransom. It has been analyzed by independent researchers, South Korean cybersecurity firm EST Security, Cisco’s Talos research and intelligence group, and others.

Talos researchers were the ones who spotted Sodinokibi being delivered via the recently fixed WebLogic Server flaw. Deploying ransomware via a vulnerability in WebLogic Server can be highly efficient as, unlike in the case of other attack vectors, no user interaction is required.

Oracle WebLogic Server is a Java EE application server that is part of the company’s Fusion Middleware offering. Vulnerabilities affecting this piece of software can be useful to attackers whose campaigns are aimed at enterprises.

According to Talos, the attackers used PowerShell commands to download and execute their malicious files. Talos and others pointed out that the ransomware is designed to allocate a unique alphanumeric extension to encrypted files on each compromised system.

The ransom demanded by the cybercriminals appears to vary. In some cases it’s $1,500 (the equivalent in bitcoin), while in others it’s $2,500. The amount doubles if the ransom is not paid within a specified number of days — some victims were given two days, while others were given six days to pay the ransom before the amount doubled.

Sodinokibi ransomware

One sample uploaded on Tuesday to VirusTotal is detected at the time of writing by 43 of 70 antivirus engines.

Advertisement. Scroll to continue reading.

The WebLogic Server vulnerability used to deliver the malware is CVE-2019-2725, a critical remote code execution issue. Oracle released an out-of-band update to patch the vulnerability on April 26, after several in-the-wild attacks were observed.

Talos started seeing the first stages of the Sodinokibi attacks — the attackers first looked for exploitable WebLogic servers — on April 25, one day before Oracle released patches.

Talos also noted that in one of the attacks the hackers exploited CVE-2019-2725 once again roughly eight hours after deploying Sodinokibi. This time they leveraged the vulnerability to deliver another piece of ransomware, Gandcrab.

“We find it strange the attackers would choose to distribute additional, different ransomware on the same target. Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab,” Talos researchers explained.

In addition to ransomware, CVE-2019-2725 has been exploited to deliver cryptocurrency miners and other types of malware. Experts believe it has also likely been exploited in targeted attacks.

Related: Oracle WebLogic Server Flaw Exploited to Deliver Crypto-Miners

Related: Hackers Target Poorly Patched Oracle WebLogic Flaw

Related: Recently Patched Oracle WebLogic Flaw Exploited in the Wild

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.