The threat actor behind the Sodinokibi ransomware was observed scanning the victim networks for credit card or point of sale (POS) software.
Sodinokibi, Symantec’s security researchers reveal, was found on the networks of three organizations that had been previously infected with the Cobalt Strike commodity malware.
An off-the-shelf tool, Cobalt Strike is employed by a broad range of threat actors, including multiple ransomware gangs. Even WastedLocker, the most recent ransomware developed by Dridex operators, is being distributed using a Cobalt Strike loader.
The Sodinokibi ransomware was deployed on the environments of organizations in the services, food, and healthcare sectors, which appear to have been chosen due to their size (they are primarily large, even multinational), as the attackers were looking to receive large ransom payments.
Victims were asked to pay $50,000 in the Monero cryptocurrency, if the ransom is paid within the first three hours. After that, the ransom amount would increase to $100,000.
Legitimate tools, Pastebin, and Amazon’s CloudFront service were used to perform attacks, host the payloads (the Cobalt Strike malware and Sodinokibi), and for command and control (C&C) purposes, respectively.
After compromising a network, the attackers would attempt to disable security software to minimize chances of being detected. They would also enable remote desktop connections and target credentials to maintain persistence.
The Sodinokibi ransomware was deployed on the systems of three organizations. Of the three, two victims (in the services and food industries) were large, while the last (a healthcare organization) appears to have been a smaller operation.
The security researchers discovered that the attackers also scanned the third victim’s systems for POS software, likely in an attempt to monetize the intrusion after realizing the organization might not be able to pay a large ransom. However, it is also possible that the hackers were scanning for this type of software simply to encrypt it.
“While many of the elements of this attack are ‘typical’ tactics seen in previous attacks using Sodinokibi, the scanning of victim systems for PoS software is interesting, as this is not typically something you see happening alongside targeted ransomware attacks. It will be interesting to see if this was just opportunistic activity in this campaign, or if it is set to be a new tactic adopted by targeted ransomware gangs,” Symantec concludes.
Sodinokibi (aka REvil), was first observed in April 2019, likely operated by the actor behind the GandCrab ransomware, who retired in June 2019, claiming $2 billion in proceeds. Sodinokibi is now believed to be operated as a ransomware-as-a-service (RaaS).
One of Sodinokibi’s victims was British-based foreign currency company Travelex, which reportedly paid $2.3 million to regain access to the encrypted data.
Related: New Sodinokibi Ransomware Delivered via Oracle WebLogic Flaw
Related: Christmas Ransomware Attack Hit New York Airport Servers