Threat Management, Malware, Phishing, Ransomware

Sodinokibi ransomware campaigns span growing array of attack vectors

Since its discovery of Sodinokibi ransomware last April, cybercriminals have reportedly been attempting to infect networks with the malicious encryption program through a growing number of vectors, including supply chain attacks, spam, and malvertisements that redirect victims to an exploit kit.

Sodinokibi encrypts data found in the user directory and prevents data recovery by leveraging the Microsoft Windows vssadmin.exe utility to delete any "shadow copies." When first uncovered by researchers at Cisco's Talos division, it was observed spreading via a remotely exploitable vulnerability in the Oracle WebLogic Server.

But in the ensuing two months, Sodinokibi affiliates began spreading the ransomware in a wide variety of manners. Just last week, ZDNet reported that attackers were compromising managed service providers to attack their clients with the ransomware via a supply chain attack.

And Bleeping Computer reported that the malicious actors are similarly compromising software distribution websites to infect their site visitors.
Italian cybersecurity firm TG Soft told the news outlet that a distributor for WinRar in Italy was one such victimized website.

The ransomware attacks executed through MSPs were first reported by users on the r.msp Reddit, who warned that adversaries were accessing MSP networks via Remote Desktop Services and then pushing the ransomware to client endpoints using various management consoles such as Webroot, Kaseya and ConnectWise. (The news reports also received similar intel from Kyle Hanslovan, CEO of Huntress Labs.)

Bleeping Computer also detailed a new phishing campaign, discovered by TG Soft, which sent potential victims spam emails impersonating travel website Booking.com. The emails contained a malicious Word document attachment that would download Sodinokibi from a remote site if the recipient enabled its embedded macros.

And in a follow-up story just yesterday, Bleeping Computer cited a warning from exploit kit researcher nao_sec, who discovered that Sodinokibi was also being distributed via malvertisements
on the PopCash ad network that redirect to the RIG exploit kit.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.