Sodinokibi/REvil Ransomware: The Evasive Threat

Overview

Sodinokibi, also known as REvil, is a highly prolific and sophisticated ransomware-as-a-service (RaaS) operation active since at least April 2019. Initially observed primarily in Asia, its activity has expanded significantly to include Europe and other regions. The group’s ransomware is highly evasive, employing various techniques to bypass antivirus detection. Strong evidence suggests a connection to the creators of the GandCrab ransomware, a previously dominant player in the ransomware landscape. Sodinokibi’s operations are financially driven, with the group demonstrating a willingness to publicly leak stolen data from victims who refuse to pay ransoms.

Known Aliases of Sodinokibi Ransomware

• Sodinokibi
• REvil
• Sodin
• Gold Southfield
• UNKN
• Unknown
• White Ursia

Country of Origin

While the precise country of origin remains unconfirmed, strong indicators point towards a connection to Russia or other countries within the Commonwealth of Independent States (CIS) region, given the language-based restrictions in their ransomware’s code and statements from actors on underground forums.

Most Recent Attacks Involving Sodinokibi Ransomware

• Travelex (December 2019): A significant attack on the foreign exchange company Travelex, resulting in the encryption of over 5GB of data and a ransom demand of $6 million. The attack reportedly leveraged a vulnerability in Pulse Secure VPN (CVE-2019-11510).
• Artech Information Systems (January 2020): After a ransom was not paid, the group publicly released stolen data from this victim.
• Numerous other victims: The group has targeted a wide range of organizations across various sectors, though specific details on many attacks are not publicly available due to the nature of ransomware attacks and non-disclosure agreements. The RaaS model suggests a large number of less-publicized attacks by affiliates.

MITRE ATT&CK Tactics and Techniques Used by Sodinokibi Ransomware

• T1134.001: Access Token Manipulation: Token Impersonation/Theft
• T1134.002: Access Token Manipulation: Create Process with Token
• T1071.001: Application Layer Protocol: Web Protocols (HTTP, HTTPS)
• T1059.001: Command and Scripting Interpreter: PowerShell
• T1059.003: Command and Scripting Interpreter: Windows Command Shell
• T1059.005: Command and Scripting Interpreter: Visual Basic
• T1485: Data Destruction
• T1486: Data Encrypted for Impact
• T1140: Deobfuscate/Decode Files or Information
• T1189: Drive-by Compromise
• T1573.002: Encrypted Channel: Asymmetric Cryptography (ECIES)
• T1480.002: Execution Guardrails: Mutual Exclusion
• T1041: Exfiltration Over C2 Channel
• T1083: File and Directory Discovery
• T1562.001: Impair Defenses: Disable or Modify Tools
• T1562.009: Impair Defenses: Safe Mode Boot
• T1070.004: Indicator Removal: File Deletion
• T1105: Ingress Tool Transfer
• T1490: Inhibit System Recovery
• T1036.005: Masquerading: Match Legitimate Name or Location
• T1112: Modify Registry
• T1106: Native API
• T1027.011: Obfuscated Files or Information: Fileless Storage
• T1027.013: Obfuscated Files or Information: Encrypted/Encoded File
• T1069.002: Permission Groups Discovery: Domain Groups
• T1566.001: Phishing: Spearphishing Attachment
• T1055: Process Injection
• T1012: Query Registry
• T1489: Service Stop
• T1082: System Information Discovery
• T1614.001: System Location Discovery: System Language Discovery
• T1007: System Service Discovery
• T1204.002: User Execution: Malicious File
• T1047: Windows Management Instrumentation
• T0828: (ICS) Loss of Productivity and Revenue
• T0849: (ICS) Masquerading
• T0886: (ICS) Remote Services
• T0853: (ICS) Scripting
• T0881: (ICS) Service Stop
• T0869: (ICS) Standard Application Layer Protocol
• T0882: (ICS) Theft of Operational Information
• T0863: (ICS) User Execution

Methods of Attack/Infiltration Used by Sodinokibi Ransomware:

The group uses a multi-stage attack process:

1. Initial Infection: Phishing emails containing malicious links or attachments are the primary delivery method. Exploiting publicly known vulnerabilities in software is also used.
2. Payload Delivery: Malicious JavaScript files, often obfuscated, are executed. These scripts download or deobfuscate further payloads (PowerShell scripts and .NET modules).
3. Privilege Escalation: Techniques like UAC bypass are used to gain system-level privileges.
4. Payload Injection: The final ransomware payload is injected into a legitimate process, such as AhnLab antivirus (targeting a specific vendor) or a PowerShell process, to evade detection.
5. Encryption: Files are encrypted using strong encryption, and a ransom note is displayed.
6. Data Exfiltration (Optional): In some cases, data is exfiltrated before encryption, and is released publicly if the ransom is not paid.
7. C2 Communication: Encrypted information about the compromised system is sent to the attacker’s command-and-control (C2) servers.

Malware/Ransomware Strains of Sodinokibi Ransomware:

The primary malware used is the Sodinokibi/REvil ransomware itself. The initial infection vector often involves obfuscated JavaScript and PowerShell scripts, working as loaders for the final ransomware payload.