The SonicWall Capture Labs Threat Research Team has observed reports of Sodinokibi, a ransomware family that exploits a deserialization vulnerability in Oracle WebLogic servers (CVE-2019-2725) as its primary infection vector. The same exploit has also been used by other attackers to install cryptominers, information stealers and botnets. The attackers demand $1500 USD in Bitcoin for file decryption if the ransom is paid within 7 days; if it is not paid within this period, the price doubles to $3000 USD.
Infection Cycle:
The trojan uses the following icon:
Upon infection, the following text and background is displayed on the desktop:
It makes the following DNS query:
It creates the following files:
It adds the following keys to the registry:
It executes the following command to disable startup repair and remove Windows shadow copies:
It encrypts files on the system and appends to each file an extension consisting of a random alphanumeric string, in this case "2cb12ec9".
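As an added example (not part of the advisory, and not SonicWall's own signatures), this is detection logic a defender could run over process-creation logs to flag the shadow-copy removal and startup-repair tampering described above. The log lines are constructed, and the command patterns are the commonly documented vssadmin/bcdedit/wmic forms, assumed here because the advisory shows the actual command only as an image.

```python
import re

# Constructed Sysmon-style process-creation events (not from the advisory).
# The tampering commands are assumed, commonly documented forms, not quoted from the page.
SAMPLE_EVENTS = [
    'ParentImage=C:\\Users\\victim\\AppData\\Local\\Temp\\payload.exe '
    'CommandLine="cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & '
    'bcdedit /set {default} recoveryenabled No"',
    'ParentImage=C:\\Windows\\explorer.exe CommandLine="vssadmin.exe list shadows"',
    'ParentImage=C:\\Windows\\System32\\svchost.exe CommandLine="notepad.exe C:\\temp\\notes.txt"',
    'ParentImage=C:\\temp\\x.exe CommandLine="wmic shadowcopy delete"',
]

# Each pattern names one recovery-inhibition behaviour (MITRE ATT&CK T1490 style).
PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmi_shadow_copy_deletion": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "startup_repair_disabled": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "boot_failures_ignored": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
}


def parse_event(line):
    """Pull ParentImage and CommandLine out of a key=value log line."""
    parent = re.search(r"ParentImage=(\S+)", line)
    cmd = re.search(r'CommandLine="([^"]*)"', line)
    return (parent.group(1) if parent else "", cmd.group(1) if cmd else "")


def classify(line):
    """Return the matched behaviours for one event; 'alert' is True on any hit."""
    parent, cmd = parse_event(line)
    hits = [name for name, rx in PATTERNS.items() if rx.search(cmd)]
    return {"parent": parent, "commandline": cmd, "matches": hits, "alert": bool(hits)}


def scan(lines):
    """Return only the events that should raise an alert, in log order."""
    results = (classify(line) for line in lines)
    return [r for r in results if r["alert"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["parent"], "->", hit["matches"])
```

Listing shadow copies (the second event) is benign administration and is deliberately not flagged; only deletion and recovery-setting changes raise an alert.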
0vhra-readme.txt contains the following message:
The following link is provided in the message:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B3EC8BB678B73C19
It is a webpage located on the Tor network:
Pressing "SUBMIT" or opening the second link (http://decryptor.top/B3EC8BB678B73C19) leads to the following page:
SonicWall Capture Labs provides protection against this threat via the following signatures:
This threat is also detected by SonicWall Capture ATP with RTDMI and by the Capture Client endpoint solution.