GandCrab was the most reported malware on TruSTAR this week. There is growing consensus in the OSINT community that GandCrab has been repacked as Sodinokibi (aka Sodin or REvil).
Why should this matter to companies and security practitioners in our community? Two things stand out: cost of compromise and superior TTPs.
Cost of Compromise
If they can land, GandCrab and Sodinokibi go for huge ransoms. Most ransomware targeting enterprises seeks on average $50,000; Sodinokibi demands anywhere from $150,000 up to $500,000. Given the spike in this strain of ransomware, cybersecurity insurance companies are expressing deep concern.
According to Krebs on Security, "a growing body of evidence suggests the GandCrab team have instead quietly regrouped behind a more exclusive and advanced ransomware program known variously as REvil, Sodin, and Sodinokibi." More and more security researchers are finding evidence to support this. In addition to copying GandCrab's best tools and tricks, Sodinokibi also takes them a step further.
The actors behind Sodinokibi target MSSPs in order to install ransomware on the networks of multiple companies at once. This is a newer threat vector that is worth watching. Not only is this a gutsy move, but it is also effective, and it could lead to a situation in which MSSPs have to drastically improve their own security posture, small and medium businesses are forced to handle their security in-house to reduce their attack surface, or those same companies can no longer fully trust their MSSPs.
Sodinokibi also leverages the former zero-day CVE-2018-8453, which grants it administrative access to the target's computer. This allows it to disable security software and other protection features even from accounts that normally would not have that permission. The vulnerability, which abuses the Win32k component present on Windows 7 through 10 and Server editions to escalate privileges, was used by the FruityArmor APT last year in one of its campaigns.
Recommended Mitigation Steps
- Disable macros in Microsoft Office products.
- Deny public IPs access to RDP port 3389.
- Block SMB port 445. Even better, block all unused ports.
- Make sure that all software (especially Microsoft products such as Office) and hardware are kept up to date.
- Provide regular cybersecurity training in general, and phishing training in particular, to your employees.
- Apply attachment filtering to email messages.
- Keep regular backups, preferably multiple backups, with at least some that are not connected to the Internet.
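The macro, RDP and SMB items above can be applied and audited on a single Windows host with the following PowerShell script. This is an added example, not code from the TruSTAR report; it assumes Office 2016 or later (registry path "16.0"), that only RFC 1918 ranges are legitimate RDP sources, and that SMB is blocked on the Public firewall profile only so domain file shares keep working.

```powershell
#Requires -RunAsAdministrator
# Added example: applies three mitigations from the list and returns an audit object.
# Assumptions: Office 2016+ policy path (16.0); private ranges = RFC 1918; SMB blocked on Public only.

$OfficeApps    = 'Word', 'Excel', 'PowerPoint'
$PrivateRanges = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'

function Set-OfficeMacroPolicy {
    # VBAWarnings = 4 disables all macros without notification;
    # blockcontentexecutionfrominternet = 1 blocks macros in files carrying the Mark of the Web.
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value 4
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
    }
}

function Set-RdpPrivateOnly {
    # Block rules override allow rules in Windows Firewall, so rather than "block public IPs"
    # we disable the built-in RDP allow rules and add one allow rule scoped to private ranges;
    # any other source then falls through to the profile's default inbound block.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName 'RDP 3389 - private ranges only' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $PrivateRanges -Action Allow | Out-Null
}

function Block-PublicSmb {
    New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (Public)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Profile Public -Action Block | Out-Null
}

function Test-RansomwareHardening {
    # Audit view: one boolean per control, so results can be logged or compared across hosts.
    $macro = foreach ($app in $OfficeApps) {
        $sec = Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" `
            -ErrorAction SilentlyContinue
        $sec.VBAWarnings -eq 4
    }
    [pscustomobject]@{
        MacrosDisabled   = ($macro -notcontains $false)
        RdpPrivateOnly   = [bool](Get-NetFirewallRule -DisplayName 'RDP 3389 - private ranges only' -ErrorAction SilentlyContinue)
        SmbBlockedPublic = [bool](Get-NetFirewallRule -DisplayName 'Block inbound SMB 445 (Public)' -ErrorAction SilentlyContinue)
    }
}

Set-OfficeMacroPolicy; Set-RdpPrivateOnly; Block-PublicSmb
Test-RansomwareHardening | Format-List
```

The macro keys are written under HKCU, which covers the current user only; for fleet-wide enforcement push the same values through Group Policy instead.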