
OSINT Threat Report: A Closer Look at Sodinokibi and Gandcrab - Week of August 19

Welcome to our OSINT Threat Report, a weekly digest of trending threats reported by TruSTAR platform users. Related posts here.


GandCrab was the most reported malware on TruSTAR this week. There is growing consensus in the OSINT community that GandCrab has been repacked as Sodinokibi (aka Sodin or REvil).

Why should this matter to companies and security practitioners in our community? Two things stand out: Cost of compromise and superior TTPs.

Cost of Compromise

Once they gain a foothold, GandCrab and Sodinokibi go for huge ransoms. Most ransomware targeting enterprises seeks on average $50,000, whereas Sodinokibi demands anywhere from $150,000 up to $500,000. Given the spike in this strain of ransomware, cybersecurity insurance companies are expressing deep concerns.

Superior TTPs

According to Krebs on Security, "a growing body of evidence suggests the GandCrab team have instead quietly regrouped behind a more exclusive and advanced ransomware program known variously as REvil, Sodin, and Sodinokibi." More and more security researchers are finding evidence to support this. In addition to copying GandCrab's best tools and tricks, Sodinokibi takes them a step further.

The actors behind Sodinokibi target MSSPs in order to install ransomware on the networks of multiple client companies at once. This is a newer threat vector that is worth watching. Not only is it a gutsy move, it is also effective, and it could force a situation in which MSSPs have to drastically strengthen their own security posture, small and medium businesses move their security in-house to reduce their attack surface, or those same companies can no longer fully trust their MSSPs.

Sodinokibi also leverages CVE-2018-8453, a former zero-day that grants it administrator access on the target's computer. This lets it disable security software and other protection features even from accounts that would not normally have that permission. The vulnerability, a privilege-escalation flaw in the Win32k component present in Windows 7 through 10 and the Server editions, was used by the FruityArmor APT group in one of its campaigns last year.

Recommended Mitigation Steps

  • Disable macros on Microsoft Office products.
  • Deny public IPs access to RDP port 3389.
  • Block SMB port 445. Even better, block all unused ports.
  • Make sure that all software (especially MS products such as Office) and hardware are kept up to date.
  • Provide regular cybersecurity training in general and phishing training in particular to your employees.
  • Apply attachment filtering to email messages.
  • Keep regular backups, preferably multiple backups, with at least some that are not connected to the Internet.
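The following script is an added example, not part of the original TruSTAR post, showing how the first three mitigation steps above (Office macros, RDP from public IPs, SMB 445) plus a patch-level check can be applied and verified on a single Windows host with the built-in NetSecurity and registry cmdlets. The RFC 1918 ranges, the rule names, and the Office 16.0 policy path are assumptions for the example; adjust them to your environment.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's own code): apply the report's host-level
# mitigations on Windows and print evidence that they took effect.

# Private ranges treated as "non-public" for RDP (assumption: adjust to your
# management networks).
$PrivateRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

# 1. Deny public IPs access to RDP (TCP 3389): restrict the built-in
#    "Remote Desktop" allow rules to private ranges. Windows Firewall drops
#    inbound traffic that no allow rule matches, so public sources are denied.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $PrivateRanges

# 2. Block inbound SMB (TCP 445). Block rules take precedence over allow rules
#    in Windows Firewall, so this overrides the default File and Printer
#    Sharing allow rules as well. Rule name is an assumption for the example.
$SmbRuleName = 'Block inbound SMB 445'
if (-not (Get-NetFirewallRule -DisplayName $SmbRuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $SmbRuleName -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
}

# 3. Disable Office macros by policy for the current user. The 16.0 key
#    covers Office 2016/2019/365 (assumption: change for other versions).
#    VBAWarnings = 4                     -> disable all macros, no notification
#    blockcontentexecutionfrominternet=1 -> block macros in files from the Internet
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 `
        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# 4. Verify, so the change can be evidenced in a ticket or audit.
Write-Host '--- Remote Desktop rules: permitted remote addresses ---'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress

Write-Host '--- SMB block rule ---'
Get-NetFirewallRule -DisplayName $SmbRuleName |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort

Write-Host '--- Office macro policy ---'
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" |
        Select-Object @{n='App';e={$app}}, VBAWarnings, blockcontentexecutionfrominternet
}

# 5. "Keep software up to date": show the most recent hotfixes so the patch
#    level can be compared against the vendor advisory for CVE-2018-8453.
Write-Host '--- Most recent hotfixes ---'
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
```

Run it from an elevated PowerShell session on each host, or wrap the same settings in Group Policy for fleet-wide enforcement; the verification section at the end is what you keep as evidence that the controls are in place.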
