Dissecting the threat from Sodinokibi ransomware


The ransomware is being actively distributed in the wild through Managed Service Providers, exploit kits and spam campaigns.
The ransomware has been designed to target systems running the Windows operating system.

Sodinokibi, also known as Sodin or REvil, is the new king of ransomware. The ransomware, believed to be generating profits on the scale of GandCrab, is still actively used against organizations across the globe. The malware leverages vulnerable Managed Service Providers, exploit kits, spam campaigns and flawed servers to propagate across systems.


Who is behind the malware?


The notorious ransomware is likely being distributed by attackers affiliated with those who distributed the infamous GandCrab ransomware family, which supposedly retired, according to an announcement on an underground forum.


How does it operate?


Once the ransomware is installed, it creates a .txt file named ‘[PATH TO ENCRYPTED FILES][RANDOM EXTENSION]-HOW-TO-DECRYPT.txt’. It then issues commands to delete Shadow Volume Copies and disable Windows Startup Repair.
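The shadow-copy deletion and Startup Repair tampering described above leave a clear trace in process-creation telemetry. The following Python is an added example for this write-up, not code from the article or from the malware: it runs a few command-line rules over constructed Sysmon-style process events (the `ParentImage` and `CommandLine` field names are assumed to follow Sysmon event ID 1) and escalates when one parent process issues more than one recovery-inhibiting command, which is far less likely to be routine administration than any single command on its own.

```python
"""Flag process-creation events that match the recovery-inhibition steps
the article describes: deleting Shadow Volume Copies and disabling Windows
Startup Repair. The events below are constructed, not real telemetry."""
import re
from collections import defaultdict

# Each rule is (name, regex over the lower-cased command line). The command
# forms are the standard vssadmin/wmic/bcdedit invocations for these actions.
RULES = [
    ("shadow_copies_deleted",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("shadow_copies_deleted",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b")),
    ("startup_repair_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
]


def flag_recovery_tampering(events):
    """Return one finding per event whose command line matches a rule."""
    findings = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        for name, rx in RULES:
            if rx.search(cmd.lower()):
                findings.append({"rule": name,
                                 "parent": ev.get("ParentImage", ""),
                                 "cmd": cmd})
                break  # one finding per event is enough
    return findings


def suspicious_parents(findings, min_rules=2):
    """Parents that spawned two or more distinct recovery-inhibiting
    commands; the combination is a much stronger signal than one hit."""
    by_parent = defaultdict(set)
    for f in findings:
        by_parent[f["parent"].lower()].add(f["rule"])
    return sorted(p for p, rules in by_parent.items() if len(rules) >= min_rules)


# Constructed sample events, shaped like Sysmon event ID 1 fields (assumed).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\bob\AppData\Local\Temp\dropper.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ParentImage": r"C:\Users\bob\AppData\Local\Temp\dropper.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"ParentImage": r"C:\Users\bob\AppData\Local\Temp\dropper.exe",
     "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},  # benign admin query, no match
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    hits = flag_recovery_tampering(SAMPLE_EVENTS)
    for h in hits:
        print(h["rule"], "<-", h["cmd"])
    print("escalate:", suspicious_parents(hits))
```

The benign `vssadmin list shadows` event is deliberately included: a rule keyed on `vssadmin` alone would page on every backup check, so the regexes require the destructive verbs, and the parent-process grouping is what turns three medium-confidence hits into one high-confidence alert.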


After this, Sodinokibi encrypts files on the compromised server and appends to each encrypted file a random extension that is unique to each compromised computer.


The ransomware encrypts files with specific extensions, including .jpg, .jpeg, .raw, .tif, .png, .bmp, .3dm, .max, .accdb, .db, .mdb, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .aaf, .aep, .aepx, .plb, .prel, .aet, .ppj, .gif and .psd.


Once the malware completes its encryption process, Sodinokibi changes the desktop wallpaper and drops a ransom note. The note contains instructions about the decryption process and on how to make the payment to have the files decrypted. These ransom notes contain unique keys and links to the payment site.
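The per-machine random extension and the `[RANDOM EXTENSION]-HOW-TO-DECRYPT.txt` note name described above are the artifacts an incident responder can pivot on. The following Python is an added example, not from the article: it reads the extension token out of any note file name it finds, then counts how many files carry that same extension and in how many directories a note was dropped. The assumption that the token is a short run of letters and digits is mine and is marked in the code; the file paths are constructed for the example.

```python
"""Look for the on-disk artifacts the article describes: many files that
share one random extension, plus '<extension>-HOW-TO-DECRYPT.txt' notes
dropped beside them. The sample paths below are constructed."""
import ntpath
import os
import re
from collections import defaultdict

# Assumption (not stated in the article): the random extension is a short
# run of letters/digits, so the note is named '<token>-HOW-TO-DECRYPT.txt'.
NOTE_RE = re.compile(r"^([a-z0-9]{4,12})-how-to-decrypt\.txt$", re.IGNORECASE)


def analyze_paths(paths):
    """Return the ransom notes found and, for each extension token named by
    a note, how many files carry it and how many directories hold a note."""
    notes, note_tokens = [], set()
    note_dirs = defaultdict(set)
    ext_files = defaultdict(int)

    # Pass 1: harvest the extension tokens from note file names.
    for p in paths:
        m = NOTE_RE.match(ntpath.basename(p))
        if m:
            token = m.group(1).lower()
            notes.append(p)
            note_tokens.add(token)
            note_dirs[token].add(ntpath.dirname(p).lower())

    # Pass 2: count files whose final extension is one of those tokens.
    for p in paths:
        name = ntpath.basename(p)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in note_tokens:
            ext_files[ext] += 1

    summary = {tok: {"files": ext_files[tok],
                     "dirs_with_note": len(note_dirs[tok])}
               for tok in note_tokens}
    return {"notes": notes, "extensions": summary}


def scan_directory(root):
    """Walk a real directory tree and run the same analysis on it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return analyze_paths(paths)


# Constructed sample listing: one random token across two directories,
# with untouched files mixed in.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.k8q2x7",
    r"C:\Users\alice\Documents\budget.xlsx.k8q2x7",
    r"C:\Users\alice\Documents\k8q2x7-HOW-TO-DECRYPT.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.k8q2x7",
    r"C:\Users\alice\Pictures\k8q2x7-HOW-TO-DECRYPT.txt",
    r"C:\Users\alice\Pictures\logo.png",
    r"C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    result = analyze_paths(SAMPLE_PATHS)
    print("notes:", len(result["notes"]))
    for tok, stats in result["extensions"].items():
        print(tok, stats)
```

Because the token is taken from the note rather than hard-coded, the same scan works on every infected machine even though each one gets a different extension; `ntpath` is used so the Windows-style paths parse correctly when the analysis is run from a Linux forensics box.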


Propagation by exploiting vulnerabilities


Threat actors have also managed to dist ..
