McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo

Episode 4: Crescendo


This is the final installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to GandCrab, the most prolific Ransomware-as-a-Service (RaaS) campaign of 2018 and mid-2019.


In this final episode of our series we will zoom in on the operations, techniques and tools used by different affiliate groups spreading Sodinokibi ransomware.


Since May we have observed several different modi operandi by different affiliates, for example:


Distributing the ransomware using spear-phishing and weaponized documents
Bat files downloading payloads from Pastebin and injecting them into a process on the operating system
Compromising RDP and using script files and password-cracking tools to spread across the victim’s network
Compromising Managed Service Providers and using their distribution software to spread the ransomware

To understand more about how this enemy operates, we in McAfee Advanced Threat Research (ATR) decided to operate a global network of honeypots. We were aware of the lively underground trade market of RDP credentials and were curious about what someone would do with a compromised machine. Would they distribute the Sodinokibi ransomware? Would they execute the DejaBlue or BlueKeep exploits? Our specially designed and built RDP honeypots would give us those insights.


Like Moths to a Flame


From June until September 2019, we observed several groups compromise our honeypots and conduct activities related to Sodinokibi; we were able to fully monitor the attackers and their actions without their knowledge.


It is important to note the golden rule we operated under: the moment criminal actions were prepared or about to be executed, the actor would be disconnected and the machine would be restored to its or ..
