Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike

Symantec researchers have spotted a Sodinokibi targeted ransomware campaign in which the attackers are also scanning the networks of some victims for credit card or point of sale (PoS) software.  


It is not clear if the attackers are targeting this software for encryption or because they want to scrape this information as a way to make even more money from this attack.


The attackers are using the Cobalt Strike commodity malware to deliver the Sodinokibi targeted ransomware to victims. Eight organizations had the Cobalt Strike commodity malware on their systems, with three of the victims subsequently infected with the Sodinokibi ransomware. The victims infected with Sodinokibi were in the services, food, and healthcare sectors. The companies targeted in this campaign were primarily large, even multinational, companies, which were likely targeted because the attackers believed they would be willing to pay a large ransom to recover access to their systems. 


The attackers are aiming to make a lot of money - for victims infected with Sodinokibi the ransom requested is $50,000 in the Monero cryptocurrency if paid within the first three hours, and $100,000 after that.


Tactics, tools, and procedures


The attackers leverage legitimate tools in these attacks, and at one point we observed a legitimate remote admin client tool by NetSupport Ltd being used to install components during these attacks. In April, Symantec threat researchers found evidence of Sodinokibi attackers using similar tactics, when they spotted them using a copy of the AnyDesk remote access tool to deliver malware and other tools in at least two attacks.


The attackers in this campaign also use ‘legitimate’ infrastructure to store their payload and for their command and control (C&C) server. The attackers are using code-hosting service Pastebin to host their payloa ..
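A defender-side illustration of the two behaviours described above, added here and not part of the Symantec write-up: it correlates, per host, the start of a remote admin tool (the NetSupport and AnyDesk clients the article names) with a raw Pastebin fetch inside a short window. The telemetry lines, the `timestamp|host|kind|detail` format, and the binary names `client32.exe` and `AnyDesk.exe` are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): process-start and
# web-proxy events in a simple "timestamp|host|kind|detail" format.
SAMPLE_EVENTS = """\
2020-06-01T09:00:10|ws-17|process|C:\\Users\\a\\AppData\\Local\\Temp\\client32.exe
2020-06-01T09:03:42|ws-17|proxy|https://pastebin.com/raw/AbCd1234
2020-06-01T09:30:00|srv-db01|proxy|https://pastebin.com/raw/XyZ98765
2020-06-01T10:15:00|ws-22|process|C:\\Program Files\\AnyDesk\\AnyDesk.exe
2020-06-01T13:00:00|ws-22|proxy|https://www.example.com/index.html
"""

# Binary names for the remote admin tools the article mentions (assumptions).
REMOTE_ADMIN_BINARIES = {"client32.exe", "anydesk.exe"}
# Raw paste downloads are the pattern that matters for payload staging.
PASTE_RAW = re.compile(r"https?://(www\.)?pastebin\.com/raw/", re.I)


def parse_events(text):
    """Parse the pipe-delimited telemetry into (timestamp, host, kind, detail)."""
    events = []
    for line in text.splitlines():
        ts, host, kind, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


def find_suspicious_hosts(text, window=timedelta(hours=1)):
    """Return {host: [reasons]} for hosts showing the staging pattern."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in parse_events(text):
        by_host[host].append((ts, kind, detail))
    findings = {}
    for host, evs in by_host.items():
        # A remote admin tool on its own is legitimate and noisy; only the
        # combination with a raw paste fetch is escalated.
        tool_starts = [ts for ts, k, d in evs if k == "process"
                       and d.rsplit("\\", 1)[-1].lower() in REMOTE_ADMIN_BINARIES]
        paste_fetches = [ts for ts, k, d in evs if k == "proxy" and PASTE_RAW.search(d)]
        reasons = []
        if paste_fetches:
            reasons.append("raw pastebin fetch")
        if any(abs(p - t) <= window for t in tool_starts for p in paste_fetches):
            reasons.append("remote-admin tool start within 1h of pastebin fetch")
        if reasons:
            findings[host] = reasons
    return findings
```

Servers that have no business reaching paste sites (the `srv-db01` line) surface on the fetch alone, while workstations running a remote admin client are only escalated when the paste download follows.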
