The threat actor behind the Sodinokibi ransomware was observed scanning the victim networks for credit card or point of sale (POS) software.
Sodinokibi, Symantec’s security researchers reveal, was found on the networks of three organizations that had been previously infected with the Cobalt Strike commodity malware.
An off-the-shelf tool, Cobalt Strike is employed by a broad range of threat actors, including multiple ransomware gangs. Even WastedLocker, the most recent ransomware developed by Dridex operators, is being distributed using a Cobalt Strike loader.
The Sodinokibi ransomware was deployed on the environments of organizations in the services, food, and healthcare sectors, which appear to have been chosen due to their size (they are primarily large, even multinational), as the attackers were looking to receive large ransom payments.
Victims were asked to pay $50,000 in the Monero cryptocurrency, if the ransom is paid within the first three hours. After that, the ransom amount would increase to $100,000.
Legitimate tools, Pastebin, and Amazon’s CloudFront service were used to perform attacks, host the payloads (the Cobalt Strike malware and Sodinokibi), and for command and control (C&C) purposes, respectively.
After compromising a network, the attackers would attempt to disable security software to minimize chances of being detected. They would also enable remote desktop connections and target credentials to maintain persistence.
The Sodinokibi ransomware was deployed on the systems of three organizations. Of the three, two victims (in the services and food industries) were large, while the last (a healthcare organization) appears to have been a smaller operation.
The security researchers discovered that the attackers also scanned the ..
Support the originator by clicking the read the rest link below.
