CyberWire Daily - Sodinokibi aka REvil connections to GandCrab. [Research Saturday]

Episode Date: November 16, 2019

Researchers at McAfee's Advanced Threat Research Team have been analyzing Sodinokibi ransomware as a service, also known as REvil. John Fokker is head of cyber investigations for McAfee Advanced Threat Research, and he joins us to share their findings. The research is here: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:36 I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Starting point is 00:02:19 Sodinokibi, the story was we first encountered it when we were doing our research into GandCrab. That's John Fokker. He's head of cyber investigations for McAfee Advanced Threat Research. The research we're discussing today is titled
Starting point is 00:03:29 McAfee ATR Analyzes Sodinokibi, aka REvil Ransomware as a Service, What the Code Tells Us. That was another ransomware version, very prolific in 2018, halfway into 2019. And at the end of GandCrab, we started to see some strange things in the affiliate structure, that people were missing. So we're like, where are the big players? Where did they go? And at that time, actually, one of our industry peers, I think it was Cisco,
Starting point is 00:03:56 they reported on Sodinokibi. They were using the WebLogic vulnerability, and it caught our attention. So I was like, that's interesting. They're doing some pretty sophisticated stuff and they're hitting targets. And we were also in contact with other industry peers and other companies doing IR and incident response. And the name kept popping up. Actually, I had some trouble pronouncing the name the first week when I encountered it. I think everybody does. And I'm familiar with that, yes. It really came up, and then it popped into the headline news that it was targeting MSPs, managed service providers.
Starting point is 00:04:45 And then it really caught our attention. We're like, well, we need to do something better and do some digging deeper into this, because it has similarities to GandCrab that we saw. But what is going on? We were curious to see what was behind Sodinokibi. Let's describe what we're talking about here. What is the basic functionality and purpose of Sodinokibi? Well, it's ransomware. And the basic purpose is extortion.
Starting point is 00:05:08 So they are hunting for victims, infecting victims. And what they do a little bit differently from the run-of-the-mill is that they try to infect a lot of victims within one network. So one of their specific targets, as I mentioned before, is MSPs, managed service providers. So they will try to go after a managed service provider, try to infect the managed service provider completely. They can do that using legitimate tools or pen test tools that you see. And when they've gained full control through the managed service provider, they try to reach out to their customers as well. So you have one node to many nodes, and then they infect them all at once. And by doing so, they get a really, really large victim base, and they have to pay up a big amount.
Starting point is 00:05:55 Either the victims pay themselves, or, they're evil enough, they also offer a price to the MSP, which is much, much higher, mostly tenfold higher, to get their data back. And they know who they are infecting. So they have knowledge of the victims to a certain extent. And what are you tracking here in terms of who they're targeting? Does it seem like they're focusing on anyone in particular? We've seen all things across the board, from, as you might have seen in the headline news, Texas municipalities, all the way to an MSP that's catering to dentist practices. But on the other end of the scale, and that's what we wrote about in one of our blogs, we also run a network of honeypots, and they managed to infect our honeypots as well. That's also one of the reasons why it got our attention. And these honeypots had an RDP weakness in them. So you
Starting point is 00:06:45 were able to break in by brute forcing the RDP credentials. And we saw some Sodinokibi being dropped on that as well. Well, let's walk through it together. There's a section here in your research about reversing the code. Can you take us through step by step what's going on? There's a lot of similarity to a lot of other ransomware versions. So they do the language check, and they check for certain languages. And if that language pack is installed or that keyboard setting is installed, for instance, former Soviet Union countries, we call them CIS countries, they wouldn't encrypt that system. Interestingly enough, Sodinokibi also has the Romanian or the Moldovan language pack,
Starting point is 00:07:22 which is currently used a lot in Romania as well, as well as Iran and Syria. And Syria we saw with GandCrab. And Iran is also interesting. We believe that it has to do with the affiliates, that they can select: I don't want my sample to encrypt any of my fellow countrymen. That's probably to evade prosecution. And when it's done all the checks and balances,
Starting point is 00:07:46 it will drop the virus. It's interesting that we could also see that they pulled down PowerShell code. They have all kinds of methodologies. We've seen several things, and they would lock down your whole system. And they're relatively quick in doing so, too. When they start to encrypt it,
Starting point is 00:08:02 they build a configuration file. And that configuration file has all the details for the virus, and that configuration file we'll be able to extract, and we can get some other telemetry from it. And it will tell you, like, okay, what files to exclude? What are the command and control server addresses to reach out to? What is the affiliate ID? What's the campaign ID, and things like that. When we compare it to GandCrab, because that was the other competitor, we see similarity in the way URLs are generated. And that has a very, very similar function, almost identical to the one
Starting point is 00:08:37 that's in GandCrab. That was for us an interesting observation, too. Yeah. Is the notion here that perhaps the folks who developed this had access to the source code for GandCrab? Yeah, you phrased it absolutely right. There's a lot of speculation going on between all the vendors, because everybody wants to state it. And I understand it. And from McAfee, and I have to say, we've done extensive research, the whole team, we toned down this, and you stated it absolutely correctly. There are functions within Sodinokibi that show a high similarity with GandCrab, and that could indicate that at some point they had either access to the source code, which could be the case, or some people will go as far as to say they're former developers, but
Starting point is 00:09:21 we don't have all those answers. But based on that, we do think that there has been some kind of sharing, and I'm not indicating voluntarily, but that there is a code overlap. So at some point in time, they have to have had access to portions of the code of GandCrab. It also has the functionality that it can work as a wiper. Yes, that is a function you could program in your config file, and then it wipes stuff. But it's detrimental to the whole ransomware campaign, because Sodinokibi actually is proud of the fact that their decryptor works really well. So if you wipe stuff, you won't get it back. And that's not in the interest of the actor, but it could hint at destructive purposes. So you could
Starting point is 00:10:05 repurpose Sodinokibi for even more evil deeds. But the indication that we have seen, it's mostly focused on financials. So they will always have a possibility to get your files back. And they're proud of that, too. Because a lot of ransomware, the crypto doesn't work right. I think the last time we spoke, we spoke about Ryuk, that they had a lot of mistakes in it. And so Sodinokibi is actually proud, like, hey, if you pay us, you'll get your files back. We have 100% or near 100% guarantee of decryption. It's interesting to think about the criminals hanging their hat on that, taking pride in their work in that sort of way. It is a very interesting dynamic, yes. In terms of the encryption itself, then, what's going on under the
Starting point is 00:10:47 hood, and what, in your estimation, is the level of sophistication that they're using here? Under the hood, it's very solid. We've been looking at GandCrab for a while. That was quite solid as well. We actually managed to build several vaccines. And for GandCrab, there were several decryptors. Their ransomware, their use of encryption, they know what they're doing. It's powerful. We haven't found any flaws yet. There's no public decryptors out there. So they know their stuff. They're good in that case. And what are they doing in terms of obfuscation and hiding themselves as they're going about their business? Well, it has several functions to do that. One of the interesting things is that it
Starting point is 00:11:26 downloads the actual payload. We see it going back to a Pastebin site. So it doesn't even, when you get infected first, it doesn't directly get delivered on your system, but your computer beacons out to a Pastebin site and pulls down the code from there. It has some privilege escalation techniques. It has several other functions. One of the privilege escalation techniques is CVE-2018-8453. Heaven's Gate. They're really on point. They do some pretty good stuff. And I'm not the most technical one, I have to admit. That's why it's a team effort. Our team, we have some really talented reversers, and he said as well, like, wow, I've looked at GandCrab and at other ransomware, but these guys know what they're
Starting point is 00:12:09 doing. They obfuscate strings inside their malware, all kinds of little tricks just to make it a little bit harder for our own reversers. And in terms of people protecting themselves against this, what are your recommendations? I would suggest getting a good AV. We do see that RDP is heavily targeted. So make sure your RDP access, if you have it, is locked down, or no access. Make sure you update and patch it, that you're not vulnerable to the latest exploit, the CVE-2019, was it, I think, 0708, or the BlueKeep vulnerability. I'm doing it just off the top of my head. And if you have managed service providers, because they predominantly target businesses,
Starting point is 00:12:54 have that frank discussion with your MSP and say, hey, how are you accessing my network? Are you using multi-factor authentication? Or are you just jumping in on a high privileged account? These are things that I think are very important to take a close look at the people who you trust within your network, within your organization, who you work with, your suppliers, and see how their security system is set up. And backups, obviously backups, and predominantly offsite when you have them, and have some backups not connected to the network. And the most essential stuff that you have to run your business, back that up and store it because these actors, they know where to look. If you have backups that are connected to the network, they know where to find that.
Starting point is 00:13:35 Do you have any sense for the growth of this? In other words, is the proliferation of Sodinokibi increasing, or are they staying about the same? Are they decreasing? How successful do you suppose they are? They're very successful. In one of our other blogs, we traced the income of a couple of actors, affiliates who openly stated that they're working for a new ransomware version. And we put two and two together that it has to be Sodinokibi. That is scary.
Starting point is 00:14:04 It's about $300,000 in one weekend. And one of the actors had a, well, I can call it like a cold store or his ransomware savings. And that was exceeding four and a half million dollars. So, we're dealing with people with deep pockets. That's the scary thought, that they have that type of stuff. And it's not slowing down. I look at the actors on the forums, and sometimes they say, well, okay, the developers might say, well, we'll take a break, or we need new people to join our program. But judging from and speaking to my industry peers, we see it come back and come back. And it's often in the headlines. And that's the words
Starting point is 00:14:41 and thought that they're successful at what they do. Yeah, it's interesting to me how ransomware has become sort of part of the ecosystem. It doesn't seem like it's going anywhere. No, no. Extortion is one of the oldest crimes. And I think one of the earliest forms of ransomware, they actually made you do a money transfer or wire transfer to a bank account in Panama. I think that was with the AIDS ransomware. With Bitcoin coming, we had the first affiliate programs with CryptoWall and CTB Locker. And now we see that there's more, with SamSam, the more targeted attacks are coming. And we're dealing with a maturity curve with the actors. It used to be that the actors trying to spread out the ransomware are not the most sophisticated, but we see a maturity curve of them as well.
Starting point is 00:15:30 And they're getting better and better. They're using exploits for remote management software to infect complete networks and systems. They have RDP cracking crews, as we call them. So they outsource the labor to other people who en masse try to break into computer systems by brute forcing RDP credentials. And from there, they actually act as a legitimate pentesting team, almost. I run a red team within McAfee, and they launch similar techniques, and they use similar tools as my team does, just in order to get a better feel of the network, get all the high-privileged accounts, get complete control. And when they
Starting point is 00:16:09 have that control, then they can launch their attacks. So it is evolving. It's scary. And I'm worried where it's going. Yeah. As you look towards the horizon, what do you see? Where do you suspect we are going? If you look at the horizon right now, we see from where we have the spray and pray attacks, where there's one system infected, now they're going to a whole network. The attention on local government and on corporate networks, I think in the short term or near future, I think an additional thing would be that they will try to milk that network even more. So before encrypting it, exfiltrating data, then encrypting it. And then later on, if it's sensitive information, or it's information at the end of the quarter, turn back to the company and say like, hey,
Starting point is 00:16:56 we've got this sensitive information for you. We stole this and we want to disclose this. So you have to pay us again, something like that. Or, because they are on a network and they're exposed to a lot of sensitive and maybe personal data, use and harvest credit cards of others, and that's already happening on a smaller scale with other ransomware versions as well. Harvest credit card credentials and all these things from the users on the network. So you could be an employee, and then all of a sudden you get a fraud charge on your card. And then two days or three days later, Sodinokibi hits, for instance. I think that's the stuff we might be seeing in the future. Our thanks to John Fokker from McAfee for joining us. The research is titled McAfee ATR Analyzes Sodinokibi, aka REvil Ransomware as a Service, What the Code Tells Us.
Starting point is 00:17:47 We'll have a link in the show notes. The CyberWire Research Saturday is proudly produced in Maryland out of the startup
Starting point is 00:18:41 studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
