Home / Blog / Sodinokibi: prevention, identification and response

Sodinokibi: prevention, identification and response

Posted on 04/30/2020, by INCIBE
Sodinokibi

In a previous blogwe discussed the Sodinokibi ransomware and how it works. In it we saw how the RaaS (Ransomware as a Service) model posed a very favorable scenario for an increase in the number of these threats and their rapid spread, since it makes this service available to anyone willing to pay for it, without needing technical expertise.

If we add to this the sophistication, complexity and possibility of establishing persistence of this ransomware, it is necessary to make known some lines of action to be followed should fall victim to it.

Prevention

The best protection against this malicious code is prevention, since only by following recommendations and good practices will we avoid being affected or, at worst, mitigate the negative effects and consequences after a successful attack against our systems. Some of the most important ones are as follows:

  • Make back-ups often and keep them on offline media (offline backup), such as removable hard disks. Thus, the information is beyond the reach of a possible infection. We must remember that one of the ransomware’s primary missions is to make data recovery harder.
  • Keep the operating system and the applications updated. Regularly apply the patches and updates that operating system and software manufacturers periodically release to fix potential vulnerabilities that malware exploits in order to spread and run on outdated computers
  • Always keep antivirus software running and updated. Antivirus software is designed to stop the majority of actions attempted by malware. For effective protection, it’s necessary to keep the signatures updated.
  • Minimum privileges. Avoid using computers with accounts with administrator privileges. Assign users of those accounts with the minimum required permissions to run the programs and carry out their activities. This way, if the malicious code is executed, it will be limited to the possible changes and actions it tries to carry out on the infected computer. As we’ve discussed, the success of Sodinokibi lies in the possibilities of privilege escalation on the infected computer. Many of the threats against Windows systems can be prevented by using non-privileged credentials.
  • Minimum exposure. Limit the company's internal network exposure to the outside, or to information or services that do not need to be accessible from the outside. Firewall solutions should be deployed, to define the internal and external network perimeter, and correctly configured in order to allow exclusive access to necessary applications and services.
  • Installation of specific security applications. Deployment of specific applications, such as anti-spam filters, to reduce the risk of infection, since malicious emails are the main propagation vector of this ransomware. There are also programs that block certain types of code, such as Javascript, to prevent the execution of unauthorized code when visiting websites or opening malicious documents.
  • Network segregation. Segmentation of user computers and servers into different subnets to limit the spread of incidents. The separation of subnets must be done via firewalls with traffic filtering rules.
  • Awareness: Individuals using home or corporate devices should be aware of the risks involved in accessing suspicious sites or exchanging files from questionable sources, and have clear guidelines for identifying emails that contain malicious content or references to websites that might contain them.

Furthermore, in the corporate environment it is especially recommended to follow these additional preparation guidelines:

  • Keep policies and procedures updated. Especially those related to back-up copies, incident management, evidence collection and systems recovery.
  • Create and prepare a technical team capable of providing an effective response to security incidents of this kind.
  • Have updated contact information for members of the response team and internal staff, as well as other external assistance technicians, who may be involved in cyber incident management.
  • Conduct simulations of incidents of this type in order to train skills and validate the technical, operational, management and coordination procedures of the technical security incident response team.
  • Prepare a risk analysis that reflects this threat and include its management in the treatment plan to enable its mitigation.

Identification

Rapid ransomware identification is crucial in order to efficiently respond to the infection. We’ve already seen the various functions it has to hinder its detection by antivirus and other types of security software, such as intrusion detection systems (IDS), so it will be up to the users themselves to identify any suspicious behavior.

Some symptoms that could reveal a computer’s infection with Sodinokibi are:

  • Modification of the desktop background.
  • Intimidating messages for the person operating the computer or asking for payment in order to recover information.
  • Incoming and outgoing network connections by commonly unused ports and protocols.
  • Low performance in the operation of the computer.
  • Disabled operating system or program functions.
  • Delays when browsing the Internet or downloading files.
  • Security alerts from the operating system or antivirus solutions.

mensaje en castellano

- Ransom note. Source: Geek`s advice -

Response

If you suspect an infection of Sodinokibi or any other ransomware, it’s very important to act quickly. If one or more computers become infected for any reason, the response procedures that are carried out can limit the impact of the incident and quickly restart activity.

After detecting the incident and verifying that it’s a ransomware attack, the recommended response procedure is one that includes containment, mitigation, recovery and post-incident phases. Each one is detailed below.

Containment

The first measure is aimed at preventing ransomware from spreading to other systems, in other words, reducing the scope and stopping the spread.

  • Isolate the infected device: Once ransomware is found to have infected a computer, it can spread to others, so reaction time is crucial. It’s vital to disconnect the infected device from the network, the Internet and the rest of devices as quickly as possible.
  • Stopping the spread. Malicious code spreads quickly, and the computer on which the ransomware was found is not necessarily its initial access point, so immediate isolation of an infected computer does not guarantee that it is not present on other devices on the network. To effectively limit the scale of the spread, all devices suspected of being the malware’s entry point, and those where suspicious or abnormal behavior occurs, should be disconnected from the network.
  • Assessing the damages. In order to determine which devices have been infected, all files that have been recently created or renamed, those with strange file extension names, strange file names, or users who have problems opening files should be checked. In this sense, the goal is to create a complete list of all affected systems, including devices stored on the network.
  • Locating the source of the infection. To locate the source, it’s necessary to verify if there are warnings from the antivirus software, intrusion detection systems (IDS) or any active monitoring platform. Reviewing file shares that may have been encrypted can also provide valuable information in trying to locate the source computer of the infection. It is also possible to ask people who operate computers about their recent activity because most ransomware is introduced into systems via email, in messages with links and attachments, which require action by the person receiving it.
  • Identify the ransomware. It’s important to identify the ransomware variant that triggered the attack for mitigation and to confirm that it is Sodinokibi. The first check is to use the information included in the ransom note itself. If the variant is not identified, a conventional Internet search engine can be used to collect information on the data contained in the ransom note, such as e-mail addresses or the reference website. Specific pages specialized in identifying ransomware such as Europol's No More Ransom initiative can also be consulted, in which multiple antivirus manufacturers contribute: https://www.nomoreransom.org/. Another option is to check with the installed antivirus software’s manufacturer or distributor, since these entities usually make information and tools that enable the identification of the same available to their customers and the general public. Furthermore, support is provided by INCIBE-CERT for identifying ransomware in the managed incidents.

Mitigation

Once the ransomware is identified as Sodinokibi, the next step is to eradicate the infection. Depending on its configuration, this ransomware will create log entries to establish persistence in the compromised computer, storing a copy of itself that will run after each restart. Furthermore, it’s able to carry out other actions such as disabling certain security services. The most advisable option is to reinstall the operating system.

Another option is to contact the antivirus software manufacturer or distributor for instructions, or contact your CERT of reference for assistance.

Recovery

In order to restore the system and recover the files seized by Sodinokibi, paying the ransom demanded by the kidnapper shouldn’t even be considered, as there are no guarantees of recovering the information after making the payment, and this also encourages this type of crime.

Before reinstalling the system, we always recommend making a full copy of the disk with the encrypted information so that, if a free decryption solution is found in the future, you’ll be able to recover the data from the encrypted copy.

It's time to assess the available backups and begin the recovery process. The quickest and easiest way to do this is to restore computers and information, once the malicious code has been eradicated, by reinstalling the operating systems and other software and restoring data from the latest unaffected backup.

Post-incident

Once the system has been restored and it is confirmed that there are no traces of ransomware, proceed to analyze what may have caused it, identify the vulnerabilities that made it possible and define a plan of action that allows you to strengthen the system weaknesses, normally by increasing the technical security controls, introducing changes in the typology and network architecture, as well as reinforcing training and awareness plans. All in order to learn from mistakes so they don’t repeat themselves.

Conclusions

The best strategy to defend against attacks is to be prepared for them. Good anticipation will help effectively prevent these from affecting us and to know how to act in case, regrettably, they cannot be avoided.

To do this, in addition to implementing all available technical measures, it will be necessary for users to understand the recommendations and good practices for safe and responsible systems use, always with common sense.

It is worth mentioning that the groups that use Sodinokibi are modifying their behavior, carrying out massive exfiltration of data from the compromised systems prior to encryption. The stolen data is used to extort the affected person in exchange for avoiding the partial or total data dissemination, since this will make the security incident public. Stolen information, in addition to being used as public proof of the incident, can be used for marketing purposes by including confidential internal data and sometimes customer or supplier data.