Published on July 5th, 2019 📆 | 5545 Views ⚑
0Sodin Ransomware Exploits Windows Vulnerability to Elevate Privilege
https://www.ispeech.org/text.to.speech
Researchers discovered a new Sodin Ransomware (also known as Sodinokibi) that exploits the Windows Elevation privilege vulnerability resides in the Win32k component.
Sodin ransomware initial attack spotted in April 2019 when it was distributed through an Oracle Weblogic vulnerability to attack MSP providers.
Now it turns into a new form of attack by exploiting the Windows vulnerability, and targeting victims were located in the Asia-Pacific region: Taiwan, Hong Kong, and South Korea.
Researchers named the ransomware as Trojan-Ransom.Win32.Sodin that is using the vulnerability (CVE-2018-8453) in Win32k to escalate the highest level of privileges.
The vulnerability initially reported by Kaspersky and the Microsoft fixed this vulnerability was fixedĀ on August 17, 2018.
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode then install programs, view, change, or delete data; or create new accounts with full user rights.
Sodin Ransomware Infection Process
Attackers configured the initial stage of Trojan distributed with encrypted form and the configuration block containing the settings and data.
Attackers employed the Salsa20 symmetric stream algorithm to encrypt the victimās files and the keys for it with an elliptic curve asymmetric algorithm.
According to Kaspersky research, āOnce the Trojan gets launched, it generates a new pair of elliptic curve session keys, in which the public key of this pair is saved in the registry under the nameĀ pk_key and the private key is encrypted using the ECIES algorithmĀ and stored in the registry under the nameĀ sk_key.ā
Once the Sodin Ransomware starts the encryption process, it will generate the new paid of elliptic curve asymmetric keys, and the symmetric key will encrypt the victims file contents with the Salsa20 algorithm.
After the ransomware completely encryption the files, the new extension will be applied in each file and the ransom note is saved next to it while malware-generated wallpaper is set on the desktop.
Meanwhile, behalf of network communication, Trojan sends information about the infected machine to the attackerās command and control server and the sending data is also encrypted.
Attackers instruct to pay the ransom amount by giving a website, in which victims find the step to recover the decryption key to unlock the encrypted files.
Download:Ā Free GDPR Comics Book ā Importance of Following General Data Protection Regulation (GDPR) to protect your Company Data and user privacy
You can follow us onĀ Linkedin,Ā Twitter,Ā FacebookĀ for daily Cybersecurity updates also you can take theĀ Best Cybersecurity course onlineĀ to keep yourself updated.
Also Read:
NCSC Issued an Emergency Alert for Ryuk Ransomware that Actively Attacks on Global Organizations
End of GandCrab ā New Free Decryptor Tool that let Victims to Unlock All versions of Ransomware Infection
Ransomware Attack Response and Mitigation Checklist
Gloss