Sodinokibi ransomware is now using a former Windows zero-day

A ransomware strain named Sodinokibi (also Sodin or REvil) is using a former Windows zero-day vulnerability to elevate itself to admin access on infected hosts.

The vulnerability, a privilege escalation flaw known as CVE-2018-8453, had been patched in the October 2018 Patch Tuesday Microsoft security updates after it had previously been used by a state-sponsored hacking group known as FruityArmor since August 2018.

CVE-2018-8453's use with the Sodinokibi ransomware follows a known industry trend where zero-days go from nation-state exploitation to day-to-day criminal operations.

But more surprising here is that the former zero-day was spotted alongside ransomware, rather than other forms of malware. In a report analyzing Sodinokibi, security researchers from Kaspersky have called the use of a privilege escalation flaw "rare among ransomware" because most ransomware usually doesn't employ such tricks.

Backdoor to Sodinokibi encryption

Furthermore, they've also made various other observations about Sodinokibi's modus operandi, including its use of the ancient Heaven's Gate technique to circumvent security solutions like firewalls and antivirus programs.

But the most interesting finding was the discovery of a "skeleton key" in the Sodinokibi code, which works as a backdoor to the encryption process, allowing the Sodinokibi creator to decrypt any file, regardless of the original public & private encryption keys used to lock a victim's data.

This type of mechanism suggests Sodinokibi is being distributed via a ransomware-as-a-service (RaaS) scheme, rather than being directly distributed by its creator(s).

Lots of GandCrab connections

Sodinokibi's rise comes just as the GandCrab ransomware had officially shut down all operations last month.

GandCrab was by far the most active ransomware operation, not only this year but also in 2018. Some members of the infosec community now view Sodinokibi as GandCrab's heir apparent. Others view it as a direct evolution, most likely created by the same group of developers. And there are clues to support that theory.

First, security researchers from Tesorion have highlighted similarities between GandCrab and Sodinokibi's code.

Second, the original Cisco Talos report that first detailed the Sodinokibi ransomware's operation mentioned that crooks were first deploying Sodinokibi on infected hosts, and then running GandCrab, as a backup measure, to make sure a victim's data was infected, in case Sodinokibi failed.

Third, back in February, a threat actor infected thousands of computers by hacking into MSPs (Managed Service Providers) and deploying the GandCrab ransomware. In June, the same thing happened again, but this time the hackers used Sodinokibi.

Fourth, the distribution efforts behind Sodinokibi intensified as GandCrab shut down, with Sodinokibi being distributed via malspam (email spam), exploit kits, and hacked MSPs, similar to how GandCrab used to be distributed in the past.

Fifth, there are those who believe that the GandCrab authors shut down their publicly advertised RaaS service but are still continuing to sell the Sodinokibi ransomware to a private clientele, away from the public eye, security researchers, and, most importantly, law enforcement.

At this point, all of these are just clues and no solid link between the two ransomware strains has been detailed, with some clues of a GandCrab-Sodinokibi collaboration happening months before GandCrab shut down.

This GandCrab-Sodinokibi is a detail that warrants more exploration in the coming months, and from security researchers with more insight into the ransomware world than this reporter.

Related malware and cybercrime coverage:

Comments are closed.