GandCrab Out – Sodinokibi In! Meet The New Sodinokibi Ransomware (Jul 22, 2019)

The Ransomware-as-a-Service (RaaS) offering known as “Sodinokibi” was discovered approximately three months ago, and it appears to be filling the void left by the now-defunct GandCrab RaaS. Researchers believe Sodinokibi is more advanced than GandCrab. It is distributed through several vectors: exploitation of the Oracle WebLogic Server deserialization vulnerability CVE-2019-2725, malspam and phishing emails carrying malicious links and/or attachments, malvertisements that lead to the RIG exploit kit, and compromised managed service providers (MSPs), whose access to customer environments is abused to deploy the ransomware downstream. On an infected machine the desktop background is replaced with a notice that files have been encrypted, and the accompanying ransom note demands approximately $1,300 USD (0.13490081 BTC) for the decryptor.
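Because one of the listed delivery vectors is exploitation of WebLogic CVE-2019-2725, the first check a defender will want is whether internet-facing WebLogic instances have seen requests to the vulnerable web-service endpoint. The script below is an added example written for this briefing; it is not code from the original page or from any of the researchers cited. It parses constructed access-log lines in the Apache/nginx combined format and flags requests to `/_async/AsyncResponseService` (served by the wls9_async_response component that Oracle's alert for CVE-2019-2725 names) and to `/wls-wsat/`, which Oracle's mitigation for the same alert also told administrators to remove; treating the latter as in scope, the log layout, and the sample records are all assumptions of the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). These are made-up
# records for this example, not traffic captured from a real incident.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jul/2019:10:01:12 +0000] "GET /_async/AsyncResponseService?WSDL HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Jul/2019:10:01:15 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Jul/2019:10:02:01 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 0 "-" "python-requests/2.22"
192.0.2.44 - - [22/Jul/2019:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.64"
203.0.113.5 - - [22/Jul/2019:10:04:00 +0000] "POST /%5Fasync/AsyncResponseService HTTP/1.1" 202 0 "-" "Mozilla/5.0"
this line is not in combined log format and is skipped
"""

# Combined log format: client, identity, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) '
)

# Endpoints to watch. /_async/ belongs to the wls9_async_response component named
# in Oracle's alert for CVE-2019-2725. Including /wls-wsat/ (also removed by
# Oracle's published mitigation for that alert) is an assumption of this example.
WATCHED_PREFIXES = ("/_async/", "/wls-wsat/")


def normalize_path(raw_path):
    """Drop the query string and undo (double) URL-encoding so that
    /%5Fasync/ and /_async/ compare equal; lowercase for case-insensitive matching."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):  # double encoding is a common filter-evasion trick
        path = unquote(path)
    return path.lower()


def classify_request(method, raw_path):
    """'exploit_attempt' for a POST to a watched endpoint (the SOAP deserialization
    payload travels in a POST body), 'recon' for a GET to one (e.g. fetching the
    WSDL), None for anything else."""
    path = normalize_path(raw_path)
    if not path.startswith(WATCHED_PREFIXES):
        return None
    if method == "POST":
        return "exploit_attempt"
    if method == "GET":
        return "recon"
    return None


def find_weblogic_attempts(log_text):
    """Parse each line and return the records that touch a watched endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        kind = classify_request(m["method"], m["path"])
        if kind:
            hits.append({"ip": m["ip"], "ts": m["ts"], "kind": kind,
                         "path": normalize_path(m["path"]), "status": int(m["status"])})
    return hits


def sources_by_kind(hits, kind):
    """Count matching requests per client address, to see who is hammering the endpoint."""
    return Counter(h["ip"] for h in hits if h["kind"] == kind)


if __name__ == "__main__":
    hits = find_weblogic_attempts(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]:<14} {h["kind"]:<15} {h["path"]} -> {h["status"]}')
    print("POST sources:", dict(sources_by_kind(hits, "exploit_attempt")))
```

A hit on the POST path is not proof of compromise on its own; pair it with the WebLogic server's own logs and with whether the instance was patched against CVE-2019-2725 before the request arrived. Normalizing the path before matching matters because a naive string match on `/_async/` misses the percent-encoded variant in the last sample record.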

Recommendation: Always be on high alert while reading email, particularly when it originates from external senders and/or when the message is not expected. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Patch internet-facing Oracle WebLogic Server instances against CVE-2019-2725 and monitor them for exploitation attempts, and if an MSP has remote access into your environment, make sure that access is restricted and monitored, since compromised MSPs are one of the delivery paths for this ransomware. Additionally, it is important to have a comprehensive and tested backup solution in place for the unfortunate case of ransomware infection; backups should be kept offline or otherwise isolated from the production network, because ransomware routinely encrypts or deletes any backups it can reach, and restores should be exercised regularly rather than assumed to work.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.