Original Release Date: 6/26/2020
The Sodinokibi ransomware variant, also known as REvil, is now scanning compromised networks for payment card and Point-of-Sale (PoS) software. Researchers at Symantec are unsure whether the threat actors are targeting this software to encrypt it or to extract payment card data and monetize it, either by using it directly or by selling it on underground forums. The attackers are using Cobalt Strike, a commercial post-exploitation toolkit widely abused as commodity malware, to gain a foothold and deliver the ransomware. Symantec observed Cobalt Strike on the systems of eight affected organizations, three of which were subsequently infected with Sodinokibi; the presence of Cobalt Strike on a network should therefore be treated as an active intrusion rather than an isolated malware detection. Recent Sodinokibi victims were in the services, food, and healthcare sectors. In late 2019, Sodinokibi became one of the first ransomware variants to steal victim data during operations and threaten to release it if the ransom demand is not met. Earlier this month (June 2020), the group's tactics evolved further: it now threatens to auction stolen data if the ransom is not paid.
The NJCCIC recommends that organizations follow the recommendations in the Ransomware: Risk Mitigation Strategies guide to reduce the risk of falling victim to ransomware and to limit the impact if they are victimized. This includes maintaining a comprehensive data backup plan that keeps multiple, regularly tested backups off the network, with at least one copy in a separate, secure location, so that backups cannot be encrypted or deleted by an attacker with access to the production network. Details on the recent Sodinokibi activity can be found in the Symantec blog post.