Sodinokibi/REvil Ransomware Threat

Malware/Ransomware Threat details:

Name:                     Sodinokibi Ransomware

Description:           Sodinokibi (also referred to as Sodin, Sodi or REvil) is a ransomware strain first detected in April 2019 that has since become one of the most frequently distributed ransomware variants. It is operated as Ransomware-as-a-Service (RaaS): the code authors develop and maintain the malware, while affiliates distribute it, infect systems and collect the ransom. Sodinokibi doubles the demanded ransom if it is not paid within seven days. In the activity described here the attackers used the Cobalt Strike commodity malware to deliver Sodinokibi to targeted victims, and also scanned some victims' networks for credit card or point-of-sale (PoS) software. Eight organizations were found with Cobalt Strike on their systems; three of them were subsequently infected with Sodinokibi.

Reference URL:         

ATT&CK TECHNIQUES

T1195 Supply Chain Compromise

T1562.001 Impair Defenses: Disable or Modify Tools

T1036 Masquerading

T1070 Indicator Removal on Host

T1553.002 Subvert Trust Controls: Code Signing

IOCs URL/DOMAIN/HASH VALUE:

URL:

https://agrotecnicadelsur.es
http://agrotecnicadelsur.es/?a02023b=664016

DOMAIN:

agrotecnicadelsur.es
www.agrotecnicadelsur.es
maps.googleapis.com (listed with the observed activity, but this is a legitimate Google API endpoint: use it for correlation with the other indicators only, do not add it to a block list)

IP ADDRESS / NAME SERVER HOSTNAMES TO SEARCH FOR:

195.78.230.103
dns1.hispalisdns.com
dns2.hispalisdns.com
dns3.hispalisdns.com
(the three dns*.hispalisdns.com entries are hostnames, not IP addresses; search DNS and passive-DNS data for them rather than firewall logs)

HASH VALUES TO BLOCK:

File hashes (SHA-256):
f0a16b0224a24647e9e8cf2f6f4479d93c8fb540a7ca656023a41f399e6c69c2
963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e
e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec
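The following script is an added example (not part of the original advisory) showing how the URL, domain, IP and hash indicators above can be swept across log data. It matches hosts on exact or subdomain basis, case-insensitively and ignoring a trailing DNS dot, reports the legitimate maps.googleapis.com domain at "info" severity only, and treats SHA-256 values case-insensitively. The log lines, source addresses and file path in SAMPLE_LOG are constructed for the example and are not real telemetry.

```python
"""Sweep log lines for the Sodinokibi IOCs listed above (added example)."""
import re
from urllib.parse import urlparse

# Indicators copied from the URL / DOMAIN / IP / HASH lists above.
IOC_HOSTS = {
    "agrotecnicadelsur.es", "www.agrotecnicadelsur.es",
    "dns1.hispalisdns.com", "dns2.hispalisdns.com", "dns3.hispalisdns.com",
}
IOC_IPS = {"195.78.230.103"}
IOC_SHA256 = {
    "f0a16b0224a24647e9e8cf2f6f4479d93c8fb540a7ca656023a41f399e6c69c2",
    "963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e",
    "e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec",
}
# maps.googleapis.com is a legitimate Google endpoint; a hit on it alone is
# noise, so it is reported at "info" severity for correlation only.
CONTEXT_HOSTS = {"maps.googleapis.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def host_matches(host, iocs):
    """Exact or subdomain match; case-insensitive, trailing dot ignored."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def scan_line(line):
    """Return ordered, de-duplicated (severity, indicator) hits for one line."""
    hits = []
    # Hostnames inside URLs (proxy logs) and bare hostnames (DNS logs) are
    # treated identically; the regex over the whole line catches both.
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(line)]
    hosts += HOST_RE.findall(line)
    for h in hosts:
        if host_matches(h, IOC_HOSTS):
            hits.append(("high", h.lower().rstrip(".")))
        elif host_matches(h, CONTEXT_HOSTS):
            hits.append(("info", h.lower().rstrip(".")))
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("high", ip))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_SHA256:
            hits.append(("high", digest.lower()))
    return list(dict.fromkeys(hits))


def scan_log(lines):
    """Scan an iterable of log lines; return {'high': [...], 'info': [...]}
    where each entry is (line_number, indicator)."""
    report = {"high": [], "info": []}
    for n, line in enumerate(lines, 1):
        for severity, indicator in scan_line(line):
            report[severity].append((n, indicator))
    return report


# Constructed sample telemetry (not real logs): proxy, DNS, EDR and firewall.
SAMPLE_LOG = [
    "2019-06-21T09:12:01Z proxy src=10.0.0.12 GET http://agrotecnicadelsur.es/?a02023b=664016 200",
    "2019-06-21T09:12:03Z dns src=10.0.0.12 query=www.agrotecnicadelsur.es. type=A",
    "2019-06-21T09:12:04Z proxy src=10.0.0.12 GET https://maps.googleapis.com/ 200",
    "2019-06-21T09:13:10Z edr host=WS-12 file=C:\\Users\\Public\\a.exe "
    "sha256=F0A16B0224A24647E9E8CF2F6F4479D93C8FB540A7CA656023A41F399E6C69C2",
    "2019-06-21T09:13:11Z fw src=10.0.0.12 dst=195.78.230.103 dport=443 action=allow",
    "2019-06-21T09:14:00Z proxy src=10.0.0.33 GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    for severity, entries in scan_log(SAMPLE_LOG).items():
        for line_no, indicator in entries:
            print(f"{severity:4} line {line_no}: {indicator}")
```

Feed it real proxy, DNS, EDR or firewall exports one line at a time; the "high" entries are the ones to act on, and an "info" entry for maps.googleapis.com only matters when the same source also produced a "high" hit.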

YARA RULES

The following YARA rule was authored by the VMware Carbon Black Threat Analysis Unit (TAU) to catch Sodinokibi ransomware variants. Note that $s2, $s4 and $s5 (kernel32.dll, CreateThread, CloseHandle) occur in almost every Windows executable, so the "7 of ($s*)" condition effectively depends on the remaining strings, and the three hex patterns appear to be build-specific x86 code bytes; expect the rule to be tuned to the mid-2019 samples it was written against and to need re-validation on later builds.

rule Sodinokibi_ransomware_2019_Q3 : TAU ecrime ransomware
{
    meta:
        author = "Carbon Black TAU" //jmyers
        date = "2019-Jun-21"
        description = "Designed to catch Sodinokibi Ransomware Variants"
        link = ""
        rule_version = 1
        yara_version = "3.10.0"
        Confidence = "Prod"
        Priority = "Medium"
        TLP = "White"
        exemplar_hashes = "200d374121201b711c98b5bb778ab8ca46d334e06f2fc820a2ea7e70c251095e, 32a72f3bc54b65651ec263c11e86738299d172043a9cdd146001780501c75078"

    strings:
        $s1 = "\\BaseNamedObjects" wide
        $s2 = "kernel32.dll" wide ascii
        $s3 = "kernelbase.dll" wide
        $s4 = "CreateThread"
        $s5 = "CloseHandle"
        $s6 = "kexpand"
        $s7 = {E8 58 3F 00 00}
        $s8 = {FF 35 24 E0 01 10}
        $s9 = {40 3D 00 01 00 00}

    condition:
        7 of ($s*)
}
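To check the rule against a file, run yara with string output (yara -s rule.yar sample.bin) and look at which of $s1 to $s9 fired. The script below is an added example, not code from Carbon Black TAU, that emulates how the rule's nine strings and its "7 of ($s*)" condition evaluate: a text string with no modifier is searched as ASCII, "wide" means UTF-16LE, "wide ascii" accepts either, and the hex strings here contain no wildcards so they are literal byte sequences (real YARA hex strings also support ?? and [n-m] jumps, which this emulation does not implement). The two sample buffers are constructed for the example.

```python
"""Emulate how the Sodinokibi rule's strings and condition evaluate (added example)."""

# The nine strings from the rule above with their modifiers. A text string with
# no modifier is ASCII only; "wide" means UTF-16LE; "wide ascii" means either.
RULE_STRINGS = {
    "$s1": ("text", "\\BaseNamedObjects", {"wide"}),
    "$s2": ("text", "kernel32.dll", {"wide", "ascii"}),
    "$s3": ("text", "kernelbase.dll", {"wide"}),
    "$s4": ("text", "CreateThread", set()),
    "$s5": ("text", "CloseHandle", set()),
    "$s6": ("text", "kexpand", set()),
    "$s7": ("hex", "E8 58 3F 00 00", set()),
    "$s8": ("hex", "FF 35 24 E0 01 10", set()),
    "$s9": ("hex", "40 3D 00 01 00 00", set()),
}
THRESHOLD = 7  # condition: 7 of ($s*)


def encodings(kind, value, mods):
    """Byte patterns a YARA string expands to under its modifiers. The hex
    strings in this rule have no wildcards or jumps, so a literal byte
    sequence is exact (real YARA also supports ?? and [n-m]; not emulated)."""
    if kind == "hex":
        return [bytes.fromhex(value.replace(" ", ""))]
    patterns = []
    if "ascii" in mods or "wide" not in mods:   # no modifier defaults to ascii
        patterns.append(value.encode("ascii"))
    if "wide" in mods:
        patterns.append(value.encode("utf-16-le"))
    return patterns


def matched_strings(data):
    """Names of rule strings present in data, as `yara -s` would list them."""
    return [name for name, (kind, value, mods) in RULE_STRINGS.items()
            if any(pattern in data for pattern in encodings(kind, value, mods))]


def rule_matches(data):
    """Evaluate the condition `7 of ($s*)` over the string hits."""
    return len(matched_strings(data)) >= THRESHOLD


def build_sample(*fragments):
    """Constructed test buffer: the fragments separated by filler bytes."""
    return b"\x00PAD\x00".join(fragments)


# Constructed buffer carrying exactly 7 of the 9 strings ($s6 and $s9 absent).
SAMPLE_HIT = build_sample(
    "\\BaseNamedObjects".encode("utf-16-le"),     # $s1 wide
    b"kernel32.dll",                               # $s2 ascii alternative
    "kernelbase.dll".encode("utf-16-le"),          # $s3 wide only
    b"CreateThread", b"CloseHandle",               # $s4, $s5
    bytes.fromhex("E8583F0000"), bytes.fromhex("FF3524E00110"),  # $s7, $s8
)
# Same content, but kernelbase.dll only as ASCII: $s3 is declared "wide", so it
# no longer counts and the total drops to 6, below the threshold.
SAMPLE_MISS = SAMPLE_HIT.replace("kernelbase.dll".encode("utf-16-le"), b"kernelbase.dll")

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(label, matched_strings(buf), "->", rule_matches(buf))
```

The second buffer illustrates the practical point: a sample that stores kernelbase.dll as a narrow string, or is repacked so one of the hex code sequences changes, loses a string and the rule falls below its threshold, which is why the hex patterns should be re-checked against any new build before relying on this rule.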