A New York-based firm, Grubman Shire Meiselas & Sacks
that offers legal services to the entertainment and media industries including
Lady Gaga, Madonna, Elton John, Barbara Streisand, Bruce Springsteen, Mariah
Carey and Mary J. Blige and Priyanka Chopra, has been hit by a ransomware
attack.
Cybercriminals attack law firm using the REvil ransomware
(also known as Sodinokibi). Hackers are now threatening to release the 756
gigabytes of data allegedly stolen - including Telephone numbers, Email
addresses, non-disclosure agreements, client contracts and personal
correspondence. However, celebrity law firm is declining to settle up and now
attackers have multiplied the ransom request to $42 million and threatened to
publish the information they have claimed to have "a ton of dirty
laundry" about President Trump.
Since this information is in public domain, you can get
further update from any NEWS channel or websites. Here I'm going to share
complete details of REvil ransomware.
REvil
ransomware -
REvil, also known as Sodinokibi, Bluebackground, or Sodin,
is a ransomware that is backed by an underground affiliate program, uses wide range of tactics to distribute the
ransomware and earn 30% to 40% commission. It appeared in the first half of 2019.
It exploited vulnerabilities in remote services such as Oracle WebLogic platform
(CVE-2019-2725) and carried out attacks on MSP providers. Oracle vulnerability was easy for attackers to
exploit, as anyone with HTTP access to the WebLogic server could carry out an
attack.
Execution Method –
Hackers utilized the CVE-2019-2725 vulnerability to execute
a PowerShell command on Oracle WebLogic server. Doing so allowed them to upload
a dropper to the server, which then installed the payload — the Sodin
ransomware. Patches for the bug were released in April, however, a similar
vulnerability was discovered — CVE-2019-2729 later.
REvil gets onto users’ machines in different ways using
MSPs. In few examples, the attackers used the Webroot and Kaseya remote
access consoles to implant the Trojan. In other cases, hackers penetrated
MSP infrastructure using an RDP connection, gained privileges, deactivated
security solutions and backups, and then downloaded ransomware to client
computers.
Sodinokibi or REvil ransomeware collects some basic system
information and saves it to the registry with the generated encryption
parameters. If the dbg option is not in the config, the UI language
and keyboard layout values are checked, and the malware will simply exit on
systems.
Business Model –
Sodinokibi or REvil ransomeware works on Ransomware-as-a-Service
(RaaS) model. Sodinokibi has 41 active affiliates program. Each affiliate's
version of Sodinokibi gets customized with a unique ID so that they can receive
payments. Sodinokibi affiliates keep 60 to 70 percent of every ransom
payment.
In July 2019, Sodinokibi advertisers posted a
recruitment announcement on a popular hacking forum UNKN. They
mentioned in advertisement that they were looking for experienced individuals
to expand their activity and it was a private operation with "limited
number of seats" available.
The forum post stressed that it’s forbidden to do business
in the Commonwealth of Independent States (CIS) region, including Ukraine,
Russia, Belarus, and Moldova.
You can see below some of their attacks post their hiring
process.
§
August 2019, Sodin attack 22 local
administrations in Texas and demanded a collective ransom of $2.5
million.
§
August 2019 : Hacker attack a remote data
backup service and encrypted files from dental practices in the U.S.
§
December 2019 : Hacker hit another IT vendor serving hundreds of
dentistry practices, infecting clients’ computers by exploiting a vulnerable
remote access tool.
§
December 2019 : They claim that they attack against
the CyrusOne data center. As per UNKN claim, they have stolen files from the company before
encrypting their network.
§
December 2019 : Developers changed their ransom note
over the holidays to include a new message wishing the victims a "Merry
Christmas and Happy Holidays".
§
December 2019, they attack Travelex and the company has to take offline all its
computer systems.
§
January 2020 : Sodinokibi threatened to publish
data stolen from GEDIA Automotive Group, a German automotive supplier. They
published a MS Excel spreadsheet containing an AdRecon report with
information on an Active Directory environment.
§
February 2020 : the operators of the Sodinokibi
Ransomware (REvil) started urging
affiliates to copy their victim's data before encrypting computers .
§
February 2020 : the operators of Sodinokibi Ransomware published download
links to files containing what they claim is financial and work documents and customers' personal data stolen from U.S.
fashion house Kenneth Cole Productions.
Prevention –
We recommend the following actions to
prevent these kind of ransomware attack.
Ø
A little bit of extra vigilance and don’t open
dubious-looking emails.
Ø
Maintain up-to-date backups of the most
important files.
Ø
Take seriously the storing of passwords for
remote access.
Ø
Use two-factor authentication.
Ø
Log and centrally collect web, application, and
operating systems events.
Ø
Restrict the account access used to run the
WebLogic process.
Ø
Monitor for Egress network communications from
data center systems.
Ø
Unexpected activity of service or system
accounts (WebLogic user).
Ø
Scan and mitigate your vulnerability posture.
Ø
Restrict outbound Data Center communications.
Ø
Always ready for Disaster Recovery, including
maintaining and testing data backups and recovery.
Conclusion -
Sodinokibi, REvil, Sodin – regardless of what you call it, it's the dangerous
ransomware on the cyberthreat map now. The
REvil attackers use zero-day exploit to distribute ransomware and zero-day
exploitation technique could work on otherwise fully-patched systems. Its
developers seem to always have new unpredicted tricks up their sleeve, and perfect
crypto implementation means that victims must pay up otherwise they will lose
all their data.
