Sodinokibi Ransomware Exploits Windows Bug to Elevate Privileges


The Sodinokibi ransomware is looking to increase its privileges on a victim machine by exploiting a vulnerability in the Win32k component present on Windows 7 through 10 and Server editions.

The file-encrypting malware stepped into the limelight in April when it started to exploit a critical vulnerability in Oracle WebLogic.

Global spread

Security researchers found that Sodinokibi, a.k.a. REvil, also exploits CVE-2018-8453, a vulnerability discovered and reported by Kaspersky that Microsoft patched in October 2018.

Kaspersky uses the name Sodin to refer to this strain of ransomware and telemetry data shows detections in small areas on the globe, most of them recorded in the Asia-Pacific region: Taiwan (17.56%), Hong Kong, and South Korea (8.78%).

Other countries where Sodinokibi was detected are Japan (8.05%), Germany (8.05%), Italy (5.12%), Spain (4.88%), Vietnam (2.93%), the U.S. (2.44%), and Malaysia (2.20%).

In a technical analysis on Wednesday, Kaspersky details how the malware manages to achieve SYSTEM privileges and describes how it functions.

“Stored in encrypted form in the body of each Sodin sample is a configuration block containing the settings and data required for the Trojan to work.”

The configuration block includes fields for the public key, ID numbers for the campaign and the distributor, a setting for overwriting data, file extensions that should not be encrypted, names of the processes it should kill, command and control server addresses, a ransom note template, and a field for using an exploit to get higher privileges on the machine.

Two separate encryptions for the private key

The Sodinokibi sample analyzed by Kaspersky uses a hybrid scheme to encrypt data, meaning that it applies a symmetric algorithm (Salsa20) for the files and elliptic curve asymmetric encryption for the keys.

The researchers found that the ransomware stores in the registry both the public key, which encrypts the data, and the private key for decrypting the files.

“When launched, the Trojan generates a new pair of elliptic curve session keys; the public key of this pair is saved in the registry under the name pk_key, while the private key is encrypted using the ECIES algorithm with the sub_key key and stored in the registry under the name sk_key.”

One peculiarity noticed by the researchers is that the private key is also encrypted with a second public key, which is encoded in the malware; the result is also saved in the registry.

The malware authors may have done this on purpose, so they can also decrypt the data, not just the operator that spreads Sodinokibi. It could be a precaution if the distributor disappears, or a way to get a larger cut of the profits.
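The registry behaviour described above can be hunted for in endpoint telemetry. The following is an added example, not code from Kaspersky or from the original article: it scans Sysmon Event ID 13 (registry value set) records for a single process that writes both pk_key and sk_key under the same key. The sample events, key paths, process names and the five-minute window are constructed assumptions; the article does not give the registry key path.

```python
from collections import defaultdict
from datetime import datetime, timedelta

KEY_VALUE_NAMES = {"pk_key", "sk_key"}   # value names given in the article
WINDOW = timedelta(minutes=5)            # assumption: both writes happen close together

def ev(eid, utc, guid, image, target):
    """Build one record using Sysmon's field names for registry events."""
    return {"EventID": eid, "UtcTime": utc, "ProcessGuid": guid,
            "Image": image, "TargetObject": target}

# Constructed sample events; key paths, GUIDs and image names are placeholders.
SAMPLE_EVENTS = [
    ev(13, "2019-07-04 10:00:01.120", "{A}", r"C:\Temp\sample.exe", r"HKLM\SOFTWARE\ExampleKey\pk_key"),
    ev(13, "2019-07-04 10:00:01.450", "{A}", r"C:\Temp\sample.exe", r"HKLM\SOFTWARE\ExampleKey\SK_KEY"),
    ev(13, "2019-07-04 10:00:02.000", "{B}", r"C:\Apps\other.exe", r"HKCU\Software\OtherApp\pk_key"),
    ev(12, "2019-07-04 10:00:02.100", "{B}", r"C:\Apps\other.exe", r"HKCU\Software\OtherApp\sk_key"),
    ev(13, "2019-07-04 09:00:00.000", "{C}", r"C:\Apps\slow.exe", r"HKCU\Software\Slow\pk_key"),
    ev(13, "2019-07-04 10:30:00.000", "{C}", r"C:\Apps\slow.exe", r"HKCU\Software\Slow\sk_key"),
]

def find_key_pair_writes(events, window=WINDOW):
    """Alert when one process sets both pk_key and sk_key under the same key within `window`."""
    seen = defaultdict(dict)   # (ProcessGuid, parent key) -> {value name: last write time}
    alerted, alerts = set(), []
    for e in sorted(events, key=lambda e: e["UtcTime"]):
        if e["EventID"] != 13:             # only "registry value set" events
            continue
        # Registry names are case-insensitive, so compare in lower case.
        parent, _, name = e["TargetObject"].lower().rpartition("\\")
        if name not in KEY_VALUE_NAMES:
            continue
        group = (e["ProcessGuid"], parent)
        seen[group][name] = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        times = seen[group].values()
        if len(times) == 2 and max(times) - min(times) <= window and group not in alerted:
            alerted.add(group)             # one alert per process and key
            alerts.append({"ProcessGuid": e["ProcessGuid"], "Image": e["Image"], "Key": parent})
    return alerts

if __name__ == "__main__":
    for alert in find_key_pair_writes(SAMPLE_EVENTS):
        print(alert)
```

A match on two value names alone is a lead for triage rather than a verdict, so the alert carries the process image and key path for follow-up.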

After encrypting the files, Sodinokibi appends a random extension that is different for each computer it infects. Both the key and the extension need to be entered on a website set up by the cybercriminals specifically for showing victims how much they have to pay to get their files back.

The malware discriminates between targets and terminates on computers with keyboard layouts specific to certain countries: Russia, Ukraine, Belarus, Tajikistan, Armenia, Azerbaijan, Georgia, Kazakhstan, Kyrgyzstan, Turkmenistan, Moldova, Uzbekistan, and Syria.

The information is gathered from Bleeping Computer.