Sodinokibi Ransomware
The Sodinokibi Ransomware is a file-locker Trojan that is targeting vulnerable servers using any of several Oracle Fusion Middleware product currently. Since there is a patch for this issue, server admins should install the update immediately to prevent the Trojan from locking their files with encryption. Corporate users are at high risk from an attack and having a backup is the only recovery method that malware experts can endorse, along with keeping anti-malware tools for removing the Sodinokibi Ransomware.
Getting a Taste of Ransom-Soaked Grain
A new file-locker Trojan that doesn't seem like an immediate offspring of Ransomware-as-a-Service families like the Scarab Ransomware or the Globe Imposter Ransomware is seeing significant distribution against vulnerable corporate entities. The Sodinokibi Ransomware, whose name translates from Japanese to 'ground millet,' is taking advantage of a software weakness almost as soon as it became public in late April. However, only servers using Oracle Fusion Middleware are at risk.
The attacks are leveraging a critical deserialization issue, CVE-2019-2725, that gives threat actors the leeway for executing commands remotely, and affects WebLogic versions 10.3.6 and 12.1.3. This exploit lets them drop and install Trojans like the Sodinokibi Ransomware or, in one unusual follow-up case, the GandCrab Ransomware. Although it was, at first, a zero-day exploit, the observation of the Sodinokibi Ransomware campaign's abusing it prompted action from Oracle Corporation, which is providing a security update.
Some of the Sodinokibi Ransomware's features that malware experts can confirm being present include locking files with an unknown encryption algorithm, wiping the ShadowVolume Copy backups through shell commands, adding extensions to the hostage documents and other media, and leaving behind a Notepad ransoming message. The latter is asking for a minimum of over a thousand USD for the unlocking help of the campaign's threat actors with a deadline before the cost doubles.
Pouring Out Your Bowl of the Sodinokibi Ransomware
Because the Sodinokibi Ransomware's campaign is targeting corporate entities for its exploitation, server administrators in vulnerable companies should be watchful over any infection vectors. Servers with the affected software should receive the relevant updates immediately, along with scans for verifying no placement of threats beforehand. Unlike most infection techniques that malware experts see in use, a vulnerability like CVE-2019-2725 doesn't require a victim's clicking on a corrupted file or, otherwise, assisting directly with the installation of a threat.
Users that interrupt the Sodinokibi Ransomware in the middle of its attack may prevent the complete deletion of any Shadow Volume Copies or default Windows backups. This recovery option is, however, obviously, far from a guarantee, and malware experts have yet to analyze the Sodinokibi Ransomware's encryption algorithms for estimating the decryption possibilities. Keep backups of your servers and other files on appropriately secure and external devices, and use standard anti-malware products for uninstalling the Sodinokibi Ransomware or blocking an infection attempt.
A Trojan assault isn't always the fault of the defender even though the 'safe bet' inclines in that direction. Sometimes, the only responsible factor is a structural flaw in software that only its developers – and criminals – know exists.
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.