
April 2021 Malware Trends Report



    This report is a monthly round-up from the Varonis Forensics Team documenting activity observed while responding to incidents, performing forensics, and reverse engineering malware samples. This report is intended to help you better understand the evolving threat landscape and adapt your defenses accordingly.

    Success Story of the Month

    One of our customers, a large manufacturing company, experienced a malware and ransomware infection and their key admin accounts were compromised.

    The manufacturer called the Varonis Forensics Team to investigate the infected machines, find the infected files, and help build a timeline of the malicious activity.

    The Forensics Team exported the event log and master file table (MFT) from the infected devices and found several suspicious files.

    The suspicious files contained malicious functionality and malware samples:

    • Variants of Qbot and Sodinokibi.
    • The payload for both malware variants came in the form of DLL files, which require specific parameters to execute.
    • The Sodinokibi ransomware was executed via a batch file that also turned off the Windows Defender features.
    • Both malware variants used registry values; the Qbot variant used them to maintain persistence.
    • Qbot also attempted to contact a C2 server, which was most likely used to download the ransomware.

    Our team helped the customer by:

    • Providing indicators of compromise (IOCs) of the malicious files to implement across the organization’s security solutions.
    • Reverse-engineering malware samples and providing a full and comprehensive malware report, including explanations about all the malware’s capabilities and functionality.
    • Utilizing Varonis to investigate alerts and verify that no other indicators of compromise were missed.
    • Correlating the known parts of the attack to the events recorded in the Varonis Data Security Platform.

    Deep dive into Sodinokibi

    GandCrab, the predecessor of Sodinokibi (AKA REvil), was first spotted in the wild in 2018 as part of a Ransomware as a Service (RaaS) campaign. It quickly became the most widespread ransomware that year due to its highly active authors and variant release frequency. It was also the first ransomware to use the exotic crypto coin “DASH”, which was additional proof that the authors were attempting to utilize paths less familiar to malware analysts and law enforcement.

    The first iterations of GandCrab could be easily decrypted using a decrypter that was released when these versions were actively being used. This simple decryption was made possible due to the server containing all the private keys being compromised, and the keys were exfiltrated. During the same week, threat actors released an updated version of the ransomware, and the server was hardened against similar attacks. i

    The ransomware authors’ persistence and perseverance did not end with GandCrab, and it’s very noticeable in their work on Sodinokibi. When it first emerged, it mainly used SMB-related vulnerabilities to exploit devices. It initially focused on Asian victims and later moved to Europe and North America. ii

    Case analysis – On April 2, 2021, a French electronics company confirmed in a statement that it was hit by Sodinokibi ransomware. The attackers’ ransom was $24 million in the form of Monero crypto coins. The attackers initially demanded half of the amount and doubled the sum after the company and the attackers did not reach an agreement. The attackers sent the company a sample of the leaked data (in a 7-Zip archive) as proof they were serious.

    The company claimed that no data was exfiltrated but did not disclose any information on whether the two parties had reached a deal. The negotiation is either still ongoing, or the attackers decided to drop the case. iii


    Case analysis – Apple

    On April 21, 2021, Sodinokibi attempted to extort the tech giant Apple. The Sodinokibi group was said to have attacked one of Apple’s business partners that manufactures their laptops.

    Bloomberg News reported the attack by Sodinokibi, which they describe as “their largest ever.” The authors of the Sodinokibi ransomware posted an update, originally in Russian, to a digital crime forum. According to the Tor page of the payment request, the ransom was $50 million and would double to $100 million if the sum was not paid by their specified time.

    This tactic pressures the victim to pay quickly. If victims fail to pay, attackers threaten to publish stolen data as leverage. This method renders backups and data copies ineffective since the data is not only encrypted but also exfiltrated.

    Sodinokibi then published — during an Apple event — blueprints of new Apple devices that were allegedly stolen during the attack and promised to release new data from the attack every day. iv

    Delivery and execution

    Different versions of Sodinokibi use different delivery methods. One of the more common methods is using phishing emails containing malicious links or files as an initial infection vector. When a victim accesses the links, a ZIP file is downloaded that contains an obfuscated JavaScript file. Once the victim executes the file, it will load a PowerShell script that attempts to perform UAC bypass and run the malware’s loader.

    The loader then decrypts the executable embedded in the memory of its process to inject it into an existing process. This executable contains the malware’s payload – the encryption of files found in the folders that the malware is configured to target. The configuration of the malware depends on the configuration file embedded in the executable. v

    Putting the malware under the magnifying glass

    The Varonis Forensics team analyzed a sample of Sodinokibi following a request from a customer. In this specific case, the malware was delivered in the form of a DLL. In the encryption phase, the malware used a session public/private key-pair for the encryption process. It also contains an encrypted configuration part, which determines which file extensions and which paths should or should not be encrypted.

    Every encrypted file has a string appended to its file name. This string is specific and unique to each victim device.

    The ransomware also drops a ransom note in each folder in which it encrypted files. The ransom note’s file name is made from the unique string, followed by “-readme.txt”.

    Varonis Detections

    Varonis’ threat detection products have several built-in threat models that can identify the malware variants mentioned during different stages of their activity:

    • “Crypto activity detected”: detects the creation of ransom notes on a file server.
    • “Immediate pattern detected: user actions resemble ransomware”: detects the encryption process of files on a file server without relying on known ransomware file names or extensions, enabling detection of new ransomware/data destroyer variants.
    • “Abnormal behavior: an unusual amount of data was uploaded to external websites”: detects the upload of the collected data to a website that is not under the organization’s domain by examining the amount of information sent.
    • “Potential phishing attack: access to a risky site where the domain name includes unusual characters”: detects when a user accesses a website that may contain malware, based on unusual characters in the website’s URL.
    • “Suspicious email: an email was received with a suspected malicious attachment”: detects when an email attachment might contain malicious code or link to a malicious website.
    • “Potential malicious file download was detected”: detects the download of a potentially malicious file.
    • “Potential malware infection: dropper identified”: detects the potential infection of the environment by a dropper malware, which can be used to download the next stages of malware.
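    The Sodinokibi naming pattern described above (a victim-unique string appended to each encrypted file, and a “<string>-readme.txt” note dropped in every encrypted folder) and the first two threat models in the list can be expressed as simple detection logic over file-server audit events. The following is an added example, not Varonis code or a Sodinokibi sample; the audit-line format, user names, paths and the “x7k2q9” token are constructed for the demo, and the known-extension set is taken from the IOC table in this report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
# Ransom extensions taken from this month's IOC table (lower-cased for matching).
KNOWN_RANSOM_EXTS = {".jessy", ".jdpr", ".gopher", ".reig", ".tirp", ".biden", ".ekvf", ".hanta"}
# Sodinokibi drops "<victim-unique string>-readme.txt" in every folder it encrypts.
RANSOM_NOTE_RE = re.compile(r"^([0-9a-z]{4,12})-readme\.txt$", re.IGNORECASE)
# Constructed file-server audit lines: "<ISO time> <user> <action> <path>[ -> <new path>]".
SAMPLE_LOG = """\
2021-04-21T10:02:10 corp\\bob rename \\\\fs1\\hr\\payroll.docx -> \\\\fs1\\hr\\payroll.docx.x7k2q9
2021-04-21T10:02:11 corp\\bob rename \\\\fs1\\hr\\benefits.pdf -> \\\\fs1\\hr\\benefits.pdf.x7k2q9
2021-04-21T10:02:12 corp\\bob rename \\\\fs1\\hr\\policy.docx -> \\\\fs1\\hr\\policy.docx.x7k2q9
2021-04-21T10:02:13 corp\\bob create \\\\fs1\\hr\\x7k2q9-readme.txt
2021-04-21T10:15:00 corp\\carol rename \\\\fs1\\eng\\spec.doc -> \\\\fs1\\eng\\spec.docx
2021-04-21T11:30:00 corp\\dave rename \\\\fs1\\eng\\plan.xlsx -> \\\\fs1\\eng\\plan.xlsx.reig
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, action, rest = line.split(" ", 3)
        src, _, dst = rest.partition(" -> ")  # renames carry "old -> new"
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": src, "new": dst or src})
    return events

def ransom_note_drops(events):
    # "Crypto activity detected": a ransom note created on the share -> (user, victim token)
    hits = []
    for e in events:
        m = RANSOM_NOTE_RE.match(PureWindowsPath(e["new"]).name)
        if e["action"] == "create" and m:
            hits.append((e["user"], m.group(1).lower()))
    return hits

def known_ioc_hits(events):
    # Resulting file name carries an extension from the IOC table -> (user, extension)
    return [(e["user"], PureWindowsPath(e["new"]).suffix.lower()) for e in events
            if PureWindowsPath(e["new"]).suffix.lower() in KNOWN_RANSOM_EXTS]

def rename_bursts(events, window=timedelta(seconds=30), threshold=3):
    # "User actions resemble ransomware": one user appends the same new extension to many
    # files in a short window; no dependence on a known note name or extension.
    seen = defaultdict(list)  # (user, appended extension) -> timestamps, in log order
    for e in events:
        if e["action"] == "rename" and e["new"].lower().startswith(e["path"].lower() + "."):
            seen[(e["user"], PureWindowsPath(e["new"]).suffix.lower())].append(e["ts"])
    return {u: ext for (u, ext), ts in seen.items()
            if any(ts[i + threshold - 1] - ts[i] <= window for i in range(len(ts) - threshold + 1))}
```

    Carol’s single rename changes the extension rather than appending one, so only Bob’s burst is flagged; the note token Bob’s activity drops matches the extension he appends, which is the Sodinokibi pattern the text describes.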

    New Variants Analyzed in April


    | Variant name | Popularity | Data-centric IOCs |
    | --- | --- | --- |
    | Dharma Ransomware | 3 | .Jessy |
    | Matrix ransomware | 3 | .JDPR |
    | Gopher Ransomware | 1 | .gopher |
    | STOP Djvu ransomware | 3 | .reig |
    | STOP Djvu ransomware | 3 | .tirp |
    | Dharma Ransomware | 3 | .biden |
    | Dharma Ransomware | 3 | .eofyd |
    | Dharma Ransomware | 3 | .pirat |
    | RunExeMemory Ransomware | 1 | .z8sj2c |
    | Xorist Ransomware | 2 | .sandboxtest |
    | Hakbit Ransomware | 1 | .PROM |
    | SFile Ransomware | 1 | .zuadr |
    | PewPew Ransomware | 1 | .optimus |
    | STOP Djvu ransomware | 3 | .enfp |
    | SFile Ransomware | 1 | .Technomous-zbtrqyd |
    | Dharma Ransomware | 3 | .bqd2 |
    | Makop Ransomware | 2 | .pecunia |
    | STOP Ransomware | 3 | .ekvf |
    | HiddenTear Ransomware | 3 | .HANTA |
    | Henri IV Ransomware | 1 | Ransom extension: .malwarehenri; ransom note: #DECRYPT MY FILES#.html |
    | Bagli Ransomware | 1 | .bagli |
    | Cm99v Ransomware | 1 | Ransom extension: .cm99v; ransom note: HOW-TO-DECRYPT-cm99v.txt |
    | Hard Ransomware | 1 | .hard |
    | Barboza Ransomware | 1 | Ransom extension: .[]; ransom note: !_!WHERE-IS-MY-FILES!_!.rtf |
    | Pirat Ransomware | 1 | .pirat |
    | STOP Djvu Ransomware | 3 | .ytbn |
    | Dharma Ransomware | 3 | .4o4 |
    | Dharma Ransomware | 3 | .ctpl |
    | WhiteBlackGroup Ransomware | 1 | .encrpt3d |
    | STOP Djvu Ransomware | 3 | .fdcz |
    | STOP Djvu Ransomware | 3 | .urnb |
    | Jormungand Ransomware | 1 | .glock |
    | Wintenzz Security Tool Ransomware | 1 | Ransom extension: .wintenzz; ransom note: BUY_WINTENZZ.txt |
    | VHD Ransomware | 1 | .beaf |
    | STOP Djvu Ransomware | 3 | .lmas |
    | GEHENNA Locker Ransomware | 1 | Ransom extension: .gehenna; ransom note: GEHENNA-README-WARNING.html |
    | Contact Ransomware | 1 | Ransom; ransom note: CONTACT-README-WARNING.html |
    | POLSAT Ransomware | 1 | .POLSAT |

    Top Attack Vectors Observed in April 2021
