This report is a monthly round-up from the Varonis Forensics Team documenting activity observed while responding to incidents, performing forensics, and reverse engineering malware samples. This report is intended to help you better understand the evolving threat landscape and adapt your defenses accordingly.
Success Story of the Month
One of our customers, a large manufacturing company, experienced a malware and ransomware infection and their key admin accounts were compromised.
The manufacturer called the Varonis Forensics Team to investigate the infected machines, find the infected files, and help build a timeline of the malicious activity.
The Forensics Team exported the event log and master file table (MFT) from the infected devices and found several suspicious files.
The suspicious files contained malicious functionality and malware samples:
- Variants of Qbot and Sodinokibi.
- The payload for both malware variants came in the form of DLL files, which require specific parameters to execute.
- The Sodinokibi ransomware was executed via a batch file that also turned off the Windows Defender features.
- Both malware variants used registry values, and the Qbot variant to maintain persistency
- Qbot also attempted to contact a C2 server, which was most likely used to download the ransomware.
Our team helped the customer by:
- Providing indicators of compromise (IOCs) of the malicious files to implement across the organization’s security solutions.
- Reverse-engineering malware samples and providing a full and comprehensive malware report, including explanations about all the malware’s capabilities and functionality.
- Utilizing Varonis to investigate alerts and verify that no other indicators of compromise were missed.
- Correlating the known parts of the attack to the events recorded in the Varonis Data Security Platform.
Deep dive into Sodinokibi
GandCrab, the predecessor of Sodinikibi (AKA REvil), was first spotted in the wild in 2018 as part of a Ransomware as a Service (RaaS) campaign. It quickly became the most widespread ransomware that year due to its highly active authors and variant release frequency. It was also the first ransomware to use the exotic crypto coin “DASH”, which was additional proof that the authors were attempting to utilize paths less familiar to malware analysts and law enforcement.
The first iterations of GandCrab could be easily decrypted using a decrypter that was released when these versions were actively being used. This simple decryption was made possible due to the server containing all the private keys being compromised, and the keys were exfiltrated. During the same week, threat actors released an updated version of the ransomware, and the server was hardened against similar attacks. i
The ransomware author’s persistence and perseverance did not end with GandCrab and its very noticeable in their work on Sodinokibi. When it first emerged, it mainly used SMB related vulnerabilities to exploit devices. It initially focused on Asian victims and later moved to Europe and North America. ii
Case analysis – On April 2, 2021, a French electronics company confirmed in a statement that it was hit by Sodinokibi ransomware. The attackers’ ransom was $24 million in the form of Monero crypto coins. The attackers initially demanded half of the amount and doubled the sum after the company and the attackers did not reach an agreement. The attackers sent the company a sample of the leaked data as (in a 7-Zip archive) proof they were serious.
The company claimed that no data was exfiltrated but did not disclose any information on whether the two parties had reached a deal. The negotiation is either still ongoing, or that the attackers decided to drop the case. iii
Case analysis – Apple
On April 21, 2021, Sodinokibi attempted to extort the tech giant Apple. The Sodinokibi group was said to have attacked one of Apple’s business partners that manufactures their laptops.
Bloomberg News reported the attack by Sodinokibi, which they describe as “their largest ever.” The authors of the Sodinokibi ransomware posted an update, originally in Russian, to a digital crime forum. According to the Tor page of the payment request, the ransom was $50 million and would double to $100 million if the sum was not paid by their specified time.
This tactic pressures the victim to pay quickly. If victims fail to pay, attackers threaten to publish stolen data as leverage. This method renders backups and data copies ineffective since the data is not only encrypted but also exfiltrated.
Sodinokibi then published — during an Apple event — blueprints of new Apple devices that were allegedly stolen during the attack and promised to release new data from the attack every day. iv
Delivery and execution
The loader then decrypts the executable embedded in the memory of its process to inject it into an existing process. This executable contains the malware’s payload – the encryption of files found in the folders that the malware is configured to target. The configuration of the malware depends on the configuration file embedded in the executable. v
Putting the malware under the magnifying glass
The Varonis Forensics team analyzed a sample of Sodinokibi following a request from a customer. In this specific case, the malware was delivered in the form of a DLL. In the encryption phase, the malware used a session public/private key-pair for the encryption process. It also contains an encrypted configuration part, which determines which file extensions and which paths should or should not be encrypted.
Every encrypted file has a string appended to its file name. This string is specific and unique to each victim device:
The ransomware also drops a ransom note in each folder in which it encrypted files. The ransom note’s file name is made from the unique string, followed by “-readme.txt”:
Varonis’ threat detection products have several built-in threat models that can identify the malware variants mentioned during different stages of their activity:
- “Crypto activity detected”: detects the creation of ransom notes on a file server.
- “Immediate pattern detected: user actions resemble ransomware”: detects the encryption process of files on a file server without relying on known ransomware file names or extensions, enabling detection of new ransomware/data destroyer variants.
- “Abnormal behavior: an unusual amount of data was uploaded to external websites”: detects the upload of the collected data to a website that is not under the organization’s domain by examining the amount of the information sent.
- “Potential phishing attack: Access to a risky site where the domain name includes unusual characters”: detects when a user accesses a website that may contain malware, based on unusual characters on the website’s URL.
- “Suspicious email: an email was received with a suspected malicious attachment”: detects when an email attachment might contain malicious code or link to a malicious website.
- “Potential malicious file download was detected”: detects the download of a potentially malicious file.
- “Potential malware infection: dropper identified”: detects the potential infection of the environment by a dropper malware, which can be used to download the next stages of malware.
New Variants Analyzed in April
|Variant name||Popularity||Data-centric IOCs|
|STOP Djvu ransomware||3||.reig|
|STOP Djvu ransomware||3||.tirp|
|STOP Djvu ransomware||3||.enfp|
|Henri IV Ransomware||1||Ransom extension:.malwarehenri
Ransom note: #DECRYPT MY FILES#.html
|Cm99v Ransomware||1||Ransom extension:.cm99v
Ransom note: HOW-TO-DECRYPT-cm99v.txt
|Barboza Ransomware||1||Ransom extension:.[firstname.lastname@example.org]
Ransom note: !_!WHERE-IS-MY-FILES!_!.rtf
|STOP Djvu Ransomware||3||.ytbn|
|STOP Djvu Ransomware||3||.fdcz|
|STOP Djvu Ransomware||3||.urnb|
|Wintenzz Security Tool Ransomware||1||Ransom extension: .wintenzz
Ransom note: BUY_WINTENZZ.txt
|STOP Djvu Ransomware||3||.lmas|
|GEHENNA Locker Ransomware||1||Ransom extension: .gehenna
Ransom note: GEHENNA-README-WARNING.html
|Contact Ransomware||1||Ransom extension:.contact
Ransom note: CONTACT-README-WARNING.html