Early Discovery & Structure
The Sangfor Security Team first detected this ransomware in early April 2019. It was identified as a variant of "DeepBlue", a ransomware family that appends a random extension to each encrypted file and changes the host's desktop background to navy blue after encryption; its code structure is inherited from GandCrab.



During the initial phase of activity, the attackers gained entry by exploiting vulnerabilities such as Atlassian Confluence server-side template injection (CVE-2019-3396), the Adobe Flash Player use-after-free (CVE-2018-4878) and Oracle WebLogic deserialization (CVE-2019-2725). That exploit chain was complex and reached only the small set of hosts running the vulnerable software, so the attackers' technique gradually evolved into a simpler and more efficient one: RDP brute-force.
The attack process is as follows. First, the attackers use brute-force scanning and similar techniques to gain a foothold on a weakly protected host in the network. They then upload hacking toolkits to perform further brute-force scanning or password extraction across the internal network, and select critical servers and PCs for encryption. The whole process can be summarized as "first breach one host, then take the entire network," as shown below:
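The "first breach one host" step leaves a recognizable trace in Windows Security logs: a burst of failed RDP logons (event 4625, LogonType 10) from one source, followed by a successful RDP logon (event 4624, LogonType 10) from the same source. The detection below is an added example written for this article, not Sangfor's or the ransomware operators' code. The log records are constructed for the example and the field names (`ts`, `event_id`, `logon_type`, `src_ip`, `user`, `host`) are assumptions; a real collector such as Winlogbeat or NXLog names the fields differently but carries the same values.

```python
"""Detect RDP brute-force followed by a successful logon from the same source.

Example code added for illustration; not part of the original article.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Security-log records in JSON-lines form (not real data).
# 203.0.113.45 fails six times against FILESRV01, then logs on as Administrator.
# 198.51.100.9 is a single network (LogonType 3) failure; 10.0.0.7 is a normal
# RDP logon with no preceding failures.
SAMPLE_LOG = """\
{"ts": "2019-04-12T02:10:01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "administrator", "host": "FILESRV01"}
{"ts": "2019-04-12T02:10:09", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "admin", "host": "FILESRV01"}
{"ts": "2019-04-12T02:10:17", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "backup", "host": "FILESRV01"}
{"ts": "2019-04-12T02:10:24", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "sqlsvc", "host": "FILESRV01"}
{"ts": "2019-04-12T02:10:33", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "Administrator", "host": "FILESRV01"}
{"ts": "2019-04-12T02:10:40", "event_id": 4625, "logon_type": 3, "src_ip": "198.51.100.9", "user": "jsmith", "host": "PC-0023"}
{"ts": "2019-04-12T02:10:48", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "Administrator", "host": "FILESRV01"}
{"ts": "2019-04-12T02:11:02", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.0.7", "user": "jsmith", "host": "FILESRV01"}
{"ts": "2019-04-12T02:11:15", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.45", "user": "Administrator", "host": "FILESRV01"}
"""

RDP_LOGON = 10   # Windows LogonType 10 = RemoteInteractive (RDP)
EVT_FAILED = 4625
EVT_SUCCESS = 4624


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag any source IP with >= threshold failed RDP logons inside a sliding
    window, and escalate the alert to 'compromised' if the same source then
    logs on successfully over RDP while failures are still inside the window.
    Returns one alert dict per flagged source."""
    failures = defaultdict(deque)   # src_ip -> timestamps of recent 4625s
    flagged = {}                    # src_ip -> alert dict
    for ev in events:
        if ev.get("logon_type") != RDP_LOGON:
            continue                # only RDP logons matter here
        ip, ts = ev["src_ip"], ev["ts"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures that fell out of the window
        if ev["event_id"] == EVT_FAILED:
            recent.append(ts)
            if ip in flagged:
                flagged[ip]["failures"] += 1
            elif len(recent) >= threshold:
                flagged[ip] = {"src_ip": ip, "host": ev["host"],
                               "failures": len(recent), "first_seen": recent[0],
                               "compromised": False, "account": None}
        elif ev["event_id"] == EVT_SUCCESS and ip in flagged and recent:
            # Success while failures are still in the window: foothold gained.
            flagged[ip]["compromised"] = True
            flagged[ip]["account"] = ev["user"]
    return list(flagged.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

The threshold and window are deliberately low for the sample; in production tune them per host role and treat the "compromised" alert, not the raw failure count, as the trigger for isolating the host and blocking port 3389 from the source.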




The outbreak of Sodinokibi is mainly due to its industrialized operation: the ransomware is run by a team in which each member has defined duties and is paid according to individual performance. Once executed on a compromised host, it drops a .txt ransom note with a random name of the form xxx-readme.txt, as shown below:
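Two artefacts described above are useful for incident triage: the ransom note named `<random>-readme.txt`, and the random extension appended to encrypted files. The script below is an added example for this article, not Sangfor's tooling; it walks a set of paths, collects ransom notes and tallies unfamiliar extensions so the random suffix stands out as the one that appears on many files. The sample paths are constructed, the note-name character set and length in `NOTE_RE` are assumptions, and `COMMON_EXT` is an illustrative allowlist to be tuned per estate.

```python
"""Triage a file tree for ransom notes and a random encryption suffix.

Example code added for illustration; not part of the original article.
"""
import os
import re
from collections import Counter

# Ransom note pattern "<random id>-readme.txt". The id alphabet and length
# (4-12 lowercase alphanumerics) are an assumption for this example.
NOTE_RE = re.compile(r"^[0-9a-z]{4,12}-readme\.txt$", re.IGNORECASE)

# Extensions expected on a typical file server. Anything outside this set that
# appears on many files is a candidate random encryption suffix. Assumption:
# tune this allowlist for the environment being examined.
COMMON_EXT = {".txt", ".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png",
              ".exe", ".dll", ".log", ".bak", ".mdf", ".zip", ".csv"}

# Constructed sample listing (forward slashes so it parses on any OS).
SAMPLE_PATHS = [
    "D:/share/finance/Q1-report.xlsx.t5h8k2",
    "D:/share/finance/budget.docx.t5h8k2",
    "D:/share/finance/t5h8k2-readme.txt",
    "D:/share/hr/contracts.pdf.t5h8k2",
    "D:/share/hr/staff.csv.t5h8k2",
    "D:/share/hr/t5h8k2-readme.txt",
    "D:/share/it/backup.bak.t5h8k2",
    "D:/share/it/inventory.xlsx.t5h8k2",
    "D:/share/it/notes.txt",
    "D:/share/it/installer.exe",
    "D:/share/it/scratch.tmp",
]


def triage(paths, min_files=5):
    """Return ransom notes found and candidate random suffixes, i.e. extensions
    outside COMMON_EXT seen on at least min_files files, most frequent first."""
    notes = []
    suffixes = Counter()
    for p in paths:
        name = os.path.basename(p)
        if NOTE_RE.match(name):
            notes.append(p)
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext and ext not in COMMON_EXT:
            suffixes[ext] += 1
    candidates = [(ext, n) for ext, n in suffixes.most_common() if n >= min_files]
    return {"notes": notes, "suffix_candidates": candidates}


def scan_tree(root):
    """Yield every file path under root (os.walk does not follow symlinks)."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)


if __name__ == "__main__":
    # Run on the constructed sample; replace with triage(scan_tree(r"D:\share"))
    # on a live (read-only mounted) volume.
    print(triage(SAMPLE_PATHS))
```

Run it against a read-only copy or mounted image of the affected volume, not the live host, so that triage does not alter timestamps the forensic timeline depends on. The dominant unknown suffix and the note locations together give the scope of encryption and the earliest affected share.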


The Sodinokibi ransom is high, ranging from 3 to 6 bitcoin. Its primary targets are large and medium-sized enterprises. The attackers aim to paralyze critical business networks, forcing organizations to pay the ransom to recover their core business services.
Because the attack is industrialized, every participant profits. While tracking this ransomware, the Sangfor Security Team found that when a victim transfers bitcoin to the attacker's wallet, the ransom is immediately forwarded to the other participants' wallets.
After a successful attack and payment, the ransom is split across four different electronic wallets in two batches. These four wallets belong to the ransomware author, the integrated platform provider, the online customer-service personnel and the hacker group, respectively, as shown below:

The majority of the ransom from each attack goes to the attacker and the event organizer. The attacker is an individual or penetration team that professionally compromises enterprises and contributes the most to the incident; any individual or team may join, working like a sales force that earns a considerable share of every "order". The organizer connects the different roles and coordinates all operations, and therefore receives the largest portion of the ransom.



The prevalence of this ransomware poses a great risk to business systems. Sangfor has developed a complete solution built around vulnerability management and response efficiency. Weaknesses in computers and servers (unpatched vulnerabilities, weak passwords and unnecessarily open ports) are the root cause of and entry point for ransomware, even when an organization's core servers are themselves protected against brute-force attacks and weak passwords, because the attacker first compromises a weaker host and moves through the network from there. Ransomware also differs from ordinary malware in that it does its damage within a short window, so remediation must be professional, efficient and performed as quickly as possible to minimize impact.
The Sangfor Security Team Recommends:
1. Fix vulnerabilities quickly by installing the corresponding patches on the host.
2. Back up critical data files regularly to other hosts or storage devices.
3. Do not click on any email attachment from unknown sources and do not download any software from untrusted websites.
4. Disable unnecessary file sharing.
5. Use strong passwords and do not reuse the same password across multiple computers, so that one compromised credential cannot be used to take over a series of hosts.
6. Disable RDP if it is not required for your business. If hosts are under attack, use Sangfor NGAF or EDR to block port 3389 and stop the ransomware from spreading.
7. Sangfor NGAF and EDR can prevent brute-force attacks. Turn on brute-force attack prevention on NGAF and enable Rules 11080051, 11080027 and 11080016. Turn on brute-force attack prevention on Sangfor EDR.
8. For Sangfor NGAF customers, update NGAF to version 8.0.5 and enable AI-based Sangfor Engine Zero to achieve the most comprehensive protection.
9. Deploy Sangfor security products and connect to cloud-based Sangfor Neural-X to detect new threats.
10. Subscribe to the Sangfor Security Operations service to strengthen your existing security system and check security policies, threats, risks, relevant vulnerabilities and more, while subsequently updating policies to enhance security protection.
In the event of a ransomware intrusion, you may reach us by any of the following means for free consultancy and support:
1) Call us at +60 12711 7129 (7511)
2) Follow Sangfor Tech Support public account on WeChat.
3) Visit Sangfor Community (http://community.sangfor.com) Live Chat.