Ransomware Alert: GandCrab Variant Sodinokibi Causing Blue Screen

09/05/2019 12:12:03

Just days ago, the Sangfor security team, acting on customer feedback, became aware that several customers' networks had been intruded by ransomware. Careful analysis revealed that the newest variant of GandCrab, since named Sodinokibi, was causing the blue screens reported by customers.

Sodinokibi ransomware is similar to GandCrab in code design and function. It employs anti-debugging (including continuous debugger checks) and obfuscation techniques, uses RSA and AES algorithms to encrypt files, appends a random character string to each file name as an extension, and replaces the wallpaper with a dark blue picture bearing a threatening title. Sodinokibi drops a ransom note file named after the encrypted extension, "<encrypted extension>-readme.txt" or "<encrypted extension>-HOW-TO-DECRYPT.txt".

At this early stage of its discovery, files encrypted by the virus cannot be decrypted. Customers in various industries, including but not limited to government, healthcare and education, in several provinces have been affected, and all must remain alert and vigilant for this virus.

Infection Analysis
The Sangfor security team discovered that the GandCrab variant Sodinokibi employs a variety of infection methods. Sangfor has identified the following intrusion vectors so far, and expects more to be found in the near future.
1. Exploit vulnerability (CVE-2019-3396) in Confluence
2. RDP brute-force
3. Exploit vulnerability in FCKeditor
4. Exploit WebLogic wls9-async deserialization remote code execution vulnerability

These particular attackers have been quite active recently, exploiting various vulnerabilities to spread the virus and infecting a great number of endpoint devices. Sangfor also suspects they are developing new virus variants for release in the near future.

Virus Analysis
1. The virus sample is packed with several layers of encryption. Decrypting it reveals the first-layer payload code and then the core code of the ransomware payload, as shown below:
2. Sodinokibi then escalates process privileges.

3. Ransom notes are decrypted from memory and a random file name is generated in the following format: a randomly chosen digit string with "-readme.txt" appended, as shown below:
4. It traverses processes and terminates mysql.exe processes.

5. Commands are executed through cmd.exe to delete the disk volume shadow copies, as shown below:
6. Sodinokibi traverses local disk directories and shared directories, and encrypts the files it finds with RSA and AES algorithms, as shown below:
7. A ransom note is generated as an image, and the desktop background is changed to that image.

8. A domain is selected from the decrypted domain list, a URL connection is made, and data is sent to the connected URL.
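The behaviours in steps 3, 4 and 5 (ransom notes named "<random string>-readme.txt" or "-HOW-TO-DECRYPT.txt", mysql.exe being terminated, and shadow copies deleted via cmd.exe) are observable on an endpoint before any C2 traffic is seen. The following Python script is an added example, not code from Sangfor or from this report: it runs simple indicator rules over a few constructed Sysmon-style events and flags hosts where more than one indicator co-occurs. The report does not show the exact shadow-deletion command line, so the vssadmin/wmic forms matched here are an assumption; the event tuples, host names and file paths are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events: (event_type, host, detail). Not real telemetry.
SAMPLE_EVENTS = [
    ("ProcessCreate", "host-a", r"C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet"),
    ("ProcessCreate", "host-a", r"C:\Windows\System32\cmd.exe /c wmic shadowcopy delete"),
    ("ProcessTerminate", "host-a", r"C:\Program Files\MySQL\bin\mysql.exe"),
    ("FileCreate", "host-a", r"C:\Users\alice\Documents\7t2k9q1z-readme.txt"),
    ("FileCreate", "host-a", r"C:\Users\alice\Documents\7t2k9q1z-HOW-TO-DECRYPT.txt"),
    ("ProcessCreate", "host-b", r"C:\Windows\System32\cmd.exe /c dir C:\Users\bob"),
    ("FileCreate", "host-b", r"C:\Users\bob\Documents\readme.txt"),
]

# Assumed command forms for volume shadow copy deletion; the report shows
# cmd.exe deleting shadows but not the exact command line.
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)
# Ransom note name: random character string + "-readme.txt" / "-HOW-TO-DECRYPT.txt".
# A plain "readme.txt" without the random prefix and hyphen does not match.
RANSOM_NOTE_RE = re.compile(r"^[a-z0-9]{4,}-(?:readme|how-to-decrypt)\.txt$", re.I)
# The report states that mysql.exe processes are terminated.
MYSQL_RE = re.compile(r"(?:^|\\)mysql\.exe$", re.I)


def classify_event(event_type, detail):
    """Return an indicator name for one event, or None if it looks benign."""
    if event_type == "ProcessCreate" and SHADOW_DELETE_RE.search(detail):
        return "shadow_copy_deletion"
    if event_type == "ProcessTerminate" and MYSQL_RE.search(detail):
        return "mysql_terminated"
    if event_type == "FileCreate":
        filename = detail.rsplit("\\", 1)[-1]
        if RANSOM_NOTE_RE.match(filename):
            return "ransom_note_dropped"
    return None


def score_hosts(events):
    """Map each host to the set of distinct indicators observed on it."""
    indicators = defaultdict(set)
    for event_type, host, detail in events:
        hit = classify_event(event_type, detail)
        if hit:
            indicators[host].add(hit)
    return dict(indicators)


def flagged_hosts(events, threshold=2):
    """Hosts showing at least `threshold` distinct indicators, sorted by name.
    Requiring co-occurrence keeps a lone admin-run vssadmin from paging anyone."""
    return sorted(h for h, hits in score_hosts(events).items() if len(hits) >= threshold)


if __name__ == "__main__":
    for host, hits in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {sorted(hits)}")
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The threshold of two distinct indicators is a design choice rather than a rule from the report: shadow copy deletion alone is also done by legitimate backup maintenance, but paired with a freshly dropped "<random>-readme.txt" it is a strong signal worth isolating the host over.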

Currently, there is no decryption tool available for victims. You must isolate infected hosts and disconnect them from the network. Sangfor recommends that you perform a virus scan and removal as soon as possible.

Detection and Removal
Sangfor offers customers and users free anti-malware software to scan for and remove the ransomware. Simply download it from: http://go.sangfor.com/anti-bot-tool-20181029


The Sangfor security team recommends that you take special care to protect devices from infection, as no file decryption method has been developed yet.

1. Fix the vulnerability as quickly as possible by installing the corresponding patch on the host.
2. Back up critical data files regularly to other hosts or storage devices.
3. Update Confluence (if installed) to one of the following versions:

Confluence 6.6.12 or later
Confluence 6.12.3 or later
Confluence 6.13.3 or later
Confluence 6.14.2 or later
Update widgetconnector-3.1.3.jar to widgetconnector-3.1.4.jar

4. To fix vulnerabilities in WebLogic, refer to our threat intelligence on the WebLogic wls9-async Deserialization Remote Code Execution Vulnerability.
5. For Sangfor NGAF customers, update NGAF to version 8.0.5 and enable AI-based Sangfor Engine Zero to achieve the best protection.
6. Deploy Sangfor security products and connect to cloud-based Sangfor Neural-X to detect new threats.
7. Finally, Sangfor recommends performing a security scan and virus removal on the whole network to enhance network security. We recommend Sangfor NGAF to detect, prevent and protect against threats to your internal network.
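Item 3 above gives fixed Confluence versions per release branch, which is easy to misread during a rushed patch cycle (6.13.2 is vulnerable while 6.6.12 is fixed). The following Python triage helper is an added example, not Sangfor's or Atlassian's code: it takes the fixed versions exactly as listed in this advisory and reports which hosts in an inventory still need the update, plus a check of the widgetconnector jar name. It assumes the list above is complete, so branches with no listed fix (for example 6.7 through 6.11) are treated as unpatched and anything newer than the newest listed branch is treated as "or later"; the host names and versions in SAMPLE_INVENTORY are constructed.

```python
import re

# Fixed versions as listed in the advisory for CVE-2019-3396.
FIXED_VERSIONS = ["6.6.12", "6.12.3", "6.13.3", "6.14.2"]
# Fixed widget connector jar version as listed in the advisory.
FIXED_WIDGETCONNECTOR = (3, 1, 4)


def parse_version(text):
    """Turn '6.13.2' into (6, 13, 2); reject anything that is not major.minor.patch."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(version_text, fixed=FIXED_VERSIONS):
    """True if the version is at or above the fix for its own branch, or lies in a
    branch newer than the newest listed fix ("6.14.2 or later"). Branches without
    a listed fix are treated as unpatched (assumption: the advisory list is complete)."""
    version = parse_version(version_text)
    fixed_versions = sorted(parse_version(f) for f in fixed)
    newest = fixed_versions[-1]
    if version[:2] > newest[:2]:
        return True
    for fv in fixed_versions:
        if version[:2] == fv[:2]:
            return version >= fv
    return False


def widgetconnector_patched(jar_name):
    """True if a widgetconnector-X.Y.Z.jar file name is at or above the fixed version."""
    m = re.fullmatch(r"widgetconnector-(\d+)\.(\d+)\.(\d+)\.jar", jar_name.strip())
    if not m:
        raise ValueError(f"not a widgetconnector jar name: {jar_name!r}")
    return tuple(int(p) for p in m.groups()) >= FIXED_WIDGETCONNECTOR


def triage(hosts, fixed=FIXED_VERSIONS):
    """Return the host names whose Confluence version still needs the update."""
    return [name for name, ver in hosts.items() if not is_patched(ver, fixed)]


# Constructed inventory: hostname -> reported Confluence version.
SAMPLE_INVENTORY = {
    "wiki-prod": "6.13.2",
    "wiki-staging": "6.14.2",
    "wiki-legacy": "6.6.11",
    "wiki-dev": "6.9.0",
    "wiki-new": "6.15.1",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Confluence {SAMPLE_INVENTORY[host]} needs updating")
    print("widgetconnector-3.1.3.jar patched:", widgetconnector_patched("widgetconnector-3.1.3.jar"))
```

Versions are compared as integer tuples rather than strings so that 6.13.10 sorts after 6.13.3; a string comparison would silently mark it vulnerable.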
