
Attackers spread Sodinokibi ransomware posing as the German Federal Office for Information Security

Attackers are distributing the Sodinokibi ransomware (also known as REvil and Sodin) by email, posing as employees of the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). The BSI is a civilian federal IT-security authority, not an intelligence service.

Using the subject line “Warning about compromised user data” (“Warnmeldung kompromittierter Benutzerdaten”), the attackers urge recipients to open a malicious PDF attachment, according to the BSI warning.

Spam email (English translation):

Subject: Warning message of compromised user data – Federal Office for Information Security
Content: Dear Sirs and Madams,
The European Cybersecurity Act entered into force on 27 June 2019. Since then, the Federal Office for Information Security has been obliged to inform you about possible misuse of your data.
On July 14, 2019, several vulnerabilities were found on high-traffic websites, which led to the loss of personal information. After careful analysis of the datasets available to us, we can say that your data is part of this dataset, so we advise you to immediately change compromised passwords.

Once the document is opened, an .hta file is launched through the legitimate Windows utility mshta.exe, which then downloads and runs the Sodinokibi ransomware on the system.

Once it has infected a system, the malware deletes the Volume Shadow Copies of the files and disables Windows startup recovery, so that the usual built-in restore paths are unavailable. Sodinokibi then encrypts the files on the system and demands $2,500 in Bitcoin for their decryption; after a set deadline the demand rises to $5,000.

The malware also drops ransom notes named in the [extension]-HOW-TO-DECRYPT.txt format in every folder it scans, where [extension] is the extension appended to the encrypted files. Each note carries the victim's unique key and links to the payment site.

When victims visit a payment site supplied by the attackers, they must enter their unique extension and key to reach the ransom demand page.
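The delivery chain (a document reader handing off to mshta.exe to run an .hta file) and the post-infection behaviour described above (shadow copies deleted, startup recovery disabled, a [extension]-HOW-TO-DECRYPT.txt note dropped in every scanned folder) can be turned into simple host triage rules. The script below is an added example written for this page; it is not code from the article, the BSI or any vendor. The Sysmon-style process events and the directory listing it runs over are constructed, and the vssadmin/bcdedit command lines it looks for are an assumption about how shadow-copy deletion and startup-recovery tampering are commonly performed, which the article itself does not name.

```python
"""Host triage for the Sodinokibi infection chain described above.

Added example, not code from the article or from any vendor tool. Input is a
constructed, Sysmon-style list of process-creation events and a constructed
directory listing. The vssadmin/bcdedit command lines used to delete shadow
copies and disable startup recovery are an assumption about how this is
commonly done, not something the article states.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Dict, List

# Document readers / Office apps that should never need to spawn mshta.exe
DOCUMENT_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe",
                    "winword.exe", "excel.exe", "outlook.exe"}

# Assumed command lines for shadow-copy deletion and startup-recovery tampering
RECOVERY_TAMPER_RULES = [
    ("shadow copies deleted (vssadmin)",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow copies deleted (wmic)",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("startup recovery disabled (bcdedit)",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("boot failure handling disabled (bcdedit)",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
]

# Ransom note name format from the article: <extension>-HOW-TO-DECRYPT.txt
# (matched against a lower-cased file name)
RANSOM_NOTE = re.compile(r"^(?P<ext>[a-z0-9]+)-how-to-decrypt\.txt$")


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> List[str]:
    """Return the suspicious behaviours a single process-creation event shows."""
    findings: List[str] = []
    image, parent = basename(event.image), basename(event.parent_image)
    if image == "mshta.exe":
        if parent in DOCUMENT_READERS:
            findings.append("mshta.exe spawned by a document reader")
        if re.search(r"https?://|\.hta\b", event.command_line, re.I):
            findings.append("mshta.exe running an .hta or remote script")
    for label, pattern in RECOVERY_TAMPER_RULES:
        if pattern.search(event.command_line):
            findings.append(label)
    return findings


def find_ransom_notes(paths: List[str]) -> Dict[str, List[str]]:
    """Map each ransom-note extension to the paths where the note was dropped."""
    notes: Dict[str, List[str]] = {}
    for path in paths:
        m = RANSOM_NOTE.match(basename(path))
        if m:
            notes.setdefault(m.group("ext"), []).append(path)
    return notes


def encrypted_files(paths: List[str], ext: str) -> List[str]:
    """Files carrying the extension named by a ransom note, i.e. the encrypted ones."""
    return [p for p in paths if basename(p).endswith("." + ext.lower())]


def triage(events: List[ProcessEvent], paths: List[str]) -> dict:
    """Combine process and file-system findings into one report."""
    report: dict = {"process_findings": [f for e in events for f in classify(e)],
                    "ransom_notes": find_ransom_notes(paths)}
    report["encrypted_files"] = {ext: encrypted_files(paths, ext)
                                 for ext in report["ransom_notes"]}
    return report


# Constructed sample telemetry: one delivery-chain event, two tampering events, one benign
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
                 r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Users\user\AppData\Local\Temp\Warnmeldung.hta"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {default} recoveryenabled No"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe C:\Users\user\notes.txt"),
]

# Constructed directory listing after encryption; "5k3jd9" stands in for the random extension
SAMPLE_FILES = [
    r"C:\Users\user\Documents\budget.xlsx.5k3jd9",
    r"C:\Users\user\Documents\5k3jd9-HOW-TO-DECRYPT.txt",
    r"C:\Users\user\Pictures\holiday.jpg.5k3jd9",
    r"C:\Users\user\Pictures\5k3jd9-HOW-TO-DECRYPT.txt",
    r"C:\Users\user\notes.txt",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS, SAMPLE_FILES), indent=2))
```

On the sample input the script flags the mshta.exe launch twice (document-reader parent and .hta argument), the vssadmin and bcdedit commands once each, ignores the benign notepad.exe event, and ties the two ransom notes to the two files that carry the same appended extension. In a real deployment the events would come from Sysmon event ID 1 or an EDR feed and the listing from a file-system crawl; the rule logic stays the same.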

It was previously reported that Sodinokibi operators had compromised managed service providers through Webroot SecureAnywhere consoles and used that access to deploy the ransomware on the providers' clients' systems.

In June, Oracle patched a deserialization vulnerability in WebLogic Server that had already been exploited to deliver Sodinokibi ransomware and cryptocurrency miners.

Polina Lisovskaya

I have worked as a marketing manager for years now and love searching for interesting topics for you.
