Attackers spread Sodinokibi ransomware on behalf of German intelligence service

Attackers distribute Sodinokibi ransomware (also known as REvil and Sodin) by email, posing as employees of the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik).

Using the “Warning about compromised user data” message (“Warnmeldung kompromittierter Benutzerdaten”) as the subject, attackers urge their victims to open an attachment with a malicious PDF document, says the BSI message.

Spam email (English):

Subject: Warning message of compromised user data – Federal Office for Information Security
Content: Dear Sirs and Madames,
The European Cybersecurity Act entered into force on 27 June 2019. Since then, the Federal Office for Information Security has been obliged to inform you about possible misuse of your data.
On July 14, 2019, several vulnerabilities were found on high-traffic websites, which led to the loss of personal information. After careful analysis of the datasets available to us, we can say that your data is part of this dataset, so we advise you to immediately change compromised passwords.

After the document opened on the system, the hta file is launched using the legitimate utility mshta.exe, then the Sodinokibi extortionate software is loaded onto the system.

By infecting the system, the malware removes shadow copies of the files and disables recovery on Windows startup. Then Sodinokibi encrypts files on the system and for their restoration requires $2500 in Bitcoin, after a specified period the amount rises to $5000.

The malware will also create ransom notes named using the [extension]-HOW-TO-DECRYPT.txt format for all scanned folders, with the ransom notes also featuring unique keys and links to the payment site.

When the victims visit the payment sites supplied by the attackers, they will have to enter their unique extension and key to get to the ransom request page.

Earlier it was reported about attacks in which Sodinokibi operators hacked managed service providers through Webroot SecureAnywhere and infected their clients’ systems with extortionate software.

In June, Oracle fixed the deserialization vulnerability in WebLogic Server, which was previously used to distribute the extortionate Sodinokibi software and cryptocurrency miners.