The cybercriminals behind the Sodinokibi ransomware use the RIG exploit pack to spread malware to target machines.
Attackers exploit bugs in browsers to covertly set payloads and block files. The initial infection occurs through advertising banners on blogs and online games. The ad leads the victim to a criminal resource that secretly tries to run a malicious script from the RIG arsenal on the computer.Cybercriminals operate through Flash vulnerabilities in browsers and, if they successfully exploited, send a payload to the device. The attack does not require user interaction.
As the exploit kit will install the ransomware without the user’s knowledge, other than the suspicious Internet Explorer crash, most users will not know they are infected until the ransomware has finished”, — reports Bleeping Computer magazine.
At the first stage, an obfuscated VBS script is delivered to the machine using malicious JavaScript, which acts as a loader and installer for Sodinokibi. The ransomware secretly encrypts files, after which it sets the desktop wallpaper and creates a text document with a ransom demand. The malware assigns a unique identifier to the infected device and adds it as an extension to all encoded objects.
Read also: Researchers Create Free Nemty Ransomware Decryptor
An information security specialist with the pseudonym mol69 spoke about the new attack vector on Twitter. According to the expert, the campaign is aimed at users from Southeast Asian countries.
This new malvertising campaign is targeting Internet Explorer users from Vietnam, Korea, Malaysia and possibly other Asian countries”, — said mol69.
A little later, the analyst said that attacks are also conducted through the Fallout exploit pack.
In September of this year, an independent researcher nicknamed Security Aura found that cybercriminals used overlays on hacked sites to distribute Sodinokibi. According to him, the attackers injected a script into the code of the vulnerable WordPress resource that displayed a frame with a fake Internet forum on top of the legitimate page, where one of the messages contained a malicious link. For more convincing messages, the branches were selected taking into account the subject of the infected site.
Recommendations:
Unfortunately, currently there is no free method of decrypting the Sodinokibi/REvil Ransomware. Users are advised to restore from backups if it is at all possible rather than paying the ransom.
Read also: IS researchers believe ‘REvil’ is GandCrab rebranding
As always, to protect yourself from exploit kits, users should always have the latest Windows updates installed, their programs update, and to upgrade any web applications that require Internet Explorer as the RIG exploit kit only targets this outdated browser.
User Review
( votes)( reviews)
Mine data was encrypted online 🙁
By peet ransomware what can I do?