Sodinokibi ransomware claims numerous victims worldwide
Tesorion and SIDN Labs investigate the spread of Sodinokibi
Just a few months after emerging, Sodinokibi ransomware is spreading rapidly. It was first used in targeted attacks, as described by Cisco Talos. Now, however, it is being distributed more indiscriminately using spam. One widely circulated message carrying Sodinokibi was encountered by researchers from Tesorion earlier this month. Following the discovery, SIDN Labs and Tesorion decided to make a joint analysis of DNS data in order to gauge the global prevalence of Sodinokibi infections. In the wake of that initiative, this blog post describes how Sodinokibi is now typically distributed by e-mail, and presents the results of our research into the global prevalence picture.
Sodinokibi distributed using spam
At the start of July, an e-mail was submitted to Tesorion's researchers for analysis. At first sight, the message looked legitimate enough: it was a job application from someone called Beatrix, apparently in response to an ad on 'werksite.nl'. Beatrix wrote that her CV and covering letter were attached. So a reader won't have been surprised to see a ZIP file with the message: the file name was plausible and lots of senders zip multiple attachments. When unzipped, however, there was just a single EXE file purporting to contain Beatrix's CV. In fact, the EXE launched the Sodinokibi ransomware, immediately infecting the recipient's system and encrypting the data. A lot of thought had clearly gone into the e-mail. It was written in the style of a genuine application, with very few tell-tale mistakes, and it referred to the popular Dutch jobs website werksite.nl. It was also sent from an address that matched the signatory's name, within a domain very like the one used by a big Dutch ISP. What's more, the 'From' domain passed the DKIM verification test, to prevent it getting bounced before delivery. If a copy of the message found its way to, say, an overworked HR officer, it's easy to see how they might have opened the 'CV', activating Sodinokibi and loosing the ransomware to infect the company's network. Like previously encountered versions of Sodinokibi, the variant attached to the investigated mail tries to contact a long list of servers. The remainder of this blog post explains how we used details of those servers to map the global spread of Sodinokibi infections.
Use of legitimate domains
Sodinokibi tries to make contact with a large number of servers. The list of servers is pre-configured in the malware, and consequently distinctive to the particular version. The same data is sent to each server at a randomly generated URL (see also Tesorion's previous analysis). The data relayed back by the malware includes information about the infected system. Previous analysis by Tesorion showed that the malware doesn't do anything with any response it may receive from the server where the data is sent. We believe that the malware sends the information in order to give the crooks feedback regarding the number of infections and therefore the success of their campaign. Strikingly, most of the servers involved are linked to legitimate-looking domains. It seems likely that the perpetrators are able to receive the feedback data at one or more of the numerous listed domains. However, identification of the servers controlled by the crooks is difficult, because of the large number of legitimate, but relatively obscure domains on the list. And it isn't possible to treat each individual server on the list as an indicator of compromise. Sometimes, malware uses legitimate domains that have been hacked. A command-and-control server is established at a particular URL within a hacked domain, which otherwise continues to operate normally. However, because Sodinokibi generates random URLs, we feel it's unlikely that the legitimate domains it contacts have all been hacked. It's more plausible that they are listed to complicate the task of identifying the real C&C server.
Global infection picture
Because the malware tries to contact so many domains, most of them probably legitimate, a Sodinokibi infection generates a large number of DNS requests. Furthermore, the particular combination of domains used in Sodinokibi configurations is very unlikely to be observed in normal traffic from non-infected systems. Any given variant of the ransomware will contact numerous domains under a variety of ccTLDs, such as .de, .nl, .uk, .es, .ru and .br. The wide variety of domains and TLDs used makes it harder to tell which domains are actually controlled by the crooks, and which are approached simply as a diversion. On the other hand, each TLD's administrator, e.g. SIDN for the .nl domain, is in a position to observe global use of the domains within that TLD. Because the domains approached by a lot of Sodinokibi variants include numerous .nl domains, we decided to investigate whether the associated traffic data could be used to build up a global picture of possible infections involving the variants in question. That involved scanning sampled, anonymised logs from the .nl name servers for requests relating to the particular .nl domains associated with Sodinokibi. For privacy reasons, the IP addresses of the resolvers making the requests were removed from the dataset, while the associated countries and AS numbers (which identify the network owners) were retained. The aim of the exercise was to get a general impression of Sodinokibi's global distribution; we were not trying to identify infected systems individually, or even to precisely quantify them. The anonymised dataset would not have lent itself to that purpose. The first step of the investigation was to clean up the data, since certain resolvers regularly query large numbers of domains, including the .nl domains associated with Sodinokibi. That's the case with the resolvers used by web crawlers and major e-mail services, for example. Those servers were removed from the dataset. By looking at resolvers that query a relatively large number of .nl domains that have no obvious connection but match the Sodinokibi contact list, we can build a picture of the resolvers used by systems that appear to have Sodinokibi infections. From late April -- just about when Sodinokibi ransomware was first encountered in the wild -- a sharp rise in the prevalence of such resolvers shows up in the dataset. Our results are based on two assumptions. First, that most systems use their own network's resolver. Thus, a resolver's network and country should correspond to the network and country of the actual infection. Second, that an infected system queries all the 'Sodinokibi domains' on the same day; therefore, requests made on different days are generated by different infections. The single-day query pattern was observed with all variants analysed by Tesorion. We acknowledge that those assumptions won't be valid in all cases, but they should have sufficient general validity to support broad-brush analysis. By grouping resolvers by network (AS number), we avoid the problem of multiple resolvers selected on a round-robin basis by an infected system incorrectly being thought to represent multiple infections. If we then count the number of the unique AS numbers per day, we can build a reasonable picture of the countries and networks hit by Sodinokibi. In order to give an impression of the prevalence of infected networks in different countries, we have produced a graph showing the number of distinct AS numbers per country. South Korea emerges as one of the top ten infection hotspots, providing a further hint that GandCrab and Sodinokibi may be related, since Krebs reported a GandCrab spam campaign aimed at the country.
An infected system looks up all the hosts at the same time. Therefore, if an AS number is associated with infections on multiple days, there will be a peak in the number of Sodinokibi host names queried on each of the days in question. By counting the number of days that each AS number has an infection and then calculating national aggregates, we can obtain a picture of the ransomware's global distribution. That was done for both May and June, and the results are shown on the two maps below. One obvious feature of the findings is that Sodinokibi's prevalence increased over time.
In recent months, numerous organisations around the world have been hit by Sodinokibi infections. The ransomware is both spread manually within organisations, and directly distributed with spam in the hope that a certain percentage of recipients will fail to recognise the danger. The spam mail analysed by Tesorion was good quality: considerable trouble had clearly been taken to make the messages look as legitimate as possible. Sodinokibi's use of numerous apparently legitimate domains enables us to get an impression of the global distribution of infections. Because of the way the DNS works, SIDN's unique position as administrator of the .nl domain enables it to observe which networks around the world are contacting particular .nl domains. By combining SIDN's traffic data with Tesorion's insight into the domains associated with Sodinokibi, the two organisations have been able to map the distribution of Sodinokibi infections across countries and networks. The resulting insight can be used to help protect our users and keep the .nl domain free of abuse.
Many families of ransomware take advantage of vulnerabilities in software to get themselves installed on victims' computers. It is therefore very important to keep your operating system and software up to date. You can also use spam filters, firewalls and endpoint protection to minimise your risk exposure. However, such applications cannot keep everything out. It's therefore important that your staff understand the dangers of clicking on links and opening attachments to spam messages. Making regular backups is another important form of defence. Having a backup means that you can reinstate unencrypted data if your system does get hit.