Fidelis Cybersecurity
Fidelis Blog

Aamil Karimi
Sr. Intelligence Analyst, Threat Research Team

Aamil Karimi is a former US Army All-Source intelligence analyst and spent over 6 years in Afghanistan working with the US Army, Air Force Office of Special Investigations, and supporting USSOCOM as an...




Ransomware Strains in a Post-GandCrab Environment

In June 2019, GandCrab ceased operations and support for its namesake ransomware strain, which had become one of the most prolific ransomware families over the preceding year and a half. Since then, research and reports on multiple new ransomware campaigns have emerged. Recently, a few of these have generated more interest than the rest, whether as a result of high-profile incidents or because of an increase in adoption and use by popular malware campaigns and kits within a relatively short amount of time. These include Sodinokibi, Eris, and Robbinhood.

Research suggests that Sodinokibi may be associated with GandCrab since its initial discovery in April 2019, and it was reported to have affected multiple government agencies in Texas this past week. Eris has recently gained interest from multiple commodity malware kits, including the RIG and Lord Exploit Kits (EKs), and Robbinhood has been behind multiple ransomware attacks against local and municipal governments over the past few months.

Key Judgments:

  • Sodinokibi’s popularity is possibly tied to its suspected relationship with GandCrab
  • Uncommon strains like Robbinhood and Eris can still cause significant disruptions and continue to be perpetuated by popular commodity malware and exploit kits
  • Phishing emails remain the most popular attack vector; however, the targeting of certain vulnerabilities in software and services like Oracle WebLogic requires minimal or no user (victim) interaction.
  • Older vulnerabilities in widely implemented software and services will continue to be the preferred method of targeting and exploitation

Sodinokibi aka: REvil
The Sodinokibi Ransomware, also dubbed “REvil”, was first identified and reported on in April 2019. Since the initial report, other research has suggested multiple similarities between Sodinokibi and GandCrab, with Sodinokibi becoming increasingly popular despite its brief overlap with its suspected predecessor. In the second quarter of 2019, Sodinokibi was one of the most popular strains of ransomware observed by researchers, accounting for 12.5% of the ransomware market share. That compares to 23.9% for Ryuk, 17.0% for Phobos, and 13.6% for Dharma. More interestingly during this period, and what may further support Sodinokibi’s tie to the developers of GandCrab, is that it actually eclipsed GandCrab’s 10.2% market share (granted, GandCrab operations were likely slowing down as it finally ceased operations and support in late June).

Sodinokibi Ransomware was initially observed infecting victim systems after exploitation of a then-zero-day vulnerability in Oracle WebLogic, CVE-2019-2725. This is unusual compared to most generic ransomware strains, in that exploitation of this server vulnerability did not require any user interaction, as is common with delivery via phishing emails. More recently, as of June 2019, Sodinokibi was observed being delivered by the RIG Exploit Kit via an older Microsoft Win32k vulnerability, CVE-2018-8453. RIG Exploit Kit is one of the more popular malware artifacts now that exploit kits have made a recent resurgence, and inclusion or adaptation of a malware family by an exploit kit as prominent as RIG could mean more Sodinokibi campaigns or attacks. This was evident when it was reported on 19 August that the ransomware attack that impacted multiple Texas state government agencies over the past weekend was the result of Sodinokibi.

Eris Ransomware is a lesser-known strain gaining popularity with other commodity malware. On 29 June 2019, a user on a Russian-language forum, Eris, posted a thread advertising the capabilities of a new ransomware of the same name. Between 29 June and 5 July, Eris added multiple posts regarding the capabilities of the Eris Ransomware and opportunities for tutorials and an affiliate program. However, security researchers had already observed the Eris Ransomware in the wild since May 2019.

In early July 2019, Eris was observed being delivered by the popular RIG Exploit Kit. Between July and August 2019, Eris was also reported to be dropped by the Azera drive-by malware and Lord Exploit Kit after exploiting the Adobe Flash use-after-free (UAF) vulnerability, CVE-2018-15982.

The Robbinhood Ransomware is another strain that is infrequently seen compared to other popular branded variants; however, its lack of prevalence is made up for by its notoriety for being responsible for high-profile incidents in Greenville, NC in April and then Baltimore, MD in May 2019. Robbinhood impacted multiple local government systems in both incidents, resulting in a disruption of vital municipal services for several weeks.

Although the initial intrusion vector is still in question, it is believed Robbinhood may infect victims via remote desktop protocol (RDP) or be downloaded by other malware. Robbinhood will continue to be a strain of ransomware to be wary of, especially for the public sector.

Commonalities Across Ransomware Families
During our research we’ve observed that multiple ransomware families, both generic and “branded”, often execute similar processes and exhibit similar behaviors on infected hosts. Although there are several differences that allow researchers to attribute certain ransomware strains to specific families or brands, recognizing commonalities could give security teams a way to counter multiple variants and campaigns without having to keep up with new indicators for each one. Common processes and behaviors observed across multiple ransomware strains include the following:

  1. Creates a Ransomware Instruction file on desktop: *readme.txt (MITRE: T1105 Remote File Copy)
  2. Spawns cmd and stops Windows services and AV software: cmd.exe /c sc.exe stop AVP /y (or stop*/y) (MITRE: T1059 Command-Line Interface, T1089 Disabling Security Tools)
  3. Spawns cmd and Deletes Shadow Copies: vssadmin.exe Delete Shadows /All /Quiet (note: “Delete Shadows” may also be substituted with “shadowcopy delete”) (MITRE: T1059 Command-Line Interface, T1490 Inhibit System Recovery)
  4. Spawns cmd and Disables Recovery: Bcdedit.exe /set {default} recoveryenabled no (MITRE: T1059 Command-Line Interface, T1490 Inhibit System Recovery)
  5. Spawns cmd and Disables Recovery: Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures (MITRE: T1059 Command-Line Interface, T1490 Inhibit System Recovery)
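As an added example (not part of the original post or any Fidelis tooling), a small Python triage routine that checks the command lines of process-creation events against the command-line behaviors listed above (items 2 to 5) and flags a host only when recovery inhibition (T1490) co-occurs with another listed behavior, since a lone service stop is routine administration. The event shape (host, command line) and host names are constructed assumptions.

```python
import re
from collections import defaultdict

# Behaviors from the list above, keyed by the MITRE technique the post cites.
# Patterns are case-insensitive and tolerate the ".exe" suffix and extra spacing.
RULES = [
    ("T1059", r"\bcmd(\.exe)?\s+/c\b"),                                   # spawns cmd
    ("T1089", r"\bsc(\.exe)?\s+stop\s+\S+"),                               # stops services / AV
    ("T1490", r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),                 # deletes shadow copies
    ("T1490", r"\bshadowcopy\s+delete\b"),                                 # alternate wording
    ("T1490", r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b"),
    ("T1490", r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b"),
]
COMPILED = [(tid, re.compile(pat, re.IGNORECASE)) for tid, pat in RULES]


def match_cmdline(cmdline):
    """Return the set of technique IDs whose pattern appears in one command line."""
    return {tid for tid, rx in COMPILED if rx.search(cmdline)}


def triage(events, min_techniques=2):
    """Group (host, cmdline) events per host and flag hosts showing the ransomware
    pattern: recovery inhibition (T1490) plus at least one other listed behavior."""
    per_host = defaultdict(set)
    for host, cmdline in events:
        per_host[host] |= match_cmdline(cmdline)
    return {h: sorted(t) for h, t in per_host.items()
            if "T1490" in t and len(t) >= min_techniques}


# Constructed sample telemetry (host, command line); not real events.
SAMPLE_EVENTS = [
    ("ws01", "cmd.exe /c sc.exe stop AVP /y"),
    ("ws01", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("ws01", "Bcdedit.exe /set {default} recoveryenabled no"),
    ("ws01", "Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ("srv02", "sc.exe stop Spooler"),        # admin restarting the print spooler
    ("srv02", "vssadmin.exe list shadows"),  # benign backup check, not a deletion
]

if __name__ == "__main__":
    for host, techniques in triage(SAMPLE_EVENTS).items():
        print(f"{host}: ransomware-like behavior, techniques {techniques}")
```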

Aside from standard vulnerability management and patching, detection and prevention of malware and threat activity based on heuristic patterns, or on emerging technologies such as deception technology, may also support a proper defense.

Old is Still New
As we discussed in our previous blog, Fidelis’ Threat Research Team assesses that commodity malware and threat actors will continue to exploit older vulnerabilities in common and high-value software and services like Internet Explorer, Oracle WebLogic, and Adobe Shockwave/Flash. In addition to exploit kits, multiple open-source and commercial tools available for penetration testing and research purposes are frequently leveraged to target systems and networks that may be running out-of-date and vulnerable software. This tactic is likely to persist, and organizations are encouraged to ensure that the latest versions of programs are installed, or to simply disable or avoid using certain software and services where possible.

Fidelis Threat Research Team Assessment
Most Dangerous Course of Action: Exploitation of new vulnerabilities in remote network services could exacerbate a ransomware infection in the same manner as a WannaCry or NotPetya type incident. A shift in tactics by multiple well-resourced groups, such as a nation-state or organized criminal advanced persistent threat (APT) actor, from espionage and data siphoning to destruction leveraging ransomware could result in high-impact disruptions to organizations and services in sensitive business verticals including financial, utilities/infrastructure, and defense.

Most Likely Course of Action: New and existing ransomware strains will continue to be frequently leveraged by popular exploit kits and delivered by exploiting older, previously disclosed vulnerabilities. As certain popular software is phased out or declines in popularity and market share, such as Adobe Flash and Internet Explorer, exploit kits and drive-by campaigns may evolve to adapt to these changes in order to deliver ransomware and other payloads; however, attempts against vulnerabilities in this software and these services will persist, as threat actors often find success by targeting outdated versions of ubiquitous programs.

