Team

Sodinokibi Ransomware Builds An All-Star Team of Affiliates

Source: National Cyber Security – Produced By Gregory Evans

The Sodinokibi Ransomware (REvil) has been making news lately as they target the enterprise, MSPs, and government entities through their hand-picked team of all-star affiliates. These affiliates appear to have had a prior history with the GandCrab RaaS and use similar distribution methods.

It should be noted that we will refer to this ransomware infection as Sodinokibi as that is what it is most commonly known as to the general public and victims. This ransomware also goes under the name REvil, which is the actual name given by the malware developers.

Since being discovered in late April exploiting vulnerable WebLogic servers, Sodinokibi has been distributed worldwide through exploit kits, phishing campaigns, remote desktop attacks, and large-scale attacks launched through hacked MSPs.

Victim Heatmap (Source: McAfee)

In two new reports from McAfee, the Sodinokibi Ransomware has been analyzed to document code similarities between this ransomware and GandCrab. The affiliates of both RaaS operations have also been analyzed to show the similarities between the two and how many affiliates switched to Sodinokibi as GandCrab began shutting down.

The GandCrab RaaS

Before we get into the Sodinokibi RaaS, it is important to discuss how the GandCrab RaaS operated.

One thing that was well known about the GandCrab Ransomware-as-a-Service is that they put together a team of some of the best affiliates out there.

These affiliates showed a wide range of experience in the distribution of malware and advanced technical knowledge regarding MSP software that allowed them to achieve high volumes of victims by attacking a single organization.

For those not familiar with the term RaaS, it is when a ransomware developer allows “affiliates” to distribute their ransomware in exchange for a portion of the ransom payment. Typically, the affiliates earn the lion’s share of the payment and the developer takes a lower portion, between 30% and 40%, as their fee for managing the ransomware and the payment system.

Those affiliates who performed the best, would earn higher levels of commission.

RaaS Explainer (Source: McAfee)

In new research by McAfee’s John Fokker, Head of Cyber Investigations, and Christiaan Beek, lead scientist & sr. principal engineer, we take a deep dive into how the GandCrab RaaS operated and some of its more high-profile affiliates.

With the GandCrab RaaS, each affiliate was assigned an ID that was embedded in the ransomware executables that they distributed. It was also possible for affiliates to generate SubIDs with which they could tag an executable.

It is not known what these SubIDs were used for, but could have been for a major affiliate to assign distribution work to one of their partners or simply to track the success of different distribution campaigns.

By analyzing hundreds of samples of GandCrab, the researchers told BleepingComputer that there were approximately 292 affiliates registered with the RaaS, with not all of them necessarily being active.

Partial list of GandCrab affiliates (Source: McAfee)

Of these, McAfee stated that the affiliate with ID 99 was by far the most active, with affiliate IDs 15, 41, and 170 being the next most active.

Affiliate ID 99

Unfortunately, it is not currently known which IDs are associated with particular types of attacks, but Fokker told BleepingComputer that they are looking into this.

Sodinokibi builds an all-star affiliate team

A month before Sodinokibi became active, McAfee noted that the high profile affiliates suddenly went missing from GandCrab’s final 5.2 build.

Soon after, a relatively new unnamed RaaS was being marketed on online hacker forums such as Exploit.in, where a member named UNKN was recruiting affiliates. This was a selective recruitment process, and only a small number of highly vetted applicants would be accepted.

Forum post about new RaaS

One of the people who replied to the topic and vouched for the RaaS was a member named Lalartu, who stated they were previously a GandCrab affiliate.

Soon after, Sodinokibi exploded with ransomware distribution that was very similar to the high profile attacks BleepingComputer saw with GandCrab.

BleepingComputer believes that GandCrab informed their top affiliates that they would soon be shutting down and either transferred them to Sodinokibi or the affiliates just decided to move to the new RaaS.

When analyzing Sodinokibi samples, the McAfee researchers noted that Sodinokibi also uses affiliate IDs and SubIDs in the same way as GandCrab.

Sodinokibi Config (Source: McAfee)

This allowed them to extract the IDs from samples, find the most active affiliates, and see whether they could be matched to GandCrab affiliates. Based on their analysis, Fokker told BleepingComputer that there are currently 41 known affiliate IDs, with the most active being affiliate 19, followed by 33 and 20.

When the activity of Sodinokibi affiliate 19 was compared with that of GandCrab affiliate 99, the charts showed a very similar pattern of SubIDs and distributed samples. In the image below, GandCrab affiliate 99 is shown on the left and Sodinokibi affiliate 19 on the right.

Comparison of GandCrab and Sodinokibi Affiliates

While the above does not indicate that they are definitely the same affiliate, their usage patterns do appear very similar.
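The tallying step the McAfee researchers describe (pull the affiliate ID and SubID out of each sample’s embedded configuration, count samples per affiliate, then look at how each affiliate spreads its samples across SubIDs) is simple to reproduce once the configurations have been extracted. The script below is an added example written for this page, not McAfee’s or BleepingComputer’s code. It assumes the configuration is a JSON object whose affiliate ID is in a field named "pid" and whose SubID is in a field named "sub"; those key names are an assumption of this example, as the article only says both IDs are embedded in the configuration. The sample configurations, hashes and public keys are constructed placeholders, including one blob with no affiliate fields and one that is not JSON at all, so the reader can see how a failed extraction is handled rather than miscounted.

```python
"""Tally affiliate activity from configurations extracted from ransomware samples.

Added example for this article (not the researchers' own code). Field names
"pid" (affiliate ID) and "sub" (SubID) are an assumption; all sample data is
constructed.
"""
import json
from collections import defaultdict

# Constructed stand-ins for JSON configs recovered from unpacked samples.
# (sample label, raw config blob). "pk" is a placeholder public key.
SAMPLE_CONFIGS = [
    ("sample01", '{"pk":"AAAA","pid":"19","sub":"1","dbg":false}'),
    ("sample02", '{"pk":"AAAA","pid":"19","sub":"2","dbg":false}'),
    ("sample03", '{"pk":"AAAA","pid":"19","sub":"2","dbg":false}'),
    ("sample04", '{"pk":"AAAA","pid":"19","sub":"3","dbg":false}'),
    ("sample05", '{"pk":"AAAA","pid":"19","sub":"4","dbg":false}'),
    ("sample06", '{"pk":"BBBB","pid":"33","sub":"1","dbg":false}'),
    ("sample07", '{"pk":"BBBB","pid":"33","sub":"1","dbg":false}'),
    ("sample08", '{"pk":"BBBB","pid":"33","sub":"2","dbg":false}'),
    ("sample09", '{"pk":"CCCC","pid":"20","sub":"1","dbg":false}'),
    ("sample10", '{"pk":"CCCC","pid":20,"sub":1,"dbg":false}'),   # numeric form of the IDs
    ("sample11", '{"pk":"DDDD","dbg":true}'),                      # no affiliate fields at all
    ("sample12", 'not json at all'),                               # extraction failed
]


def parse_affiliate(blob):
    """Return (pid, sub) as strings, or None if the blob carries no usable affiliate ID.

    IDs are normalised to strings so "19" and 19 count as the same affiliate.
    """
    try:
        cfg = json.loads(blob)
    except json.JSONDecodeError:
        return None
    if not isinstance(cfg, dict) or "pid" not in cfg:
        return None
    pid = str(cfg["pid"])
    sub = str(cfg.get("sub", "0"))  # a missing SubID is treated as the default campaign "0"
    return pid, sub


def tally(samples):
    """Map affiliate ID -> {SubID -> number of samples}, skipping unparseable blobs."""
    table = defaultdict(lambda: defaultdict(int))
    for _label, blob in samples:
        parsed = parse_affiliate(blob)
        if parsed is None:
            continue
        pid, sub = parsed
        table[pid][sub] += 1
    return {pid: dict(subs) for pid, subs in table.items()}


def rank_affiliates(table):
    """Rows of (pid, total samples, distinct SubIDs), most active first."""
    rows = [(pid, sum(subs.values()), len(subs)) for pid, subs in table.items()]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


def subid_profile(table, pid):
    """Per-SubID sample counts for one affiliate, largest first.

    This is the shape plotted in the affiliate comparison charts; two affiliates
    with similar profiles are worth a closer look, but a similar shape alone does
    not prove they are the same actor.
    """
    return sorted(table.get(pid, {}).values(), reverse=True)


if __name__ == "__main__":
    activity = tally(SAMPLE_CONFIGS)
    for pid, total, distinct in rank_affiliates(activity):
        print(f"affiliate {pid}: {total} samples across {distinct} SubIDs, "
              f"profile {subid_profile(activity, pid)}")
```

Run against real extractions, the only change is replacing SAMPLE_CONFIGS with the decoded configuration blobs; the ranking and the per-SubID profile are then what you would put side by side for two affiliates, as the chart above does for GandCrab 99 and Sodinokibi 19.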

Because this business model, and it is definitely a business, relies on affiliates to distribute the ransomware, McAfee notes that it is important for law enforcement to go after not only the ransomware itself but also the affiliates.

By disrupting the distribution, the RaaS model simply falls apart.

“Given that the income of the RaaS network is largely dependent on the performance of its top affiliates, and it is run like a normal business, we (the security industry) should not only research the products the criminals develop, but also identify possible ways to successfully disrupt the criminal business.”

Similarities in code

In addition to the many similarities between the affiliates of Sodinokibi and GandCrab, there are also similarities within the code itself.

Last week we reported that researchers at SecureWorks identified shared code between the two ransomware and McAfee has come to the same conclusion.

According to McAfee Advanced Threat Research, comparing an unpacked Sodinokibi sample with GandCrab v5.0.3 showed a 40% code overlap between the two infections. Most of this shared code lies within the functions shown below.

Code similarity between Sodinokibi and GandCrab 5.0.3 (Source: McAfee)

This is further illustrated by the very similar graph view of the two infections as seen below. Without even looking at the functions, you can see that the flow and logic of both programs are very similar, if not almost identical.

Graph view of both Sodinokibi and GandCrab 5.0.3 (Source: McAfee)

When Sodinokibi/REvil and GandCrab connect back to their command and control servers, they do so through randomized URLs generated at runtime. As Tesorion found in its earlier analysis, McAfee also found that the URLs generated by the two families are almost identical.

Random URL Generation Comparison (Source: McAfee)

As you can see from the above image, the URL generation is almost identical other than a few varied strings used to generate the URL.

Is Sodinokibi the new GandCrab?

Whether or not Sodinokibi/REvil is the next version of GandCrab is really hard to say.

On one hand we have code similarities that are very hard to ignore and affiliates who were historically part of the GandCrab RaaS and using the same distribution tactics.

On the other hand, the operator’s personality is completely different between the two ransomware families.

With GandCrab, the operators were very open and public with their communications, joked with the research community, and generally had a good time running their operation.

The Sodinokibi operators, on the other hand, are quiet, secretive, and almost reclusive in how the RaaS functions.

While personalities can change, the stark contrast between the two makes BleepingComputer believe that Sodinokibi is being operated by the programmers of GandCrab, while the original operators have since retired or moved on to new things.

This would explain the code similarities, yet the different and more secretive nature of the Sodinokibi/REvil RaaS.

The post Sodinokibi Ransomware Builds An All-Star Team of Affiliates appeared first on National Cyber Security.

View full post on National Cyber Security

New #Book Reveals How #Obama Team #Plotted #Cyberattacks Against #Russia in #2016

Source: National Cyber Security News

On March 13, a book titled “Russian Roulette: The Inside Story of Putin’s War on America and the Election of Donald Trump” will hit the shelves. Written by Michael Isikoff and David Corn, the book specifically focuses on Russia’s alleged interference in the 2016 US presidential elections.

In the summer of 2016, the Obama team prepared a plan for a large-scale cyber-operation against the Russian media, the country’s most influential businessmen and President Vladimir Putin personally, according to former White House cybersecurity coordinator Michael Daniel.

His remarks are included in “Russian Roulette: The Inside Story of Putin’s War on America and the Election of Donald Trump,” a book by Michael Isikoff and David Corn which is due to go on sale on March 13. Excerpts were released by Yahoo News earlier this week.

Daniel explained that the cyber-offensive against Moscow was co-authored by Celeste Wallander, the US National Security Council’s former chief Russia expert.

The plan stipulated that the National Security Agency (NSA) would conduct a number of cyberattacks to neutralize Russian websites and the Guccifer 2.0 hacker, who compromised the emails of the campaign headquarters of former Secretary of State Hillary Clinton and the Democratic Party’s National Committee.

View full post on National Cyber Security Ventures

CodeFork hacking team spreading ‘fileless’ malware to mine Monero cryptocurrency

A group of hackers dubbed ‘CodeFork’ by security researchers has recently launched a new campaign, reportedly spreading fileless malware and a strain of cryptocurrency miner that is able to exploit victims’ computers and produce Monero, a form of digital money. According to experts from Radware, a cybersecurity firm, the group…

The post CodeFork hacking team spreading ‘fileless’ malware to mine Monero cryptocurrency appeared first on National Cyber Security Ventures.

Mexican Governor Spied on President With Hacking Team Spyware, Lawsuit Alleges

In the last few months, human rights and internet monitoring organizations have uncovered evidence that the Mexican government uses sophisticated spyware made by an Israeli company to monitor journalists, dissidents, and even political opponents, as reported in a series of articles in The New York Times. Now, a former Mexican…

Team Lead – Security SOC and Incident Response

Description: Community Health Systems, Inc. is one of the nation’s leading operators of general acute care hospitals. The organization’s affiliates own, operate or lease 158 hospitals in 22 states with approximately 26,000 licensed beds. Affiliated hospitals are dedicated to providing quality healthcare for local residents and contribute to the…

Trump Drops His Call for a Joint Cyber Security Team With Russia after Much Criticism

U.S. President Donald Trump on Sunday backtracked on his push for a cyber security unit with Russia, tweeting that he did not think it could happen, hours after his proposal was harshly criticized by Republicans who said Moscow could not be trusted. Trump said on Twitter […]

View full post on AmIHackerProof.com | Can You Be Hacked?

Man and machine: How to team up to meet cybersecurity challenges

In today’s cybersecurity landscape, the pressure is on. CISOs and other executives are suffering “security insomnia”: attack surfaces are growing exponentially, their security teams are receiving overwhelming numbers of alerts, real threats are masked by false positives, and the numbers of serious breaches are reaching new records – the list…

Cyber Forensic Specialist Team Lead

Description: Do you desire a patriotic role and the chance to defend our nation’s cyber infrastructure? Do you enjoy learning about new technologies and how they can be used to provide cutting edge services to our customers? If so, then look to join the Catapult Consultants team. The selected…

Hennepin County, nonprofit team up for fifth year of child abuse prevention campaign

Hundreds of blue signs raising awareness about child abuse will be placed this month around the metro area, marking the fifth year of the annual Blue Kids Campaign.

Hennepin County and CornerHouse, a Minneapolis nonprofit that helps families and adults dealing with abuse, launched the campaign Wednesday by planting 100 signs at the Hennepin County Government Center in downtown Minneapolis. The signs represent the thousands of kids abused in Minnesota each year. April is National Child Abuse Prevention Month.

The post Hennepin County, nonprofit team up for fifth year of child abuse prevention campaign appeared first on Parent Security Online.

IT Security Engineer III – Firewall Team

JOB SUMMARY • Designs, develops, configures, and implements solutions to resolve complex and highly complex technical and business issues related to information security, identity management, user access authentication, authorization, user provisioning, and role-based access control. • Designs, develops, …
