The Sodinokibi ransomware, first discovered a few months ago, appears to be gaining ground. At first this ransomware was seen in targeted attacks, as described by Cisco Talos, among others. Nowadays it is also distributed less selectively, via spam. Researchers at Tesorion, for instance, examined a spam email with which Sodinokibi was distributed this month. To obtain a picture of infections worldwide, SIDN Labs and Tesorion jointly analysed DNS data. This blog post is the result of that cooperation and describes both an example of how Sodinokibi is currently spread by email and the results of our research into worldwide Sodinokibi infections.
Sodinokibi distributed via spam
At the start of July, researchers at Tesorion were given an email for analysis that, at first glance, appeared legitimate. It was a job application, supposedly in response to a vacancy on ‘werksite.nl’, sent by one ‘Beatrix’. The email refers to the attached CV and motivation letter and carries a .zip attachment with a plausible file name. That is not suspicious in itself, since two files are expected. Unzipping the attachment, however, yields a single .exe file that supposedly contains the CV. In reality this file is the Sodinokibi ransomware: as soon as the reader tries to open the ‘CV’, it infects the system and encrypts the data.
Clearly, attention was paid to the wording of the email. The language is almost flawless, it refers to the well-known vacancy website werksite.nl, and the text reads like a genuine application letter. In addition, the sender's email address matches the name with which the email is signed, and the sender domain is that of a large Dutch ISP. The message also carries a valid DKIM signature for that domain, which further makes it look legitimate. Note that a passing DKIM check only confirms that the message was sent through that ISP's mail system; it says nothing about the intentions of whoever sent it, or about the attachment.
An HR employee who, in an unguarded moment, opens the ‘CV’ will thus launch Sodinokibi and set a ransomware infection in motion inside the business network.
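The practical check that stops an attachment like the one above is to look inside archive attachments before they reach a mailbox. The following is an added example, not code from the original post or from Tesorion: it inspects an in-memory .zip and flags entries that are executables by extension, by a misleading double extension (‘cv.pdf.exe’), or by content, since a Windows PE file starts with the two bytes ‘MZ’ whatever its name. The archive, its file names and the policy threshold are constructed for the example; the real attachment's file names are not given in the post.

```python
"""Added example (not part of the original post or Tesorion's tooling): flag
executables inside a .zip attachment such as the 'CV' described above."""
import io
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".jse", ".wsf"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".odt", ".rtf", ".txt"}


def _extensions(name):
    """Lower-case extensions of a file name: 'CV.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:]]


def suspicious_entries(zip_bytes):
    """Return [(entry_name, reason), ...] for entries that look like executables.
    Only the first two bytes of each entry are read, so a large (or zip-bomb)
    archive is never fully decompressed just to classify it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            reasons = []
            if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + exts[-1])
            if (len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS
                    and exts[-1] in EXECUTABLE_EXTENSIONS):
                reasons.append("document extension followed by executable extension")
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ":
                reasons.append("content starts with MZ (Windows PE header)")
            if reasons:
                findings.append((info.filename, "; ".join(reasons)))
    return findings


def build_sample_attachment():
    """Constructed sample archive (hypothetical names): a harmless text letter, a
    PE file posing as a PDF CV, and a PE file whose name hides the executable
    nature entirely. The 'MZ' payloads are header stubs, not real programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Motivatiebrief Beatrix.txt", "Geachte heer/mevrouw, ...")
        zf.writestr("CV Beatrix.pdf.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        zf.writestr("Bijlage.pdf", b"MZ" + b"\x00" * 30)
    return buf.getvalue()


def should_quarantine(zip_bytes):
    """Policy used in this example: one executable inside an archive attachment
    is enough to hold the message for review."""
    return bool(suspicious_entries(zip_bytes))


if __name__ == "__main__":
    for name, why in suspicious_entries(build_sample_attachment()):
        print(f"{name}: {why}")
```

The content check matters more than the extension check: a gateway that only blocks ‘.exe’ is bypassed by renaming, whereas the ‘MZ’ header has to be present for Windows to run the file at all.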
Like earlier versions, the Sodinokibi variant from this recent spam email tries to contact a long list of servers. In the rest of this blog post we discuss how we used this behaviour to gain insight into the worldwide spread of Sodinokibi infections.
Use of legitimate domains
Sodinokibi tries to contact a considerable list of servers. This list is part of the malware's configuration and can therefore differ per binary. The same data are sent to every server on the list, each time to a randomly generated URL (see Tesorion's earlier analysis). These data contain information about the infected system.
Tesorion's earlier analysis shows that the malware ignores any reply from the servers to which it sends the data. We think the malware sends this information so that the criminals can gauge the number of infected systems, and thus the success of the campaign with which the malware was distributed.
Remarkably, the list consists mostly of apparently legitimate domains. We expect the list to contain one or more domains where the sent data are actually received, but these are hard to identify among the many legitimate but relatively unknown domains on the list. As a result, the individual servers on the list cannot be used as indicators of compromise (IoCs) either: a single request for one of these domains is usually ordinary traffic.
We occasionally see malware use legitimate domains because those domains have been hacked and, in addition to their normal function, host a command & control server on a specific URL. Because Sodinokibi generates random URLs, however, we think it unlikely that the legitimate domains on the list have been hacked; rather, they serve as a distraction to conceal the actual C&C server.
Sodinokibi infections worldwide
The use of many different, probably legitimate domains means that a Sodinokibi infection generates a remarkably large number of DNS requests. Moreover, the specific combinations of domains that we found in Sodinokibi configurations rarely occur in the normal traffic of non-infected systems. A single variant of the ransomware, for instance, requests domains under many different country-code TLDs, including .de, .nl, .uk, .es, .ru and .br. The use of so many different domains and TLDs makes it harder to determine which domains are actually in the hands of the criminals and which are only there as a distraction. This approach has a flip side, however: every TLD has an administering party, such as SIDN for .nl, and each TLD administrator has, by virtue of its position, good insight into the worldwide use of the domains under that TLD.
Because many Sodinokibi variants use, among others, a lot of .nl domains, we decided to examine whether the data these requests leave behind can be used to obtain a picture of infections with these variants worldwide. To this end, we examined sampled, anonymised logs of the .nl name servers, searching specifically for requests for the .nl domains used by Sodinokibi. The IP addresses of the resolvers that made these requests were removed from the data set because of their potential privacy impact; we did, however, keep the country and AS number (which identifies the owner of the network) of each resolver. In this way we wanted to gain insight into the worldwide spread of Sodinokibi. Identifying the exact infected systems, or even their exact number, was not our objective, nor is the anonymised data set suitable for that.
The first step was cleaning the data. Some resolvers regularly request a very large number of domains, and consequently also the specific Sodinokibi .nl domains; examples are the resolvers used by web crawlers or large email services. We removed these from the data set. By then looking for resolvers that request a disproportionately large share of the .nl domains that Sodinokibi infections also request, while those domains have nothing to do with each other at first glance, we obtain a picture of resolvers that are probably used by infected systems. From the end of April onwards we see a strong increase in such resolvers in the data set, which roughly coincides with the first discovery of the Sodinokibi ransomware.
Our results rest on two assumptions. First, most systems use the resolver of their own network, so that the network and country of a resolver indicate the network and country of the actual infections. Second, each infection requests all domains on a single day only, so requests on different days belong to different infections; this was the behaviour of all variants Tesorion analysed. We realise that these assumptions will not always hold, but for the kind of insight we are after they are good enough.
By grouping resolvers per network (AS number), we prevent several resolvers that an infected system selects round-robin, for instance, from being wrongly counted as multiple infections. By then looking at the number of distinct AS numbers per day, we obtain a fairly good picture of the countries and networks affected by Sodinokibi.
To get an idea of how many different networks were infected per country, we counted the number of AS numbers with suspected infections per country; see the graph below. It is striking that South Korea is in the top 10 by number of affected AS numbers. This is another hint of a relationship between GandCrab and Sodinokibi, because, according to Krebs, an earlier GandCrab spam campaign targeted that country.
An infection requests all host names once only; hence, if an AS number has infections on multiple days, each of those days shows a peak in the number of Sodinokibi host names requested. If we count, for every AS number, the number of days with an infection and sum this per country, we obtain a picture of the worldwide spread of this ransomware. We did this for both May and June, as shown in the world maps below. Over time, Sodinokibi clearly becomes more widespread.
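The procedure described in the preceding paragraphs (clean out bulk resolvers, score resolvers per day against the Sodinokibi .nl domain set, collapse resolvers to AS numbers, then count networks and AS-days per country) can be written down compactly. The block below is an added example, not the analysis code of SIDN Labs or Tesorion, and runs over a constructed, anonymised query log. Every domain name, resolver token, AS number, country and threshold in it is made up for the example; the four ‘sdk-*.nl’ names stand in for the .nl domains taken from a real Sodinokibi configuration, and the two thresholds (more than 20 distinct domains marks a bulk resolver, half of the domain set marks a suspect day) are illustrative choices rather than the ones used in the research. It also illustrates the point made earlier that a single request for one of these domains is not a useful indicator, while the combination is.

```python
"""Added example (not the SIDN Labs/Tesorion analysis code): a toy version of the
infection-counting procedure described in the post, over a constructed log."""
from collections import defaultdict
from typing import NamedTuple

# Hypothetical stand-ins for the .nl domains found in a Sodinokibi config.
SODINOKIBI_NL = {"sdk-a.nl", "sdk-b.nl", "sdk-c.nl", "sdk-d.nl"}


class Query(NamedTuple):
    day: str        # YYYY-MM-DD of the request
    resolver: str   # anonymised resolver token; the IP itself is not kept
    asn: int        # AS number of the resolver's network
    country: str    # country of the resolver
    qname: str      # .nl domain that was requested


def remove_bulk_resolvers(queries, max_distinct_domains):
    """Step 1: drop resolvers that request an unusually large number of distinct
    domains overall (web crawlers, large mail services). They hit the Sodinokibi
    domains by sheer volume, not because of an infection."""
    seen = defaultdict(set)
    for q in queries:
        seen[q.resolver].add(q.qname)
    bulk = {r for r, names in seen.items() if len(names) > max_distinct_domains}
    return [q for q in queries if q.resolver not in bulk]


def suspect_resolver_days(queries, min_fraction):
    """Step 2: per day, flag resolvers that requested at least min_fraction of the
    Sodinokibi domain set. A fraction rather than the full set is used because the
    logs are sampled. Grouping per day encodes the assumption that an infection
    requests all domains on a single day. Returns {(day, resolver, asn, country)}."""
    hits = defaultdict(set)
    where = {}
    for q in queries:
        if q.qname in SODINOKIBI_NL:
            hits[(q.day, q.resolver)].add(q.qname)
            where[(q.day, q.resolver)] = (q.asn, q.country)
    out = set()
    for (day, resolver), names in hits.items():
        if len(names) / len(SODINOKIBI_NL) >= min_fraction:
            asn, country = where[(day, resolver)]
            out.add((day, resolver, asn, country))
    return out


def as_days(suspects):
    """Step 3: collapse resolvers to (day, asn, country), so that several resolvers
    of one network used round-robin by an infected host count as one infection."""
    return {(day, asn, country) for day, _resolver, asn, country in suspects}


def networks_per_country(as_day_set):
    """Distinct AS numbers with at least one suspected infection, per country."""
    per_country = defaultdict(set)
    for _day, asn, country in as_day_set:
        per_country[country].add(asn)
    return {c: len(asns) for c, asns in per_country.items()}


def as_days_per_country(as_day_set, month):
    """Sum over all AS numbers of their infection days, per country, within one
    month ('YYYY-MM'). This is the quantity behind the world maps."""
    totals = defaultdict(int)
    for day, _asn, country in as_day_set:
        if day.startswith(month):
            totals[country] += 1
    return dict(totals)


def build_sample_log():
    """Constructed log: a crawler that requests everything; two round-robin
    resolvers of one Dutch network infected on the same day and that network
    infected again a week later; a Korean and a second Dutch network in June; and
    a German resolver that touches only one Sodinokibi domain (not an infection)."""
    log = []
    log += [Query("2019-05-02", "crawler", 1000, "US", f"site{i}.nl") for i in range(26)]
    log += [Query("2019-05-02", "crawler", 1000, "US", d) for d in sorted(SODINOKIBI_NL)]
    log += [Query("2019-05-03", "nl-r1", 2000, "NL", d) for d in ("sdk-a.nl", "sdk-b.nl", "sdk-c.nl")]
    log += [Query("2019-05-03", "nl-r2", 2000, "NL", d) for d in ("sdk-d.nl", "sdk-a.nl")]
    log += [Query("2019-05-10", "nl-r1", 2000, "NL", d) for d in sorted(SODINOKIBI_NL)]
    log += [Query("2019-06-01", "kr-r1", 3000, "KR", d) for d in sorted(SODINOKIBI_NL)]
    log += [Query("2019-06-01", "kr-r1", 3000, "KR", "webshop.nl")]
    log += [Query("2019-05-05", "de-r1", 4000, "DE", d) for d in ("sdk-b.nl", "nieuws.nl", "bank.nl")]
    log += [Query("2019-06-15", "nl-r3", 5000, "NL", d) for d in ("sdk-a.nl", "sdk-c.nl", "sdk-d.nl")]
    return log


def analyse(queries, max_distinct_domains=20, min_fraction=0.5):
    """Run the whole pipeline; the thresholds are illustrative, not SIDN's."""
    cleaned = remove_bulk_resolvers(queries, max_distinct_domains)
    per_as_day = as_days(suspect_resolver_days(cleaned, min_fraction))
    return {
        "networks_per_country": networks_per_country(per_as_day),
        "may": as_days_per_country(per_as_day, "2019-05"),
        "june": as_days_per_country(per_as_day, "2019-06"),
    }


if __name__ == "__main__":
    for key, value in analyse(build_sample_log()).items():
        print(key, value)
```

On the sample log the cleaning step matters: without it the crawler shows up as a ‘US infection’ on 2 May, and the two round-robin Dutch resolvers on 3 May would otherwise be counted twice. The German resolver that requests just one of the four domains is never flagged, which is the IoC point from earlier: individual domains are ordinary traffic, the combination is the signal.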
Sodinokibi infections have hit a considerable number of organisations in recent months. The ransomware is distributed both manually within organisations that have already been hacked and directly via spam, in the hope of reaching a careless recipient. The quality of the spam email analysed by Tesorion is high; it is crystal-clear that ample attention was paid to detail in order to make the email look as legitimate as possible.
The way Sodinokibi uses a large list of apparently legitimate domains enables us to gain insight into worldwide infections. Because of how DNS works and its unique position as administrator of the .nl domain, SIDN has good insight into the networks all over the world from which specific .nl domains are requested. By combining these data from SIDN with Tesorion's knowledge of the domains used by Sodinokibi, together we obtain a better picture of the spread of Sodinokibi infections across countries and networks. This yields interesting insights that in turn contribute to protecting our users and keeping the .nl domain free from abuse.
Many ransomware families exploit software vulnerabilities to get onto a computer, so it is very important to keep operating systems and software up to date. Note, though, that the email described above needs no vulnerability at all: the ransomware runs because the recipient opens the attached executable. Spam filters, firewalls and endpoint protection reduce the risk further, and a mail gateway that blocks executables inside archive attachments would have stopped this particular email. These measures do not catch everything, so human vigilance remains important: be careful when opening links and do not open attachments from spam.
It is also very wise to make regular back-ups, and to keep at least one copy offline or otherwise out of reach of the systems being backed up, so that a ransomware infection cannot encrypt the back-up as well. In the unfortunate event that files are encrypted, you can then restore the back-up and limit the damage.