Skip to content

Blog

How Barac Can detect Sodinokibi Ransomware

January 13, 2020

Executive Summary:

A new type of ransomware dubbed Sodinokibi is hitting large organisations and government. Sobinokibi is highly evasive, and takes many measures to prevent its detection by antivirus and other solutions.

The authors of Sodinokibi have previously been connected to the same authors of the prolific GandCrab ransomware, which was recently retired. GandCrab is responsible for 40% of all ransomware infections globally. If the association is accurate, GandCrab sets a good example for just how impactful Sodinokibi may become.

Ransomware remains a huge business risk to organisations in many vectors. Highly evasive ransomware such as Sodinokibi and GandCrab are the cause of huge damage to organisations each year.

Context:

  • Initially, most of the Sodinokibi attacks were observed in Asia. Recently it moved to Europe and the US to hit MSSPs and big targets
  • When the Ransomware first emerged, it exploited vulnerabilities in servers and other critical assets of SMBs. As time went by, we saw other infection vectors such as phishing and exploit kits
  • Sodinokibi is very evasive and uses TOR or HTTPS to hide their activity. all the websites used by the attackers as Command and Control (C&C) are legitimate domains or IPs that has been hacked and used by the Sodinokibi group

How Barac can detect Sodinokibi

Sodinokibi is a very sophisticated and clever attack. The attack use encryption and adopted common traffic patterns and profiles to mask its action. The victims are large MSSPs, government and leading organisations such as Travelex.  

Barac ETV – Encrypted Traffic Visibility platform help you detect Sodinokibi in real time and instantly without decrypting the traffic using TLS/SSL metadata combined with machine learning and behaviroal analytics in real time to detect abnormal activity.

Sodinokibi developed a tactic to hide by changing the behaviour of the traffic. It is also impossible to detect using JA3

Here are some of the metrics that the Barac platform uses to detect Sodinokibi or similar attacks:

  • The Host (SNI), Cert Issuer as well as Cert Subject were null
  • The Host (SNI) uses a different name than the name for the certificate making the Chain non trusted
  • The ransomeware uses always a weak protocol (SSL V0 or V3) and the same elliptic curve / bytes distribution,
  • The certificate is Self-Signed
  • The Cert was less than 3 days old with sometimes a few hours old

The reason Barac is able to detect highly sophisticated attack, even APT without never seeing them before is due to our understanding of normal traffic flows and highlighting traffic flows outside this norm., This may sound simple, but in fact we use over 200 different metrics and look at their interactions and changes relative to each other over time to be able to detect these attacks.