Research Saturday 11.16.19
Ep 111 | 11.16.19

Sodinokibi aka REvil connections to GandCrab.


Dave Bittner: [00:00:02] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

John Fokker: [00:01:53] So for me, the story was – I first encountered it when we were doing our research into GandCrab.

Dave Bittner: [00:01:59] That's John Fokker. He's head of cyber investigations for McAfee Advanced Threat Research. The research we're discussing today is titled, "McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us."

John Fokker: [00:02:12] That was another ransomware version, very prolific in 2018, halfway through 2019. And at the end of GandCrab, we started to see some strange things in the affiliate structure, that people were missing. So, we were like, where are the big players? Where did they go? And at that time, actually, one of our industry peers – I think it was Cisco – they reported on Sodinokibi. They were using the WebLogic vulnerability and it caught our attention. It was like, that's interesting – they're doing some pretty sophisticated stuff and they're hitting targets. And we were also in contact with other industry peers and other companies doing IR, incident response, and the name kept popping up. Actually, I had some trouble pronouncing the name the first week when I encountered it.

Dave Bittner: [00:02:56] (Laughs)

John Fokker: [00:02:56] I think everybody does.

Dave Bittner: [00:02:58] I'm familiar with that, yes.

John Fokker: [00:03:00] Yeah, the name is in the executable, and it's – the actors themselves call it REvil, or REvil, from Resident Evil – that's what we think. But that's when it first popped up, I think a couple of months, maybe – yeah, a couple of months after or shortly after GandCrab died down, it really came up. And then it popped the headline news that it was targeting MSPs – managed service providers – and then it really caught our attention. We were like, well, we need to do something better at digging deeper into this, because it has similarities to GandCrab that we saw – what is going on? We were curious to see what was behind Sodinokibi.

Dave Bittner: [00:03:35] Let's describe what we're talking about here. What is the basic functionality and purpose of Sodinokibi?

John Fokker: [00:03:42] Well, it's ransomware, and the basic purpose is extortion. So they are hunting for victims, infecting victims. And what they do a little bit differently from the run-of-the-mill is that they try to infect a lot of victims within one network. So, one of their specific targets, as I mentioned before, MSPs, managed service providers, so they would try to go after a managed service provider, try to infect the managed service provider completely. They can do that using legitimate tools or pentest tools that you see.

John Fokker: [00:04:13] And when they've gained full control through the managed service provider, they try to reach out to their customers as well. So you have one node to many nodes, and then they infect them all at once. And by doing so, they get a really, really large victim base and they have to pay up a big amount – either the victims pay themselves or, they're evil enough, they also offer a price to the MSP, which is much, much higher – mostly tenfold higher – to get their data back. And they know who they are infecting, so they have knowledge of the victims to a certain extent.

Dave Bittner: [00:04:49] And what are you tracking here in terms of who they're targeting? Does it seem like they're focusing on anyone in particular?

John Fokker: [00:04:56] We've seen all things across the board, from – you might have seen in the headline news the Texas municipalities, all the way to an MSP that's catering to dentist practices. But on the other end of the scale – that's what we wrote about in one of our blogs – we also run a network of honeypots and they managed to infect our honeypots as well. And that's also one of the reasons why – what got our attention. And these honeypots had an RDP weakness in them. So you would be able to break in by brute forcing the RDP credentials. And we saw Sodinokibi dropped in there as well.

Dave Bittner: [00:05:29] Well, let's walk through it together. There's a section here in your research about reversing the code. Can you take us through step-by-step what's going on?

John Fokker: [00:05:38] There's a lot of similarity to a lot of other ransomware versions. So they do the language check and they check for certain languages, and if that language pack is installed or that keyboard setting is installed – for instance, former Soviet Union countries, we call them CIS countries – they wouldn't encrypt that system. Interestingly enough, Sodinokibi also has Romanian, or the Moldovan language pack, which is currently used a lot in Romania as well, as well as Iran and Syria. Syria we saw with GandCrab. And Iran is also interesting. We believe that it has to do with the affiliates, that they can select, well, I don't want my sample to encrypt any of my fellow countrymen – that's probably to evade prosecution.

Dave Bittner: [00:06:21] Hmm.

John Fokker: [00:06:20] And when it does all the checks and balances, it will drop the virus. It's interesting that we could also see that they pulled down PowerShell code. They have all kinds of methodologies. We've seen several things. And they would lock down your whole system, and they're relatively quick in doing so, too. When they'd start to encrypt it, they'd build a configuration file, and that configuration file has all the details for the virus. And that configuration file we are able to extract, and we can get some other telemetry from it. And it will tell you like, OK, what files to exclude. What are the command-and-control server addresses to reach out to? What is the affiliate ID? What's the campaign ID? And things like that.

John Fokker: [00:07:01] When we compare it, it has – to GandCrab, because that was the other competitor – we see similarity to the way URLs are generated. And that has a very, very similar function, almost identical, to the one that's in GandCrab's. That was for us an interesting observation, too.

Dave Bittner: [00:07:18] Is the notion here that perhaps the folks who developed this had access to the source code for GandCrab?

John Fokker: [00:07:25] Yeah, you phrased it absolutely right. There's a lot of speculation going on between all the vendors, because everybody wants to state it, and I understand it. And, from McAfee – and I have to say, this is, we've done extensive research, the whole team – we've toned this down. And you stated it absolutely correctly. There are functions within Sodinokibi that show a high similarity with GandCrab, and that could indicate that at some point they had either access to the source code, which could be the case, or some people will go so far as to say they are former developers. But we don't have all those answers. But based on that, we do think that there has been some kind of sharing, would be indicating voluntarily, but that there is a code overlap. So at some point in time, they have to have had access to portions of the code of GandCrab.

Dave Bittner: [00:08:13] It also has the functionality that it can work as a wiper.

John Fokker: [00:08:18] Yes, that is a function you could program in your config file and then it wipes stuff, but that is detrimental to the whole ransomware campaign. Sodinokibi actually is proud of the fact that their decryptor works really well, so if you wipe stuff, you won't get it back. And that's not in the interest of the actor, but it could hint at destructive purposes, so you could repurpose Sodinokibi for even more evil deeds.

John Fokker: [00:08:46] But the indication that we have seen, it's mostly focused on financials, so there has always been the possibility to get your files back. And they're proud of that, too, because a lot of ransomware – their decryptor doesn't work right. I think the last time we spoke, we spoke about Ryuk, that had a lot of mistakes in it. And so, Sodinokibi is actually proud, like, hey, if you pay us, you'll get your files back. We have a hundred percent, or near a hundred percent guarantee of decryption.

Dave Bittner: [00:09:10] It's interesting to think about the criminals hanging their hat on that, taking pride in their work in that sort of way.

John Fokker: [00:09:16] It is a very interesting dynamic, yes. (Laughs)

Dave Bittner: [00:09:20] In terms of the encryption itself then, what's going on under the hood? And what, in your estimation, is the level of sophistication that they're using here?

John Fokker: [00:09:28] Under the hood, it's very solid. We've been looking at GandCrab for a while. That was quite solid as well. We actually managed to build several vaccines. And for GandCrab, there were several decryptors. Their ransomware, their use of encryption – they know what they're doing. It's powerful. We haven't found any flaws yet and there's no public decryptors out there. So they know their stuff. They're good, in that case.

Dave Bittner: [00:09:53] And what are they doing in terms of obfuscation and hiding themselves as they're going about their business?

John Fokker: [00:10:00] Well, it has several functions to do that. One of the interesting things is that it downloads the actual payload – we see it going back to a pastebin site. So it doesn't even – when you get infected first – it doesn't directly get delivered on your system, but your computer beacons out to a pastebin site and pulls down the code from there. It has some privilege escalation techniques. It has several other functions. One of the privilege escalation techniques is CVE-2018-8453 – Heaven's Gate.

John Fokker: [00:10:29] They're really on point. They do some pretty good stuff. And I'm not the most technical one. I have to admit – one that we have – that's why it's a team effort – our team is – we have some really talented reversers, and he as well, said, like, wow, I've looked at GandCrab and at other ransomwares, but these guys know what they're doing. They obfuscate strings inside their malware, all kinds of little tricks, just to make it a little bit harder for our own reversers.

Dave Bittner: [00:10:55] And in terms of people protecting themselves against this, what are your recommendations?

John Fokker: [00:11:00] I would suggest getting a good AV. We do see that RDP is heavily targeted, so make sure your RDP access – if you have it – is locked down or no access. Make sure to update and patch it, that you're not vulnerable to the latest exploit – the CVE-2019 – was it, I think 0708? The BlueKeep vulnerability – I'm doing it just from the top of my head.

Dave Bittner: [00:11:26] Mm-hmm.

John Fokker: [00:11:27] And if you have managed service providers, because they predominantly target businesses, have that frank discussion with your MSP and say, hey, how are you accessing my network? Are you using multifactor authentication, or are you just jumping in on a high-privileges account? These are things that I think are very important. Take a close look at the people who you trust within your network, within your organization, who you work with, your suppliers, and see how their security system is set up.

John Fokker: [00:11:55] And backups. Obviously, backups. Predominantly offsite, when you have them, and have some backups not connected to the network. And the most essential stuff that you have to run your business, back that up and store it, because these actors, they know where to look. If you have backups that are connected to the network, they know where to find them.

Dave Bittner: [00:12:12] Do you have any sense for the growth of this? In other words, is the proliferation of Sodinokibi increasing, or are they staying about the same? Are they decreasing? How successful do you suppose they are?

John Fokker: [00:12:26] They're really successful. In one of our other blogs, we traced the income of a couple of actors, affiliates who openly stated that they're working for a new ransomware version, and we put two and two together that it has to be Sodinokibi. That is scary. It's about three hundred thousand dollars in one weekend. And one of the actors had a – well, I can call it a cold store – it's ransomware savings, and that was exceeding four-and-a-half million dollars. So we're dealing with people with deep pockets. That's a scary, scary thought – that they have that type of stuff. And it's not slowing down. I look at the actors on the forums and sometimes they say, well, OK – the developers might say, well, we'll take a break, or we need new people to join our program. But judging from and speaking to my industry peers, we see it come back and come back. And it's often in the headlines. And that's a worrisome thought – that they're successful at what they do.

Dave Bittner: [00:13:22] Yeah, it's interesting to me that – how ransomware has become sort of part of the ecosystem. It doesn't seem like it's going anywhere.

John Fokker: [00:13:30] No, no. Extortion is one of the oldest crimes, and I think one of the earliest forms of ransomware, they actually made you do a money transfer or a wire transfer to a bank account in Panama. I think that was the AIDS ransomware. With the Bitcoin coming, we had the first affiliate programs with CryptoWall and CTB Locker. And now we see that there's more – with SamSam, the more targeted attacks are coming.

John Fokker: [00:13:55] And we're dealing with a maturity curve with the actors that are – it used to be that the actors trying to spread out the ransomware are not the most sophisticated, but we see a maturity curve with them as well. They're getting better and better at using exploits for remote management software to infect complete networks and systems. They have RDP cracking crews, as we call them. So they outsource the labor to other people who en masse try to break in computer systems by brute forcing RDP credentials. And from there, they actually act as a legitimate pentesting team, almost. Like, I run a red team within McAfee, and they do – they launch similar techniques and they use similar tools, as my team does, just in order to get a better feel of the network, get all of the high privileged accounts, get complete control. And when they have that control, then they can launch their attacks. So it is evolving. It's scary. And I'm worried where it's going.

Dave Bittner: [00:14:54] Yeah. As you look towards the horizon, what do you see? Where do you suspect we are going?

John Fokker: [00:14:59] If you look at the horizon, right now, we see from where we have the spray-and-pray attacks, where there's one system infected. Now they're going to a whole network. The attention on local governments and on corporate networks, I think in the short term or near future, I think an additional thing would be that they will try to milk that network even more. So, before encrypting it, exfiltrating data, then encrypting it, and then later on, if it's sensitive information or it's information at the end of the quarter, turn back to the company and say, OK, we've got this sensitive information for you. We stole this and we want to disclose this, so you have to pay us again – something like that.

John Fokker: [00:15:40] Or because they are on a network and exposed to a lot of sensitive and maybe personal data, use – harvest credit cards of other – and that's already happening on a smaller scale with other ransomware versions as well – harvest credit card credentials and all these things from the users on the network. So you could be an employee and all of a sudden you get a fraud charge on your card, and then two days or three days later, Sodinokibi hits, for instance. I think that's the stuff we might be seeing in the future.

Dave Bittner: [00:16:12] Our thanks to John Fokker from McAfee for joining us. The research is titled, "McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-service – What The Code Tells Us." We'll have a link in the show notes.

Dave Bittner: [00:16:26] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:16:35] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:16:41] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.