Attackers Scanning for POS Software in New Sodinokibi Ransomware Campaign
Sodinokibi ransomware is being used to target credit card and point of sale (POS) terminal software. The goal of this cyber attack variation is not yet clear. So far, this cyber attack has targeted businesses in the services, food, and healthcare sectors according to a report by cyber security researchers at Symantec’s Threat Intelligence team.
The attackers are targeting large corporations that can afford the large ransoms the Sodinokibi threat actors typically demand. In January, ZDNet reported that Sodinokibi's average ransom demand was $260,000. It is not yet clear whether the attackers are scanning for POS software in order to steal payment information from it or simply to encrypt those systems along with the rest of the network.
“The attackers are aiming to make a lot of money – for victims infected with Sodinokibi, the ransom requested is $50,000 in the Monero cryptocurrency if paid within the first three hours and $100,000 after that,” says the report from Symantec.
Monero is a cryptocurrency that is more difficult to trace than Bitcoin is.
The attackers are using Cobalt Strike, a commercial penetration-testing toolkit that is widely abused by criminals and that Symantec classes as commodity malware, to deliver the targeted Sodinokibi ransomware to compromised networks. Both payloads were hosted on legitimate services: the paste site Pastebin and Amazon's CloudFront content delivery network. This is done so that the download traffic looks like ordinary use of well-known services and is more likely to pass through malware detection unchallenged.
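Defenders cannot simply block Pastebin or CloudFront, so the practical check is on who fetches what from those hosts. The following Python script is an added example, not code from the Symantec report or this article: it runs simple heuristics over constructed proxy log lines (the client addresses, paths, CloudFront subdomains and user agents are made up for the example and are not indicators from the report), flagging raw-paste fetches and executable content pulled from a shared CDN domain, and noting when the requesting user agent is a script rather than a browser. The log format is an assumption (space-separated client, method, URL, status, size, content type, then the user agent).

```python
"""Flag suspicious downloads from legitimate hosting services in proxy logs.

Added example with constructed data; hostnames, paths and user agents below are
illustrative and are not indicators from the Symantec report.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample log: client method url status bytes content-type user-agent
SAMPLE_LOGS = """\
10.0.0.12 GET https://pastebin.com/raw/AbCdEf12 200 48213 text/plain Mozilla/5.0 (Windows NT 10.0; Win64; x64) WindowsPowerShell/5.1.19041.1
10.0.0.12 GET https://d111111abcdef8.cloudfront.net/assets/update.exe 200 1204871 application/octet-stream Mozilla/5.0 (Windows NT 10.0; Win64; x64) WindowsPowerShell/5.1.19041.1
10.0.0.33 GET https://pastebin.com/AbCdEf12 200 91221 text/html Mozilla/5.0 (Windows NT 10.0) Chrome/83.0
10.0.0.45 GET https://d222222abcdef8.cloudfront.net/css/site.css 200 8120 text/css Mozilla/5.0 (Windows NT 10.0) Firefox/77.0
10.0.0.51 GET https://pastebin.com/raw/ZzYyXx99 200 3021 text/plain curl/7.68.0
"""

WATCHED_HOSTS = {"pastebin.com"}                 # exact hosts to examine
WATCHED_SUFFIXES = (".cloudfront.net",)          # shared CDN domains anyone can serve from
EXECUTABLE_EXT = re.compile(r"\.(exe|dll|ps1|vbs|js|hta|bat|scr)$", re.IGNORECASE)
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
SCRIPTED_UA = ("powershell", "curl/", "wget/", "python-requests", "bitsadmin")


@dataclass
class Finding:
    client: str
    url: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line; the user agent is the remainder and may contain spaces."""
    parts = line.split(None, 6)
    if len(parts) < 7:
        return None
    client, method, url, status, size, ctype, ua = parts
    return {"client": client, "method": method, "url": url, "status": status,
            "size": size, "content_type": ctype.lower(), "user_agent": ua}


def is_watched_host(host: str) -> bool:
    host = host.lower()
    return host in WATCHED_HOSTS or host.endswith(WATCHED_SUFFIXES)


def analyze(record: Dict[str, str]) -> Optional[Finding]:
    """Apply the heuristics to one parsed record; None means nothing to report."""
    url = urlsplit(record["url"])
    host = (url.hostname or "").lower()
    if not is_watched_host(host):
        return None
    reasons: List[str] = []
    # /raw/ is what scripts fetch; a browser viewing a paste loads the HTML page instead.
    if host == "pastebin.com" and url.path.startswith("/raw/"):
        reasons.append("raw paste fetched (download, not a page view)")
    # Executable bytes from a CDN bucket that any customer can populate.
    if host.endswith(WATCHED_SUFFIXES) and (
        EXECUTABLE_EXT.search(url.path) or record["content_type"] in BINARY_TYPES
    ):
        reasons.append("executable content served from a shared CDN domain")
    if not reasons:
        return None
    ua = record["user_agent"].lower()
    if any(token in ua for token in SCRIPTED_UA):
        reasons.append("non-browser user agent: " + record["user_agent"])
    return Finding(record["client"], record["url"], reasons)


def scan(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious line, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        finding = analyze(record)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.client} -> {f.url}")
        for reason in f.reasons:
            print("   ", reason)
```

Expect false positives: developers fetch raw pastes and plenty of legitimate installers ship from CloudFront, so this is an alerting heuristic to be joined with process-creation telemetry on the client, not a blocking rule.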
Sodinokibi, also known as REvil and Sodin, is ransomware that targets enterprise organizations. The number of cyber attacks using this malware increased by 62 percent last year. One of its most high-profile attacks knocked the foreign exchange service Travelex offline for a month; Travelex ultimately paid $2.3 million in ransom to restore its operations.
The hackers behind REvil are believed to be the same threat actors who ran the GandCrab ransomware. GandCrab was spread through spam emails and exploit kits and targeted individuals and businesses running Microsoft Windows; the GandCrab operation has since shut down.
Like the Maze ransomware hackers, the Sodinokibi hackers threaten to sell victims' data online if their ransom demands are not met. Earlier this month, the REvil hackers set up the first dark web auction site for selling stolen data to the highest bidder; the initial lot was data stolen from the Canadian agricultural company Agromart Group. Ahead of such an auction, the hackers typically leak part of the stolen data online as proof before the rest is put up for bidding.
Sodinokibi is also believed to operate as ransomware-as-a-service (RaaS). In a RaaS scheme, the developers maintain the malware code and rent it to other criminals, called affiliates, who carry out their own cyber attacks; the proceeds are split between the affiliates and the developers. GandCrab was also run as a RaaS operation.