HKCert
Security Blog

Beware of Sodinokibi Ransomware

Release Date: 30 / 04 / 2019
Last Update: 30 / 04 / 2019

HKCERT recently observed a new ransomware named "Sodinokibi" being deployed via zero-day vulnerabilities. Web application vulnerabilities are one of the known attack vectors.

What does ransomware usually do? Ransomware encrypts the victim's files, making the data unavailable, and then demands a ransom payment from the victim.


HKCERT does not recommend that victims pay the ransom. In many previous cases, the attacker did not recover the files even after the victim paid.


Sodinokibi Ransomware identifiers:

  1. A random file extension
  2. A ransom note named [random extension]-readme.txt (as shown in the screenshot)


Image Source: https://www.youtube.com/watch?v=MlfYEqAjXUE
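As an added example (not part of the HKCERT advisory), the following Python script checks a file listing for the two identifiers above: a ransom note named <extension>-readme.txt sitting next to files that carry that same random extension in the same directory. The note-name regex and the sample paths are constructed assumptions, not indicators from a real incident.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Ransom note naming pattern from the advisory: "<random extension>-readme.txt".
# The character class allowed for the extension is an assumption.
NOTE_RE = re.compile(r"^([0-9a-z]+)-readme\.txt$", re.IGNORECASE)


def find_sodinokibi_indicators(paths):
    """Return {directory: [extensions]} for each directory holding a
    '<ext>-readme.txt' note next to files that carry that same extension.
    A note with no matching files in its directory is not reported, so a
    lone '*-readme.txt' (e.g. a project README) does not trigger a hit."""
    notes = defaultdict(set)   # directory -> extensions named by candidate notes
    exts = defaultdict(set)    # directory -> extensions of the other files
    for p in paths:
        path = PurePosixPath(p)
        parent = str(path.parent)
        m = NOTE_RE.match(path.name)
        if m:
            notes[parent].add(m.group(1).lower())
        elif path.suffix:
            exts[parent].add(path.suffix[1:].lower())
    hits = {}
    for directory, note_exts in notes.items():
        matched = note_exts & exts[directory]
        if matched:
            hits[directory] = sorted(matched)
    return hits


# Constructed sample file listing (not real data from an incident).
SAMPLE_PATHS = [
    "/srv/www/html/index.php.k7h2x9",
    "/srv/www/html/config.php.k7h2x9",
    "/srv/www/html/k7h2x9-readme.txt",
    "/srv/www/uploads/photo.jpg",
    "/home/user/docs/report.docx",
    "/home/user/docs/README-readme.txt",  # note-like name, but no file carries ".readme"
]

if __name__ == "__main__":
    for directory, found in find_sodinokibi_indicators(SAMPLE_PATHS).items():
        print(f"possible Sodinokibi activity in {directory}: extension(s) {found}")
```

Feed it the output of a recursive file listing (e.g. one path per line from a web root) to flag directories that show both indicators together.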


To mitigate the potential problem, you can:

  1. Always back up your data offline and regularly.
  2. Protect your web applications (refer to The Ten Most Critical Web Application Security Risks (OWASP Top 10)).
  3. Patch your applications and systems, e.g. CMS, web server, etc.


Reference: https://twitter.com/GrujaRS/status/1122031871033057280