Friday, April 19, 2024

New Sodin Ransomware Exploits Windows Vulnerability to Elevate Privilege and Lock All the Files

By Balaji

New Sodin Ransomware Exploits Windows Vulnerability to Elevate Privilege and Lock All the Files

Researchers discovered a new Sodin Ransomware (also known as Sodinokibi) that exploits the Windows Elevation privilege vulnerability resides in the Win32k component.

Sodin ransomware initial attack spotted in April 2019 when it was distributed through an Oracle Weblogic vulnerability to attack MSP providers.

Now it turns into a new form of attack by exploiting the Windows vulnerability, and targeting victims were located in the Asia-Pacific region: Taiwan, Hong Kong, and South Korea.

Researchers named the ransomware as Trojan-Ransom.Win32.Sodin that is using the vulnerability (CVE-2018-8453) in Win32k to escalate the highest level of privileges.

The vulnerability initially reported by Kaspersky and the Microsoft fixed this vulnerability was fixed on August 17, 2018.

An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode then install programs, view, change, or delete data; or create new accounts with full user rights.

Sodin Ransomware Infection Process

Attackers configured the initial stage of Trojan distributed with encrypted form and the configuration block containing the settings and data.

Attackers employed the Salsa20 symmetric stream algorithm to encrypt the victim’s files and the keys for it with an elliptic curve asymmetric algorithm.

According to Kaspersky research, “Once the Trojan gets launched, it generates a new pair of elliptic curve session keys, in which the public key of this pair is saved in the registry under the name pk_key and the private key is encrypted using the ECIES algorithm  and stored in the registry under the name sk_key.”

Once the Sodin Ransomware starts the encryption process, it will generate the new paid of elliptic curve asymmetric keys, and the symmetric key will encrypt the victims file contents with the Salsa20 algorithm.

After the ransomware completely encryption the files, the new extension will be applied in each file and the ransom note is saved next to it while malware-generated wallpaper is set on the desktop.

Ransom Notes

Meanwhile, behalf of network communication, Trojan sends information about the infected machine to the attacker’s command and control server and the sending data is also encrypted.

Attackers instruct to pay the ransom amount by giving a website, in which victims find the step to recover the decryption key to unlock the encrypted files.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Also Read:

NCSC Issued an Emergency Alert for Ryuk Ransomware that Actively Attacks on Global Organizations

End of GandCrab – New Free Decryptor Tool that let Victims to Unlock All versions of Ransomware Infection

Ransomware Attack Response and Mitigation Checklist

Managed WAF Protection

Website

Latest articles

Vulnerability

Palo Alto ZeroDay Exploited in The Wild Following PoC Release

Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified...
Cyber Attack

FIN7 Hackers Attacking IT Employees Of Automotive Industry

IT employees in the automotive industry are often targeted by hackers because they have...
Cyber Attack

Russian APT44 – The Most Notorious Cyber Sabotage Group Globally

As Russia's invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS,...
Android

SoumniBot Exploiting Android Manifest Flaws to Evade Detection

A new banker, SoumniBot, has recently been identified. It targets Korean users and is...
cyber security

LeSlipFrancais Data Breach: Customers’ Personal Information Exposed

LeSlipFrancais, the renowned French underwear brand, has confirmed a data breach impacting its customer...
Cisco

Cisco Hypershield: AI-Powered Hyper-Distributed Security for Data Center

Cisco has unveiled its latest innovation, Cisco Hypershield, marking a milestone in cybersecurity.This groundbreaking...
Cyber Crime

Phishing-as-a-Service Platform LabHost Seized by Authorities

Authorities have dismantled LabHost, a notorious cybercrime platform that facilitated widespread phishing attacks across...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

WAAP/WAF ROI Analysis

Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

    • Book Your Spot

Related Articles

Connect with GBHackers On Security

Join 70,000 Security Professionals

Stay safe online with free daily cybersecurity updates. Sign up now!

GBHackers on security is a highly informative and reliable Cyber Security News platform that provides the latest and most relevant updates on Cyber Security News, Hacking News, Technology advancements, and Kali Linux tutorials on a daily basis. The platform is dedicated to keeping the community well-informed and up-to-date with the constantly evolving Cyber World.

Menu

Contact US:

Email : [email protected]