Summary
Sodinokibi ransomware first spotted April 2019. This ransomware way of infecting machines is by (i)exploiting the Oracle WebLogic Server vulnerability CVE-2019-2725, (ii) malicious spam campaign, (iii) exposed Remote desktop endpoints (RDPs). It has the capability of stealing computer data such as operating system version, operating system architecture, username, user’s security identification (SID), stored information such as user names, passwords and hostnames from different browsers.
Behaviors
Gathers the following data:
- User Name
- Computer Name
- Workgroup
- Systems Architecture
- Operating System
- Processor Information
Capabilities
- Information Theft
- Exploits
- Disabling usage capability
Infection Chain
Detection Coverage
File Reputation
| Detection/Policy/Rules | Pattern Branch/Version | Release Date |
|---|---|---|
| TrojanSpy.Win32.LOKI.TIOIBODR | 15.349.00 | September 7, 2019 |
| Trojan.PS1.POWALYS.A | ||
| Ransom.Win32.SODINOKIBI.AUWTL | ||
| TROJ_FRS.0NA103HK19 | ||
| Ransom.Win32.SODINOKIBI.AUWTL.note |
Predictive Machine Learning
| Detection | Pattern Branch/Version |
|---|---|
| Troj.Win32.TRX.XXPE50FFF031 | In-the-cloud |
Web Reputation
| Detection | Pattern Branch/Version |
|---|---|
| URL Protection | In-the-cloud |
Email Protection
| Detection | Pattern Branch/Version |
|---|---|
| TMASE 25044.002 | In-the-cloud |
Details
Solution Map - What should customers do?
| Trend Micro Solution | Major Product | Latest Version | Virus Pattern | Anti-Spam Pattern | Network Pattern | Predictive Machine Learning | Web Reputation |
|---|---|---|---|---|---|---|---|
Endpoint Security | ApexOne | 2019 | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
| OfficeScan | XG (12.0) | Not Applicable | |||||
Worry-Free Business Security | Standard (10.0) | ||||||
| Advanced (10.0) | Update pattern via web console | ||||||
| Hybrid Cloud Security | Deep Security | 12.0 | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
Email and Gateway Security | Deep Discovery Email Inspector | 3.5 | Update pattern via web console | Update pattern via web console | Update pattern via web console | Not Applicable | Enable Web Reputation Service and update pattern via web console |
| InterScan Messaging Security | 9.1 | Not Applicable | |||||
| InterScan Web Security | 6.5 | ||||||
| ScanMail for Microsoft Exchange | 14.0 | ||||||
| Network Security | Deep Discovery Inspector | 5.5 | Update pattern via web console | Not Applicable | Update pattern via web console | Not Applicable | Enable Web Reputation Service and update pattern via web console |
Recommendation
- Make sure to always use the latest pattern available to detect the old and new variants of Sodinokibi Ransomware. Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
- Make sure to implement the ransomware protection features and best practices. Please refer to the KB article on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.
- You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
- For support assistance, please contact Trend Micro Technical Support.
Threat Report
- Ransom.Win32.SODINOKIBI.A
- Ransom.Win32.SODINOKIBI.ASDKI
- Ransom.Win32.SODINOKIBI.AUWTH
- Ransom.Win32.SODINOKIBI.THGAOAIA
- Ransom.MSIL.SODINOKIBI.A
- Ransom.Win32.SODINOKIBI.AUWMM
- Sodinokibi Ransomware
Blog
