Woburn, MA – July 3, 2019 — /BackupReview.info/ — Today, Kaspersky researchers have uncovered a new encryption ransomware named Sodin, which exploits a recently discovered zero-day Windows vulnerability to gain elevated privileges on an infected system and takes advantage of the architecture of the Central Processing Unit (CPU) to avoid detection. This highly specialized functionality is not often seen in ransomware attacks, and the malware can be planted onto vulnerable servers by attackers without requiring any user interaction.

The malware appears to be part of a ransomware-as-a-service (RaaS) scheme, which allows distributors to choose the way in which the encryptor propagates. From the research conducted, it appears the malware is being distributed through an affiliate program in which the creators retain a loophole in the malware’s functionality that allows them to decrypt files without their affiliates knowing: a ‘master key’ that does not require a distributor’s key for decryption. This added feature is suspected to be used by the developers to control the decryption of victim data as well as the distribution of the ransomware, since cutting certain distributors out of the affiliate program makes the malware useless to them.

Additionally, Sodin was built to automatically locate vulnerable servers and send them a command to download a malicious file called “radm.exe”, which then saves the ransomware to the server and executes it locally. The ransom note left on infected PCs demands $2,500 (USD) worth of Bitcoin from each victim.

Sodin’s sophisticated design makes it even more difficult to detect, as it uses the intricate “Heaven’s Gate” technique, which is not often found in ransomware attacks: it allows a malicious program to execute 64-bit code from a running 32-bit process.

Kaspersky researchers believe that the Heaven’s Gate technique is used in Sodin for two main reasons:

  • To make analysis of the malicious code more difficult, as not all analysis tools support this technique and are therefore unable to recognize it.
  • To evade detection by installed security solutions. The technique is used to bypass emulation-based detection, a method for uncovering previously unknown threats that involves launching suspiciously behaving code in a virtual environment that emulates a real computer.
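On the detection side, the mode switch that Heaven’s Gate relies on leaves a recognizable footprint in a 32-bit code blob: a far jump, far call or far return that targets the 64-bit code-segment selector (0x33 under WoW64, where 0x23 is the 32-bit segment). The scanner below is an added example, not Kaspersky’s code or anything from the Securelist report; the sample bytes are constructed, and the function only triages raw bytes, so hits in a real binary should be confirmed by disassembling the executable section.

```python
import re
from dataclasses import dataclass

# WoW64 code-segment selectors: 0x33 selects 64-bit code, 0x23 selects 32-bit code.
CS_64 = 0x33
CS_32 = 0x23


@dataclass(frozen=True)
class GateHit:
    offset: int     # byte offset of the matched pattern in the scanned buffer
    kind: str       # which encoding matched
    selector: int   # code-segment selector the control transfer targets


# Encodings by which 32-bit code can transfer control into another code segment:
#   EA imm32 sel16   jmp far sel:imm32
#   9A imm32 sel16   call far sel:imm32
#   6A sel ... CB    push sel ; <set up return address> ; retf
_FAR_JMP = re.compile(rb"\xEA(.{4})([\x23\x33]\x00)", re.DOTALL)
_FAR_CALL = re.compile(rb"\x9A(.{4})([\x23\x33]\x00)", re.DOTALL)
_PUSH_RETF = re.compile(rb"\x6A([\x23\x33]).{0,16}?\xCB", re.DOTALL)


def scan_heavens_gate(code: bytes) -> list[GateHit]:
    """Return candidate cross-mode transfers found in a 32-bit code blob, by offset."""
    hits = []
    for m in _FAR_JMP.finditer(code):
        hits.append(GateHit(m.start(), "jmp far", m.group(2)[0]))
    for m in _FAR_CALL.finditer(code):
        hits.append(GateHit(m.start(), "call far", m.group(2)[0]))
    for m in _PUSH_RETF.finditer(code):
        hits.append(GateHit(m.start(), "push/retf", m.group(1)[0]))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample: an ordinary function prologue, then the classic gate stub
#   push 0x33 ; call $+5 ; add dword [esp], 5 ; retf
# two NOPs, and finally a direct far jump into selector 0x33.
SAMPLE = (
    b"\x55\x8B\xEC\x83\xEC\x10"                          # push ebp; mov ebp,esp; sub esp,0x10
    + b"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB"
    + b"\x90\x90"
    + b"\xEA\x78\x56\x34\x12\x33\x00"
)

if __name__ == "__main__":
    for hit in scan_heavens_gate(SAMPLE):
        print(f"offset {hit.offset:#06x}: {hit.kind} -> selector {hit.selector:#04x}")
```

Because the byte 0xEA, 0x9A or 0x6A can occur inside data, restrict scanning to executable sections and treat a match as a lead for manual review rather than a verdict on its own.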

The majority of Sodin ransomware targets were found in Asia: 17.6% of attacks have been detected in Taiwan, 9.8% in Hong Kong and 8.8% in the Republic of Korea. Additional attacks have also been observed in Europe, North America and Latin America.

“Ransomware is a very popular type of malware, yet it’s not often that we see such an elaborate and sophisticated version that uses the CPU architecture to fly under the radar,” says Fedor Sinitsyn, a security researcher at Kaspersky. “We expect to see a rise in the number of attacks involving the Sodin encryptor since the amount of resources that are required to build such malware is significant. Those who invested in the malware’s development definitely expect it to pay off handsomely.”

Kaspersky security solutions detect the ransomware as Trojan-Ransom.Win32.Sodin. The vulnerability the ransomware uses, CVE-2018-8453, had earlier been detected in the wild by Kaspersky technology, being exploited by a threat actor the researchers believe to be the FruityArmor hacking group. The vulnerability was patched on October 10, 2018.

Read the full report on Securelist.com

About Kaspersky
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com

Media Contact:
Cassandra Faro
Corporate Communications Manager

Source: Kaspersky
