Woburn, MA – July 3, 2019 — /BackupReview.info/ — Today, Kaspersky researchers have uncovered a new encryption ransomware named Sodin which exploits a recently discovered zero-day Windows vulnerability to gain elevated privileges in an infected system and take advantage of the architecture of the Central Processing Unit (CPU) to avoid detection. This highly specialized functionality is not often seen in ransomware attacks and can be planted onto vulnerable servers by the attackers requiring no user interaction.

The malware appears to be part of a ransomware-as-a-service (RAAS) scheme which allows distributers to choose the way in which the encryptor propagates. From the research conducted, it appears the malware is being distributed through an affiliate program in which the creators have access to a loophole in the malware functionality that allows them to decrypt files without their affiliates knowing; a ‘master key’ that doesn’t require a distributor’s key for decryption. This added feature is suspected to be used by the developers to control the decryption of victim data as well as the distribution of the ransomware by cutting certain distributors out of the affiliate program by making the malware useless.

Additionally, Sodin’s malware was built to instinctively locate vulnerable servers and send a command to download a malicious file called “radm.exe.” which would then save the ransomware to the server and execute it locally. The ransomware note left on infected PCs demands $2,500 (USD) worth of Bitcoin from each victim.

Sodin’s sophisticated design makes it even more difficult to detect as it uses the intricate “Heaven’s Gate” technique, which is not often found in ransomware attacks as it allows a malicious program to execute 64-bit code from a 32-bit running process.

Kaspersky researchers believe that the Heaven’s Gate technique is used in Sodin for two main reasons:

  • To make the analysis of the malicious code more difficult to detect as not all code examiners support this technique and therefore are unable to recognize it.
  • To evade detection by installed security solutions. The technique is used to bypass emulation-based detection, a method for uncovering previously unknown threats that involves launching code that is behaving suspiciously in a virtual environment that emulates a real computer.

The majority of Sodin ransomware targets were found in Asia: 17.6% of attacks have been detected in Taiwan, 9.8% in Hong Kong and 8.8% in the Republic of Korea. Additional attacks have also been observed in Europe, North America and Latin America.

“Ransomware is a very popular type of malware, yet it’s not often that we see such an elaborate and sophisticated version that uses the CPU architecture to fly under the radar,” says Fedor Sinitsyn, a security researcher at Kaspersky. “We expect to see a rise in the number of attacks involving the Sodin encryptor since the amount of resources that are required to build such malware is significant. Those who invested in the malware’s development definitely expect if to pay off handsomely.”

Kaspersky security solutions detected the ransomware as Trojan-Ransom.Win32.Sodin. The vulnerability CVE-2018-8453 that the ransomware uses was earlier detected by Kaspersky technology in the wild being exploited by a threat actor the researchers believe to be the FruityArmor hacking group. The vulnerability was patched on October 10, 2018.

Read the full report on Securelist.com

About Kaspersky
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com

Media Contact:
Cassandra Faro
Corporate Communications Manager
Cassandra.Faro@Kaspersky.com
+1-781-503-1812

Source: Kaspersrky

 

 

 

Related posts:

  1. New Kaspersky Endpoint Security for Business Delivers Enhanced Data Protection and Manageability Across All Platforms and Devices
  2. Kaspersky Lab Reports Malicious Attack Increase in Q1 IT Threat Evolution Report
  3. Dropping Elephant: Cyber-espionage Group Hunts High Profile Targets with Low Profile Tools
  4. Mine a Million: Kaspersky Lab Identifies Sophisticated Hacker Group Earning Millions through Mining Malware
  5. Kaspersky Lab Report Finds Exploit Leaks Led to Over Five Million Attacks in Q2 2017
  6. Kaspersky Lab Uncovers Critical Vulnerability in Windows OS Exploited by an Unknown Criminal Group
  7. Kaspersky Lab Quarterly Report Shows Zero-Day Exploits and Rampant ‘Ransomware’
  8. Kaspersky Lab Finds New Variant of SynAck Ransomware Using Sophisticated Doppelgänging Technique
  9. F-Secure: Software Vulnerabilities Continue to Supply Criminals with Exploits
  10. Era of Exploits: Number of Attacks Using Software Vulnerabilities on the Rise

Tags: ,