The REvil gang behind Sodinokibi ransomware is using a new tactic in its attacks. The gang is already known for compromising systems and stealing data before the ransomware payload is deployed. It had previously threatened to publish data stolen in its attacks if the ransom was not paid, and followed through on that threat for the first time in January 2020.
After gaining access to a system, the attackers move laterally and locate and exfiltrate data from servers and workstations. Once administrative access is gained to a domain controller, the ransomware payload is deployed and files are encrypted.
Symantec’s Threat Intelligence team has now observed a new tactic. REvil has been seen scanning compromised networks to locate point of sale (PoS) servers, which hold payment card data. What is not clear is whether the gang is attempting to gain access to PoS servers in order to encrypt them or to steal card data. If it is the latter, the gang would be able to sell the data easily, which would ensure the attack was profitable even if the ransom is not paid.
PoS software is used to take payment card transactions and is common in retail outlets and restaurants. PoS systems have long been a target of hackers, who infiltrate them and install malware that captures and exfiltrates card data as customers pay for goods or meals. The malware often remains on the system undetected for weeks or months before it is discovered.
While it is not unusual for the REvil gang to identify and steal sensitive data, it is unusual that they are targeting credit card data on PoS systems. That tactic is not usually seen in manual ransomware attacks.
Symantec researchers observed the gang searching for PoS systems on the networks of three companies: one in the services sector, one in food, and one in healthcare. The researchers note that the food and services sector companies were probably attacked because they were multinationals with the means to pay the ransom. The healthcare company was much smaller, and it is possible the scans were conducted to identify PoS software and steal card data in case the ransom was not paid.
The researchers identified eight attacks in the latest campaign in which Cobalt Strike had been installed on victims’ systems. The REvil gang is believed to have gained access to the networks by brute-forcing passwords for Remote Desktop Protocol (RDP) servers or by exploiting vulnerabilities in Virtual Private Network (VPN) appliances. Once access was gained, Cobalt Strike was deployed. Cobalt Strike is a legitimate, commercially sold penetration testing tool that is used to deliver and run shellcode on systems; it is widely abused by malicious actors to load their own malicious code.
The REvil gang then disabled security solutions to ensure their activities were not detected and opened remote desktop connections, which were used to launch malicious commands.
REvil used living-off-the-land techniques to move laterally, including PowerShell and a legitimate remote administration tool developed by NetSupport Ltd. Because these tools are also used by administrators, their activity blends in with normal network traffic and is less likely to trigger detection.
The REvil gang also used legitimate services to host its payloads and its command and control (C&C) infrastructure. “The attackers are using code-hosting service Pastebin to host their payload (the Cobalt Strike malware and Sodinokibi) and are using Amazon’s CloudFront service for their C&C infrastructure, to communicate with victim machines,” explained Symantec.
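The intrusion chain described in the preceding paragraphs (RDP password guessing for initial access, then script-driven retrieval of payloads from Pastebin and C&C over CloudFront) leaves two simple artefacts in host telemetry. The following is an added example, not code from the article or from Symantec, that runs two detection checks over a handful of constructed Windows events: a run of failed RDP logons (Security event 4625, LogonType 10) from one source address followed by a successful one (4624), and a script host such as powershell.exe making a network connection (Sysmon event 3) to pastebin.com or a cloudfront.net distribution. The event IDs and the LogonType value are real Windows values; every log record, IP address and hostname in the block is constructed for the example, and the threshold and window are assumptions to tune for your environment.

```python
"""Added detection example (not the article's or Symantec's code).

Two checks for the tradecraft described above, run over constructed
Windows telemetry embedded below:
  1. RDP password guessing that ends in a successful logon
     (Security event 4625 failures then 4624, both LogonType 10 =
     RemoteInteractive, i.e. RDP);
  2. a script host such as powershell.exe connecting to the hosting
     services named in the article (pastebin.com, *.cloudfront.net),
     modelled on Sysmon event 3 (network connection).
Event IDs and the LogonType value are real Windows values; the records,
addresses and hostnames are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10            # LogonType 10 = RemoteInteractive (RDP)
LOGON_FAILED, LOGON_OK = 4625, 4624
SYSMON_NET_CONNECT = 3

# Processes that normally have no business fetching content from a paste
# site or a CDN. A browser doing so is not by itself suspicious.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
                "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
PAYLOAD_HOST_SUFFIXES = ("pastebin.com", "cloudfront.net")


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _logon(time, event_id, src_ip, user):
    return {"time": ts(time), "id": event_id, "logon_type": RDP_LOGON_TYPE,
            "src_ip": src_ip, "user": user}


def _netconn(time, image, dest_host):
    return {"time": ts(time), "id": SYSMON_NET_CONNECT, "image": image,
            "dest_host": dest_host}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # six failed RDP logons from one external address, then a success
    _logon("2020-06-01 02:00:01", LOGON_FAILED, "198.51.100.7", "administrator"),
    _logon("2020-06-01 02:00:31", LOGON_FAILED, "198.51.100.7", "administrator"),
    _logon("2020-06-01 02:01:02", LOGON_FAILED, "198.51.100.7", "administrator"),
    _logon("2020-06-01 02:01:33", LOGON_FAILED, "198.51.100.7", "administrator"),
    _logon("2020-06-01 02:02:04", LOGON_FAILED, "198.51.100.7", "administrator"),
    _logon("2020-06-01 02:02:35", LOGON_FAILED, "198.51.100.7", "administrator"),
    _logon("2020-06-01 02:03:10", LOGON_OK, "198.51.100.7", "administrator"),
    # an employee mistyping a password once: below threshold, not flagged
    _logon("2020-06-01 08:15:00", LOGON_FAILED, "10.0.0.5", "jdoe"),
    _logon("2020-06-01 08:15:20", LOGON_OK, "10.0.0.5", "jdoe"),
    # PowerShell pulling from Pastebin and a CloudFront distribution is
    # flagged; a browser visiting Pastebin is not
    _netconn("2020-06-01 02:05:00", PS, "pastebin.com"),
    _netconn("2020-06-01 02:05:30", PS, "d1a2b3c4e5f6g7.cloudfront.net"),
    _netconn("2020-06-01 09:00:00",
             r"C:\Program Files\Mozilla Firefox\firefox.exe", "pastebin.com"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=15)):
    """Return (src_ip, user, success_time) for every successful RDP logon
    preceded by at least `threshold` failed RDP logons from the same
    source address within `window`. Threshold and window are assumptions."""
    failures = defaultdict(list)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("logon_type") != RDP_LOGON_TYPE:
            continue
        if ev["id"] == LOGON_FAILED:
            failures[ev["src_ip"]].append(ev["time"])
        elif ev["id"] == LOGON_OK:
            recent = [t for t in failures[ev["src_ip"]] if ev["time"] - t <= window]
            if len(recent) >= threshold:
                hits.append((ev["src_ip"], ev["user"], ev["time"]))
    return hits


def _host_matches(host, suffixes):
    # exact domain or a subdomain of it; avoids matching "notpastebin.com"
    return any(host == s or host.endswith("." + s) for s in suffixes)


def detect_payload_hosting(events, suffixes=PAYLOAD_HOST_SUFFIXES,
                           script_hosts=SCRIPT_HOSTS):
    """Return (process_name, dest_host) for each network connection a
    script host makes to one of the hosting domains in `suffixes`."""
    hits = []
    for ev in events:
        if ev["id"] != SYSMON_NET_CONNECT:
            continue
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        host = ev["dest_host"].lower()
        if name in script_hosts and _host_matches(host, suffixes):
            hits.append((name, host))
    return hits


if __name__ == "__main__":
    for hit in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print("RDP brute force followed by logon:", hit)
    for hit in detect_payload_hosting(SAMPLE_EVENTS):
        print("script host reaching payload/C&C hosting:", hit)
```

The second check is deliberately narrow: CloudFront and Pastebin carry a great deal of legitimate traffic, so the signal comes from pairing the destination with a process that should not be fetching from it, not from the destination alone. In a real deployment the same logic would be fed from Security and Sysmon event forwarding rather than an in-memory list, and the RDP threshold would be set against the observed baseline of failed logons on the server.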
Interestingly, Sodinokibi ransomware was only deployed on some of the compromised systems. Each victim attacked with the ransomware was issued a ransom demand of $50,000; if the ransom is not paid within three hours, the demand doubles to $100,000. It is unclear whether the gang has been biding its time in the other attacks and planned to deploy the ransomware at a later date, once other aims had been achieved.