Sodinokibi Ransomware Spread via Oracle WebLogic Server Exploit

A new ransomware variant named Sodinokibi is being used in attacks that exploit a recently disclosed vulnerability in Oracle WebLogic Server – CVE-2019-2725.

Oracle released an out-of-band patch to address the flaw on April 26 following several reported cases of the vulnerability being exploited in the wild. Oracle WebLogic Server is part of Oracle Middleware, which is used by many large enterprises. Even though the vulnerability is being actively exploited, many enterprises have been slow to apply the patch and are vulnerable to attack.

According to researchers at Cisco Talos, the Sodinokibi ransomware attacks started on April 21, 2019. The ransomware was first detected by security researchers a day before the patch was issued by Oracle. Sodinokibi ransomware had not been used in any attacks prior to those exploiting the Oracle zero-day vulnerability.

Sodinokibi ransomware encrypts files and hampers recovery by deleting backups. This is achieved by using the legitimate Windows tool vssadmin.exe, which is used for managing shadow copies. The attackers use vssadmin to access and delete shadow copies to prevent recovery without paying the ransom demand.

CVE-2019-2725 can be exploited remotely with no user interaction required. The threat actors behind the latest campaign have been scanning for vulnerable servers. When a server is identified, an HTTP POST request is sent to the server that contains a PowerShell command that downloads and runs the ransomware.
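The two behaviours described above (a PowerShell command launched through the WebLogic request, and shadow copy deletion with vssadmin.exe) can both be hunted for in process-creation logs. The following is an added example, not code from the original article or from Cisco Talos. It assumes Sysmon-style field names and that the WebLogic JVM runs as java.exe; the sample events, hosts and paths are constructed.

```python
import ntpath
import re

# Constructed process-creation events (field names follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"host": "wls01", "ParentImage": r"C:\Oracle\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command <constructed placeholder>"},
    {"host": "wls01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "admin01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Service"},
    {"host": "backup01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
]

JVM_PARENTS = {"java.exe", "javaw.exe"}  # assumption: WebLogic runs under one of these
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
VSS_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)


def image_name(path):
    """Lower-cased executable name from a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the names of the rules this event matches."""
    hits = []
    image = image_name(event["Image"])
    if image_name(event["ParentImage"]) in JVM_PARENTS and image in SHELLS:
        hits.append("jvm_spawned_shell")       # application server launching a shell
    if image == "vssadmin.exe" and VSS_DELETE.search(event["CommandLine"]):
        hits.append("shadow_copy_deletion")    # backups being removed
    return hits


def triage(events):
    """Group rule hits per host; a host matching both rules is the top priority."""
    per_host = {}
    for event in events:
        for rule in classify(event):
            per_host.setdefault(event["host"], set()).add(rule)
    return per_host


if __name__ == "__main__":
    for host, rules in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, sorted(rules))
```

Listing shadow copies and interactive PowerShell use by administrators are deliberately not flagged, so the two rules stay quiet on routine activity.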

In each successful attack, encrypted files are given a unique alphanumeric extension. The attackers can identify the companies they have attacked and set ransom demands accordingly. The ransom demands issued so far have varied considerably, as has the time given to pay the ransom.

Some victims have been given two days, others six. If the ransom is not paid in the allocated time frame, the ransom amount doubles. Ransom demands of $1,500 and $2,500 in Bitcoin have been reported so far.

The attacks are expected to increase due to the widespread use of Oracle WebLogic Server and the ease with which the vulnerability can be exploited. Further, CVE-2019-2725 is also being exploited to spread cryptocurrency mining malware and other malware variants. It is therefore important for the Oracle patch to be applied as soon as possible.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news