Using a network of honeypots, McAfee researchers studied the methods and techniques that Sodinokibi (REvil) ransomware affiliates use to infect victims and to compromise other devices on the network.
As part of the Sodinokibi ransomware-as-a-service, ransomware samples are tagged with affiliate IDs and sub-IDs so the operators can track which affiliate compromised a given victim and which affiliate should be paid.
These affiliate IDs also let researchers track each affiliate's behaviour and build a picture of how victims are compromised and how the attackers spread laterally across a network.
Description of the attackers
In a new report, the McAfee Advanced Threat Research team used a global network of Remote Desktop Protocol (RDP) honeypots to track three Sodinokibi affiliate groups.
These affiliates, known as Group 1, Affiliate #34 and Affiliate #19, initially compromised a device via RDP and then tried to compromise the rest of the network from that foothold.
To spread laterally, all three affiliates use mass port-scanning tools to find reachable RDP servers and then the NLBrute RDP brute-forcing tool with customised password lists to gain access to those servers.
Affiliates #34 and #19, however, showed more advanced techniques, such as custom Mimikatz batch files to harvest credentials from the network, custom scripts for clearing the Windows event logs, and scripts for creating hidden user accounts.
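The tradecraft described in the two paragraphs above (NLBrute password spraying over RDP, wiping the event logs, adding a hidden administrator) leaves a recognisable trail in the Windows Security log. The following is an added example, not code from McAfee's report, of three small detections run over a constructed set of event records. The records are hand-written dicts standing in for parsed EVTX/JSON, and the field names (`event_id`, `logon_type`, `ip`, `target_user`, `group`) are assumptions made for this example; real collectors name these fields differently. The `$`-suffix heuristic for "hidden" accounts is a common convention, not something the article attributes to these affiliates.

```python
"""Added example: detect RDP brute force, Security-log clearing and hidden-admin creation
over constructed Windows Security events (field names are assumptions for this example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Event IDs are the real Windows ones:
# 4625 failed logon, 4624 successful logon (LogonType 10 = RemoteInteractive/RDP),
# 1102 Security log cleared, 4720 account created, 4732 member added to a local group.
SAMPLE_EVENTS = [
    # NLBrute-style spray: many failures against many accounts from one IP in seconds
    *[{"time": f"2020-01-10T03:00:{s:02d}", "event_id": 4625, "logon_type": 10,
       "ip": "203.0.113.7", "user": u}
      for s, u in enumerate(["administrator", "admin", "backup", "scanner",
                             "sqladmin", "test", "user1", "jsmith"])],
    {"time": "2020-01-10T03:00:09", "event_id": 4624, "logon_type": 10,
     "ip": "203.0.113.7", "user": "backup"},
    # A legitimate user mistyping a password twice; must not fire
    {"time": "2020-01-10T08:15:00", "event_id": 4625, "logon_type": 10, "ip": "10.0.0.12", "user": "jsmith"},
    {"time": "2020-01-10T08:15:20", "event_id": 4625, "logon_type": 10, "ip": "10.0.0.12", "user": "jsmith"},
    # Post-compromise: wipe the log, create an account that looks like a machine account, make it admin
    {"time": "2020-01-10T03:02:00", "event_id": 1102, "user": "backup"},
    {"time": "2020-01-10T03:02:30", "event_id": 4720, "user": "backup", "target_user": "support$"},
    {"time": "2020-01-10T03:02:40", "event_id": 4732, "user": "backup",
     "target_user": "support$", "group": "Administrators"},
]


def parse_time(s):
    return datetime.fromisoformat(s)


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Flag a source IP with >= min_failures RDP logon failures spread over >= min_users
    accounts inside `window`, and record whether an RDP success from that IP followed."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e.get("logon_type") == 10:
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: parse_time(e["time"]))
        for i, first in enumerate(fails):  # sliding window anchored on each failure
            t0 = parse_time(first["time"])
            win = [f for f in fails[i:] if parse_time(f["time"]) - t0 <= window]
            users = {f["user"] for f in win}
            if len(win) >= min_failures and len(users) >= min_users:
                success = any(e["event_id"] == 4624 and e.get("logon_type") == 10
                              and e["ip"] == ip and parse_time(e["time"]) >= t0 for e in events)
                hits[ip] = {"failures": len(win), "users": sorted(users), "followed_by_success": success}
                break
    return hits


def detect_log_clear(events):
    """Event 1102 is written by the system itself when the Security log is cleared; the
    affiliates' cleanup scripts cannot avoid it short of also stopping the event service."""
    return [e for e in events if e["event_id"] == 1102]


def detect_hidden_admin(events, window=timedelta(minutes=10)):
    """Account creation (4720) followed within `window` by addition to Administrators (4732).
    A trailing '$' makes the account resemble a machine account in listings (heuristic)."""
    created = {e["target_user"]: parse_time(e["time"]) for e in events if e["event_id"] == 4720}
    findings = []
    for e in events:
        if e["event_id"] == 4732 and e.get("group") == "Administrators" and e["target_user"] in created:
            if timedelta(0) <= parse_time(e["time"]) - created[e["target_user"]] <= window:
                findings.append({"user": e["target_user"],
                                 "looks_hidden": e["target_user"].endswith("$"),
                                 "by": e["user"]})
    return findings


def run_all(events=SAMPLE_EVENTS):
    return {"bruteforce": detect_rdp_bruteforce(events),
            "log_cleared": len(detect_log_clear(events)),
            "hidden_admins": detect_hidden_admin(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_all(), indent=2))
```

Run against the sample, the brute-force rule fires only for 203.0.113.7 (eight accounts in eight seconds, followed by a success) and not for the user who mistyped a password twice; the 1102 and the `support$` administrator are reported as well. The `followed_by_success` flag is what turns a noisy spray alert into an incident: the same IP that sprayed then logged in.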
Custom Mimikatz batch files
Affiliate #19 appears to be the most skilled and thorough of the three, as McAfee observed them attempting to use local exploits to gain administrative privileges on a compromised computer. With an administrative account, the affiliate can easily move to other computers in the Windows domain and execute the ransomware there.
Besides the Sodinokibi ransomware payload, Affiliate #34 also dropped cryptomining payloads such as MinerGate and XMRig.
McAfee was able to find the email address used by one of the attackers in a MinerGate configuration file and trace it to a probable member of a Persian-speaking RDP hacking crew.
“Based on our analysis, this individual is likely part of some Persian-speaking credential cracking crew harvesting RDP credentials and other types of data. The individual is sharing information related to Masscan and Kport scan results for specific countries that can be used for brute force operations.”
Everything search engine used to index documents
An interesting tool used by Affiliate #34 is the Everything file indexing program.
Once enabled, it indexes the names of every file and directory on the machine so the user can quickly search for files matching a keyword. It can also search the content of indexed files, at a much slower speed.
While McAfee could not see what was searched for, it did observe that a full index of the file system was completed.
“Unfortunately we didn’t know the actor was looking for keywords, we saw an entire file system index,” John Fokker, Cyber Investigations Manager at McAfee, said via e-mail.
McAfee suggests that Everything was deployed so the attackers could search for sensitive files by name.
For example, files whose names contain terms such as “hidden,” “password,” “bank accounts,” “protected,” “military,” “10-Q,” or “10-K” could be exfiltrated in unencrypted form to steal trade secrets or insider stock information, or to threaten to release the documents unless a ransom is paid.
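To make concrete why a name index is worth an intruder's time, and to give defenders a way to preview what such a search would surface on their own file servers, here is an added example, not McAfee's or voidtools' code, of a minimal Everything-style index: file names are normalised once, keyword queries then run over the in-memory list without touching the disk, and a separate slow path reads file content. The sample paths are constructed, and the keyword list extends the article's terms with one assumed addition (`confidential`).

```python
"""Added example: a minimal file-name index with keyword search (fast path) and a
content scan (slow path), in the style of the Everything indexer discussed above."""
import os
import re
from collections import defaultdict

# Terms named in the article, plus "confidential" (assumption: attacker lists look like this).
KEYWORDS = ["hidden", "password", "bank account", "protected", "military", "10-q", "10-k", "confidential"]

SAMPLE_PATHS = [  # constructed; none of these need to exist
    r"C:\Users\jsmith\Documents\Passwords.xlsx",
    r"D:\Finance\2019\Form 10-K draft.docx",
    r"D:\Finance\bank_accounts.csv",
    r"D:\Legal\Protected Disclosure.pdf",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\jsmith\Pictures\holiday.jpg",
    r"E:\HR\CONFIDENTIAL-salaries-2019.xlsx",
]


def normalize(name):
    """Lowercase and map '_' and '.' to spaces so 'bank_accounts.csv' matches 'bank account';
    '-' is kept so that '10-k' still matches."""
    return re.sub(r"[_.]+", " ", name.lower())


def build_index(paths):
    """Index once: (normalised file name, full path). Works for Windows paths on any OS."""
    return [(normalize(os.path.basename(p.replace("\\", "/"))), p) for p in paths]


def search_names(index, keywords=KEYWORDS):
    """Fast path: substring match on the indexed names only; returns {keyword: [paths]}."""
    hits = {k: [] for k in keywords}
    for norm, path in index:
        for k in keywords:
            if k in norm:
                hits[k].append(path)
    return hits


def index_tree(root):
    """Defender use: index a real share to see what an intruder's keyword search would find."""
    paths = []
    for dirpath, _, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return build_index(paths)


def scan_content(index, keywords=KEYWORDS, max_bytes=1_000_000):
    """Slow path: read each indexed file and look for the keywords inside it.
    Skips missing or oversized files and tolerates binary content."""
    hits = defaultdict(list)
    for _, path in index:
        try:
            if os.path.getsize(path) > max_bytes:
                continue
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="ignore").lower()
        except OSError:
            continue
        for k in keywords:
            if k in text:
                hits[k].append(path)
    return dict(hits)


def demo_content_scan():
    """Show the two paths diverging: a file named 'notes.txt' is invisible to the name
    search but found by the content scan. Uses a temporary directory with a constructed file."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "notes.txt"), "w") as fh:
            fh.write("vpn password: hunter2\n")  # constructed content
        idx = index_tree(d)
        return sorted(scan_content(idx)), [os.path.basename(p) for p in search_names(idx)["password"]]


if __name__ == "__main__":
    for kw, paths in search_names(build_index(SAMPLE_PATHS)).items():
        print(f"{kw:14s} {paths}")
    print(demo_content_scan())
```

Against the constructed list, the name search alone already pulls out the password spreadsheet, the 10-K draft, the bank account export, the protected disclosure and the salary file, which is the point the article makes: once the index exists, harvesting the most damaging documents is a handful of substring queries. Running `index_tree` over your own shares and reviewing the hits is a cheap way to find what would be taken first.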
Although not yet common, stolen sensitive data has been used in the past to pressure victims into paying, and has been released publicly when they did not.
The use of Everything as part of a ransomware deployment is an interesting tactic, and one that should worry all businesses because of the increased risk of data theft.