Discover and read the best of Twitter Threads about #Sodinokibi
Most recents (2)
In light of the recent #SupplyChain attack on @KaseyaCorp by #REvil, it is worth paying attention to decoder[.]re included within the ransom notes, used additionally to 'mirror' in TOR network. #Ransomware #Cybersecurity #ThreatIntel #ThreatHunting #Malware 
Similar to decryptor[.]cc and decryptor[.]top in previous #REvil/#Sodinokibi versions, decoder[.]re is used to grant the victims access to the threat actors WEB-site for further negotiations should their connection be limited via #TOR.
To access the page in WWW or TOR - the victim needs to provide a valid UID (e.g. "9343467A488841AC")
A #Sodinokibi campaign broke out last week using "Outstanding statement" emails in the Chinese language, with the ransomware itself inside a .zip archive as attachment, a notable change from past campaigns that used drive-by downloads or emails with malicious URLs
The ransomware is an .exe file that pretends to be .xls using double extensions. It runs a PowerShell command to delete the shadow copy, encrypts & renames files with alphanumeric characters as extension (ex., myfile.x63b59), drops ransom note, changes the desktop background
Office 365 ATP catches the malicious attachments used in this new Sodinokibi campaign, protecting customers from ransomware infection. Microsoft Defender ATP blocks the malware on endpoints and raises alerts for malicious behaviors, including shadow copy deletion.
