Sodinokibi ransomware exploits Windows vulnerability [CVE-2018-8453]

A ransomware strain named Sodinokibi (also Sodin or REvil) is exploiting a vulnerability patched by Windows last year.

Microsoft issued a patch for the vulnerability, a privilege escalation flaw known as CVE-2018-8453, back in October 2018.

Unusually, the former zero-day has been spotted alongside ransomware, rather than other forms of malware. Security researchers have suggested that Sodinokibi is being distributed via a ransomware-as-a-service (RaaS) scheme, rather than being directly distributed by its creator.

Oracle addressed this vulnerability in their Security Alert Advisory – CVE-2019-2725. Users and administrators are encouraged to apply this update immediately.

VirusTotal report on this ransomware

Indicators of Compromise (IoC)

Ransomware samples:
0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d
34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160
74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac
95ac3903127b74f8e4d73d987f5e3736f5bdd909ba756260e187b6bf53fb1a05
fa2bccdb9db2583c2f9ff6a536e824f4311c9a8a9842505a0323f027b8b51451

Distribution URLs:
hxxp://188.166.74[.]218/office.exe
hxxp://188.166.74[.]218/radm.exe
hxxp://188.166.74[.]218/untitled.exe
hxxp://45.55.211[.]79/.cache/untitled.exe

Attacker IP:
130.61.54[.]136

Attacker Domain:
decryptor[.]top

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: