Kaspersky: Sodinokibi exploits Windows vulnerability and processor architecture, using exploits to escalate privileges
Sodinokibi (aka Sodin and REvil) ransomware exploits Windows vulnerability and processor architecture to elevate privileges and to circumvent security. Especially against targets in Asia-Pacific region: Taiwan, Hong Kong, and South Korea. It has been discovered by Kaspersky cyber security experts. To escalate privileges, Trojan-Ransom.Win32.Sodin uses a vulnerability in win32k.sys; attempts to exploit it were first detected by the company’s technologies (Automatic Exploit Prevention, AEP) in August last year. The vulnerability was assigned the number CVE-2018-8453. After the exploit is executed, the malware acquires the highest level of privileges. Depending on the processor architecture, one of two shellcode options contained in the Trojan body is run.
The cyber security experts: Is the cybercrime ransomware the heir of GandCrab?
According to the cyber security experts, Sodinokibi could be the heir of GandCrab ransomware. Its rapid spread is a major concern for the global security community. Especially following the use of exploit kits by the malwareware. These, in fact, allow it to count on a wide range of vectors to infect victims. Even in Italy, as Yoroi-Cybaze noted. Furthermore, its rapid spread is a sign that cybercrime is relying heavily on the malicious code. For the moment it is not yet clear who can be behind it, but more than someone is willing to bet that they could be the same authors of GandCrab or some subject connected to them. Furthermore, there aren’t known solutions to counter the affects of this Trojan. So, setting efficient defenses, therefore, is imperative. In particular it is necessary to update all systems and software to avoid exploitation of leaks. Finally, maximum attention must be paid to emails, even if they come from known or certified senders. The malware, in fact, is distributed through various vectors.