Researchers found that the new Sodin ransomware mainly attacks Windows devices in Asia, including Taiwan, Hong Kong and the Republic of Korea. Sodin exploits a Windows vulnerability to gain elevated privileges, after which it can do a great deal on the compromised system with full user rights.
Sodin, the New Ransomware Was Found
Recently, a new file-encrypting ransomware named Sodin (full name Trojan-Ransom.Win32.Sodin) was found by researchers working at Russia's Kaspersky Lab.
- Sodin was first seen in April 2019; initially it targeted managed service providers (MSPs) by exploiting an Oracle WebLogic vulnerability.
- Later, Sodin changed its approach and began exploiting a Windows vulnerability to compromise systems.
Sodin now exploits CVE-2018-8453 (the Win32k Elevation of Privilege Vulnerability) to gain elevated privileges on the infected system.
Where Does the Sodin Ransomware Appear
According to Kaspersky's statistics, most Sodin attacks were detected in Asia:
- 17.6% of the attacks were detected in Taiwan.
- 9.8% of the attacks were detected in Hong Kong.
- 8.8% of the attacks were detected in the Republic of Korea.
Victims were also recorded in Europe, North America and Latin America.
How Does the Sodin Ransomware Attack Your System
The vulnerability exists because the Win32k component fails to properly handle objects in memory. An attacker who has already logged on to the system runs a specially crafted application that triggers the flaw and takes control of the system.
In short, Sodin can use this Windows vulnerability to run arbitrary code in kernel mode, after which it can make many changes to the system:
- Install new programs
- Create new accounts
- Browse, change, or delete data
Why is Sodin so hard to detect? Because it abuses a legitimate feature of the x86-64 processor architecture. Kaspersky observed it using the "Heaven's Gate" technique, in which a 32-bit process switches the CPU into 64-bit mode to execute 64-bit code; security tools that only analyse the 32-bit execution flow can miss what happens after the switch, so the malware circumvents them using nothing but documented processor functions.
Specific Infection Process
Stage one: the Trojan's configuration block, which holds both its settings and the data it needs, is stored in encrypted form inside the sample.
Stage two: the ransomware encrypts files with the Salsa20 symmetric stream cipher and protects the keys with an elliptic-curve asymmetric algorithm.
Stage three: each time the encryption process starts, Sodin generates a new elliptic-curve key pair; the file contents themselves are then encrypted with Salsa20 under a symmetric key.
Stage four: once Sodin has finished encrypting the files, you will see the following signs:
- Each encrypted file gets a new extension.
- The desktop wallpaper is replaced with one generated by the ransomware.
- A ransom note, mc9530-readme.txt, is saved next to the encrypted files with the instructions the attackers want you to read.
Stage five: information about the infected device is sent, in encrypted form, to the attacker's command-and-control server.
Stage six: the victim is directed to a website that explains how to pay the ransom ($2,500 worth of Bitcoin per victim) and how to obtain the decryption key that unlocks the encrypted files.
Kaspersky Has Something to Say
The Kaspersky researchers think Sodin is likely part of a RaaS (ransomware-as-a-service) scheme, in which the developers hand the Trojan to distributors who run the attacks.
"Curiously the private session key is also encrypted with another public key hardcoded into the body of the Trojan, regardless of the configuration. We will call it the public skeleton key. The encryption result is stored in the registry under the name 0_key. It turns out that someone who knows the private key corresponding to the public skeleton key is able to decrypt the victim's files, even without the private key for sub_key. It seems like the Trojan developers built a loophole into the algorithm allowing them to decrypt files behind the distributors' back."
- according to Orkhan Mamedov, Artur Pakulov, and Fedor Sinitsyn from Kaspersky Lab
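The key hierarchy described in stages two and three above and in the Kaspersky quotation (a fresh elliptic-curve session key pair per run, a per-file symmetric key, and the session private key escrowed to two different public keys) is worked through below as an added example. It is not code from the original article or from Kaspersky's analysis. It assumes X25519 for the elliptic-curve part (implemented in pure Python so nothing needs installing) and replaces Salsa20 with a SHA-256 counter-mode keystream so the block runs on the standard library alone. The quotation's sub_key is taken to be the public key that arrives in the configuration (the distributor's); the registry slot name 0_key is from the quotation, while sk_key is an assumed name for the distributor's copy. All keys and file contents are constructed for the demonstration.

```python
import hashlib
import secrets
import struct

# X25519 (RFC 7748) in pure Python so the example needs no third-party package.
P = 2**255 - 19
A24 = 121665
BASE_U = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder. The branch-based swap is fine for illustration, not production."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(priv: bytes) -> bytes:
    return x25519(priv, BASE_U)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """ASSUMED stand-in for Salsa20: SHA-256 counter-mode keystream XORed over the data.
    Symmetric like Salsa20 (apply twice to decrypt); used only so the block runs offline."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + struct.pack("<Q", i)).digest()
        out += bytes(x ^ y for x, y in zip(data[off:off + 32], block))
    return bytes(out)


def seal(recipient_pub: bytes, plaintext: bytes) -> bytes:
    """Encrypt to a public key: fresh ephemeral pair, ECDH secret hashed into the symmetric
    key, ephemeral public key kept with the ciphertext. Sodin does this per file against the
    session public key; a fresh key per call is why no separate nonce is needed here."""
    eph_priv = secrets.token_bytes(32)
    sym_key = hashlib.sha256(x25519(eph_priv, recipient_pub)).digest()
    return public_key(eph_priv) + keystream_xor(sym_key, plaintext)


def unseal(recipient_priv: bytes, blob: bytes) -> bytes:
    eph_pub, ciphertext = blob[:32], blob[32:]
    sym_key = hashlib.sha256(x25519(recipient_priv, eph_pub)).digest()
    return keystream_xor(sym_key, ciphertext)


def infect(files: dict, sub_key: bytes, skeleton_pub: bytes):
    """One encryption run. sub_key comes from the configuration (distributor's public key),
    skeleton_pub is hardcoded in the Trojan body. Returns registry values and encrypted files."""
    session_priv = secrets.token_bytes(32)            # stage three: new pair every run
    session_pub = public_key(session_priv)
    registry = {
        "sk_key": seal(sub_key, session_priv),        # escrow for the distributor (assumed name)
        "0_key": seal(skeleton_pub, session_priv),    # escrow for the developers' skeleton key
    }
    encrypted = {name: seal(session_pub, data) for name, data in files.items()}
    return registry, encrypted


def decrypt_with(holder_priv: bytes, registry_slot: bytes, encrypted: dict) -> dict:
    """Opening one registry slot yields the session private key and with it every file key;
    the other key holder's cooperation is never needed."""
    session_priv = unseal(holder_priv, registry_slot)
    return {name: unseal(session_priv, blob) for name, blob in encrypted.items()}


def demo() -> dict:
    # Constructed keys and file contents for the demonstration only.
    skeleton_priv, dist_priv, outsider_priv = (secrets.token_bytes(32) for _ in range(3))
    files = {"report.docx": b"quarterly numbers", "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(40)}
    registry, encrypted = infect(files, public_key(dist_priv), public_key(skeleton_priv))
    return {
        "distributor_recovers": decrypt_with(dist_priv, registry["sk_key"], encrypted) == files,
        "developer_recovers": decrypt_with(skeleton_priv, registry["0_key"], encrypted) == files,
        "outsider_recovers": decrypt_with(outsider_priv, registry["sk_key"], encrypted) == files,
        "files_changed": all(encrypted[n][32:] != d for n, d in files.items()),
    }
```

Running demo() shows the loophole the quotation describes: the distributor opens sk_key and the developers open 0_key, and either path alone recovers every file, while a third party holding neither private key gets garbage. The stand-in cipher has no integrity protection and the ladder is not constant-time, so the block illustrates the key management only and is not a building block to reuse.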