Kaspersky researchers have uncovered new encryption ransomware named Sodin, which exploits a recently discovered zero-day Windows vulnerability to get elevated privileges in an infected system and takes advantage of the architecture of the Central Processing Unit (CPU) to avoid detection – functionality that is not often seen in ransomware. What’s more, in certain cases the malware requires no user interaction and is simply planted onto vulnerable servers by the attackers.
Ransomware, the encryption or locking of data or devices accompanied by a demand for money is an enduring cyberthreat, affecting individuals and organizations of all sizes across the world. Most security solutions detect well-known versions and established attack vectors. However, sophisticated approaches such as that of Sodin, which involves the exploitation of a recently discovered zero-day vulnerability in Windows (CVE-2018-8453) to escalate privileges, might be able to avoid raising suspicion for a while.
The malware appears to be part of a RAAS – ransomware-as-a-service – scheme, which means that its distributors are free to choose the way in which the encryptor propagates. There are signs that the malware is being distributed through an affiliate program. For example, the developers of the malware have left a loophole in the malware functionality that allows them to decrypt files without their affiliates knowing: a ‘master key’ that doesn’t require a distributor’s key for decryption (normally the distributor keys are the ones used to decrypt the files of victims that paid the ransom). This feature might be used by the developers to control the decryption of victim data or the distribution of the ransomware by, for example, cutting certain distributors out of the affiliate program by making the malware useless.
Moreover, usually, ransomware requires some form of user interaction – such as opening an attachment to an email message or clicking on a malicious link. The attackers that used Sodin didn’t need much help; they would usually find a vulnerable server and send a command to download a malicious file called “radm.exe.” This then saved the ransomware locally and executed it.
Most targets of Sodin ransomware were found in the Asian region: 17.6 per cent of attacks have been detected in Taiwan, 9.8 per cent in Hong Kong and 8.8 per cent in the Republic of Korea. However, attacks have also been observed in Europe, North America and Latin America. The ransomware note left on infected PCs demands USD 2500 (USD) worth of Bitcoin from each victim.
What makes Sodin even harder to detect is the use of the “Heaven’s Gate” technique. This allows a malicious program to execute 64-bit code from a 32-bit running process, which is not a common practice and does not often occur in ransomware.
The researchers believe that the Heaven’s Gate technique is used in Sodin for two main reasons, first is to make an analysis of the malicious code harder - not all ‘debuggers’ (code examiners) support this technique and therefore can’t recognize it. And second, to evade detection by installed security solutions. The technique is used to bypass emulation-based detection, a method for uncovering previously unknown threats that involve launching code that is behaving suspiciously in a virtual environment that resembles (emulates) a real computer.
Kaspersky security solutions detect the ransomware as Trojan-Ransom.Win32.Sodin. The vulnerability CVE-2018-8453 that the ransomware uses was earlier detected by Kaspersky technology in the wild being exploited by a threat actor the researchers believe to be the Fruity Armor hacking group. The vulnerability was patched on October 10, 2018.
To avoid falling victim to Sodin threats, Kaspersky researchers advise companies to make sure that the software used in your company is regularly updated to the most recent versions. Security products with Vulnerability Assessment and Patch Management capabilities may help to automate these processes.