
Immunity TeamJune 30, 2020
Electric Company Ransomware Attack
Calls for $14 Million in Ransom
Light S.A., a Brazilian based electrical energy company was recently affected by ransomware where the cybercriminals demanded a payment of 14 million U.S. dollars.
The company issued comments to a local newspaper confirming the attack, however, technical details were not disclosed by the company.

Twitter Post from Light SA Official Account, Confirming the Attack
Our malware analysis team had access to the binary that was likely used in the attack and we were able to confirm that the sample is from a family known as Sodinokibi (aka REvil). Althought we can't confirm that this was the exact same file used in the attack, the evidence points to being connected to the Light SA breach, such as the ransom price, for example. The sample was automatically collected by AppGate Labs on June 17, 2020 through our live hunting process, and as the binary was sent to a public sandbox, this suggests someone from the company submitted that file attempting to understand how it works.

Machine Infected with Sodinokibi Sample.
The sample is packed and works the same as other binaries that we have already identified from this family, and once unpacked, we were able to decrypt its configuration and access relevant data about the threat, such as the actor / campaign ID, and the URL in which the victim must access to get instructions.

Ransomware Attack Asking 14,000,000 USD.
According to the page that is hosted in the deep web, the ransom amount must be paid using the virtual currency Monero, and prior to June 19, the total was 106,870.19 XMR, which is equivalent to 7 million USD. However, since the deadline has passed, the price has doubled to 14 million US dollars. The whole attack looks very professional, the web page even includes a chat support, where the victim can speak directly with the attacker. Sodinokibi works as a RaaS (Ransomware as a Service) model, and the group behind the operation seems to be affiliated to "Pinchy Spider", which is the same group behind GandCrab ransomware[1].
Deep Web Panel
With the URL collected from the binary, we were able to access the webpage (hosted on deep web) and confirm details about the attack. First thing of notice is the ransom price, which is extremely high and likely due to the affected company belonging to an important sector.

Ransomware Asking for 7,000,000 USD Before Deadline.
There is an ‘About Us’ which contains a small overview about the Sodinokibi family.

Sodinokibi Description According to the Web Page.
Also, it provides an online chat support, where the victim can interact with the attackers. In the images below, we can see that someone reached out to the attacker. We decided to censor the images to reduce the exposure of the person involved.

Sodinokibi Chat Support.
At the end of the chat we can see that the attacker sends a file that is supposedly confidential, proving to the victim that the data can be decrypted and also suggesting that file was probably stolen from the company's network.

Decrypted “_Confidencial.xlsx” File Sent by Attacker.
Technical Details
The main file is packed and it uses two shellcodes streams for unpacking and execution process. First, it allocates a memory space using “LocalAlloc[2]” API, writes an encrypted shellcode to it, and transfers execution once decrypted.

Sodinokibi Decrypting First Shellcode.
This shellcode unpacks Sodinokibi along with a second shellcode, which will eventually load the final binary to memory.

Second Shellcode Along with Unpacked Sodinokibi.
Finally, the shellcode injects the unpacked Sodinokibi binary into the same process space, by wiping the original PE file from memory and writing the new PE.

Sodinokibi Self-Injection.
The binary is highly configurable, the setting is encrypted with RC4 and it’s usually stored in a randomly named section, and in this case the section name is “.cfg”.

Sodinokibi Encrypted Configuration Stored on PE Section.
Upon execution, it will decrypt the content of this section into an allocated memory space.

Sodinokibi Decrypting its Configuration.
The decrypted configuration is presented in a JSON format and contains several options used by the Malware.
Key | Type | Description |
dbg | Boolean | If true, ignores keyboard layout check |
dmn | List of strings | List of domains for communication (C2 servers) |
exp | Boolean | If true, enables privilege escalation using CVE-2018-8453 as exploit |
fast | Boolean | If true, it encrypts just a part of the file |
img | String | Message displayed on desktop background |
nbody | String | Contents of the “readme” file (base64 encoded) |
net | Boolean | If true, sends POST requests to the C2 servers |
nname | String | Name of “readme” file |
pid | String | Actor ID |
pk | String | Public encryption key (base64 encoded) |
prc | List of strings | Process to terminate |
sub | String | Campaign ID |
wfld | List of strings | List of folders to wipe |
wht | Dictionary | Contains information about whitelist (to skip encryption) |
wht.ext | List of strings | Whitelisted extensions |
wht.fld | List of strings | Whitelisted folders |
wht.fls | List of strings | Whitelisted files |
wipe | Boolean | If true, wipes the folders specified in “wfld” |
An interesting capability not utilized by this specific sample is if “exp” is “true”, it tries to escalate privileges by exploiting a vulnerability in “win32k.sys” (CVE-2018-8453[3]) with both 32-bit and 64-bit versions of the exploit, using a technique known as “Heaven’s Gate[4]” to execute 64 bit code in a 32 bit process, located in the “.rdata” section of the PE file.

Code Decrypting and Executing the Shellcode.
Also, if the “dbg” option is set to “false”, the malware will check the UI language and the keyboard layout of the infected machine.

Keyboard Layout Verification.
Above, we can see that this Ransomware has a whitelist based on location, if the return value[5] matches any value of the list, it will not encrypt files in the machine.
Furthermore, it uses PowerShell to delete Windows shadow copies.

Sodinokibi Deleting Windows Shadow Copies.
Once encrypting all the files, it changes the background with the following image:

Sodinokibi Background.
Lastly, it appends a ransom note to every folder where encrypted files can be found.

Sodinokibi Ransom Note.
Unfortunately, there is no global decryptor for the family, which means that the attacker's private key is required to decrypt the files.
During the period of the attack, we noticed that the company’s website was offline, presenting an error message related to the database, which could be related to the attack.

Light WebSite Offline During Ransomware Attack.
IOCs
SHA1:
f09e5e72b433d11a32efe2e5d63db0bc7b8def59
SHA256:
140f831ddd180861481c9531aa6859c56503e77d29d00439c1e71c5b93e01e1a
SSDEEP:
3072:oCc99moUMXv84IHesgkSx+oN/7KzTKDyOX6wKamrJPlM8dj09br:oCc9wHRtg9xkNq6wK7dq40
Mutex:
Global\57E6EA0F-4648-EF95-9F98-C3221B4D31F9
Registry Keys:
HKLM\SOFTWARE\Facebook_Assistant\s17
HKLM\SOFTWARE\Facebook_Assistant\JYhB
HKLM\SOFTWARE\Facebook_Assistant\jH5dJ
HKLM\SOFTWARE\Facebook_Assistant\nsWSeU
HKLM\SOFTWARE\Facebook_Assistant\CSGtvzp
HKLM\SOFTWARE\Facebook_Assistant\cDQ1QZoS
Sodinokibi Actor ID
$2a$10$D/hOr8pZfTXyeVodyREcseBOlXf2dcLmqmQJTa4y2uSfGkhEZXq62
Sodinokibi Campaign ID
4430
Public Encryption Key (base64 encoded)
5OflM/v+EILgBXm+0q5qAVIHbpAd3zVkD2aFdBKJe0g=
C2 Servers:
Please find a list here:
[1] https://malpedia.caad.fkie.fra...
[2] https://docs.microsoft.com/en-...
[3] https://www.cvedetails.com/cve...