
Immunity Team, June 30, 2020

Electric Company Ransomware Attack

Calls for $14 Million in Ransom

Light S.A., a Brazil-based electrical energy company, was recently hit by ransomware, with the cybercriminals demanding a payment of 14 million U.S. dollars.

The company confirmed the attack in comments to a local newspaper, but did not disclose any technical details.

Twitter Post from Light SA Official Account, Confirming the Attack

Our malware analysis team had access to the binary that was likely used in the attack and confirmed that the sample belongs to the family known as Sodinokibi (aka REvil). Although we cannot confirm that this was the exact file used in the attack, the evidence, such as the ransom price, points to a connection with the Light SA breach. The sample was collected automatically by AppGate Labs on June 17, 2020 through our live hunting process; since the binary had been submitted to a public sandbox, someone from the company probably uploaded it while trying to understand how it works.

Machine Infected with Sodinokibi Sample.

The sample is packed and behaves like other binaries we have already identified from this family. Once unpacked, we were able to decrypt its configuration and extract relevant data about the threat, such as the actor and campaign IDs and the URL the victim must visit to receive instructions.

Ransomware Attack Asking 14,000,000 USD.

According to the page, which is hosted on the deep web, the ransom must be paid in the cryptocurrency Monero. Before June 19 the total was 106,870.19 XMR, equivalent to 7 million USD; since the deadline has passed, the price has doubled to 14 million US dollars. The whole operation looks very professional: the web page even includes chat support, where the victim can speak directly with the attacker. Sodinokibi operates under a RaaS (Ransomware as a Service) model, and the group behind the operation seems to be affiliated with "Pinchy Spider", the same group behind the GandCrab ransomware[1].

Deep Web Panel

With the URL extracted from the binary, we were able to access the web page (hosted on the deep web) and confirm details about the attack. The first thing to notice is the ransom price, which is extremely high, most likely because the affected company belongs to a critical sector.

Ransomware Asking for 7,000,000 USD Before Deadline.

There is an "About Us" section containing a short overview of the Sodinokibi family.

Sodinokibi Description According to the Web Page.

It also provides online chat support, where the victim can interact with the attackers. In the images below, we can see that someone reached out to the attacker; we censored the images to reduce the exposure of the person involved.

Sodinokibi Chat Support.

At the end of the chat, the attacker sends a supposedly confidential file, proving to the victim that the data can be decrypted and also suggesting that the file was stolen from the company's network.

Decrypted “_Confidencial.xlsx” File Sent by Attacker.

Technical Details

The main file is packed and uses two shellcode stages for unpacking and execution. First, it allocates memory using the "LocalAlloc[2]" API, writes an encrypted shellcode into it, decrypts it in place and transfers execution to it.

Sodinokibi Decrypting First Shellcode.

This shellcode unpacks Sodinokibi along with a second shellcode, which eventually loads the final binary into memory.

Second Shellcode Along with Unpacked Sodinokibi.

Finally, the shellcode injects the unpacked Sodinokibi binary into the same process, wiping the original PE image from memory and writing the new PE in its place.

Sodinokibi Self-Injection.

The binary is highly configurable. Its settings are encrypted with RC4 and usually stored in a randomly named PE section; in this sample the section is named ".cfg".

Sodinokibi Encrypted Configuration Stored on PE Section.

Upon execution, it decrypts the contents of this section into allocated memory.

Sodinokibi Decrypting its Configuration.

The decrypted configuration is in JSON format and contains several options used by the malware. The option names are the standard keys used by this family:

Option   Type             Description
dbg      boolean          If true, ignores the keyboard layout check
dmn      list of strings  List of domains for communication (C2 servers)
exp      boolean          If true, enables privilege escalation using CVE-2018-8453 as exploit
fast     boolean          If true, encrypts just a part of each file
img      string           Message displayed on the desktop background
nbody    string           Contents of the "readme" file (base64 encoded)
net      boolean          If true, sends POST requests to the C2 servers
nname    string           Name of the "readme" file
pid      string           Actor ID
pk       string           Public encryption key (base64 encoded)
prc      list of strings  Processes to terminate
sub      string           Campaign ID
wfld     list of strings  List of folders to wipe
wht      object           Contains the whitelist (items skipped during encryption)
wht.ext  list of strings  Whitelisted extensions
wht.fld  list of strings  Whitelisted folders
wht.fls  list of strings  Whitelisted files
wipe     boolean          If true, wipes the folders specified in "wfld"
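The decryption step and the option table above lend themselves to a small configuration extractor, which is what an analyst would write next to pull the actor ID, campaign ID and C2 domains out of a sample in bulk. The Python script below is an added example, not code from the original post or from AppGate. It assumes a section layout of a 32-byte RC4 key, a CRC32 of the plaintext, a 4-byte length and then the ciphertext (an assumption made for this example, since the post does not describe the exact layout), implements RC4 inline, and feeds itself a constructed ".cfg" blob with placeholder values rather than anything taken from the real sample.

```python
import json
import struct
import zlib

# Assumed layout of the encrypted ".cfg" section for this example:
#   32-byte RC4 key | 4-byte CRC32 of plaintext | 4-byte plaintext length | RC4 ciphertext
# The real sample's layout is not described in the post; adjust KEY_LEN and
# the header parsing if you are working with a different build.
KEY_LEN = 32


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_cfg_section(section: bytes) -> dict:
    """Decrypt a key | crc32 | length | ciphertext blob and parse the JSON inside."""
    key = section[:KEY_LEN]
    crc, length = struct.unpack_from("<II", section, KEY_LEN)
    cipher = section[KEY_LEN + 8 : KEY_LEN + 8 + length]
    plain = rc4(key, cipher)
    # The CRC check catches a wrong key or a truncated section before json.loads
    # produces a confusing parse error.
    if zlib.crc32(plain) & 0xFFFFFFFF != crc:
        raise ValueError("CRC32 mismatch: wrong key or truncated section")
    return json.loads(plain.decode("utf-8"))


def summarize(cfg: dict) -> dict:
    """Pull out the fields an analyst wants first: identifiers, C2 and destructive options."""
    wht = cfg.get("wht", {})
    return {
        "actor_id": cfg.get("pid"),
        "campaign_id": cfg.get("sub"),
        "c2_domains": cfg.get("dmn", []),
        "beacons_to_c2": bool(cfg.get("net")),
        "uses_exploit": bool(cfg.get("exp")),
        "skips_layout_check": bool(cfg.get("dbg")),
        "wipes_folders": bool(cfg.get("wipe")),
        "folders_to_wipe": cfg.get("wfld", []),
        "processes_to_kill": cfg.get("prc", []),
        "whitelisted_extensions": wht.get("ext", []),
    }


def build_sample_section() -> bytes:
    """Constructed test blob in the assumed layout. Every value is a placeholder."""
    cfg = {
        "pk": "UExBQ0VIT0xERVI=",  # placeholder base64, not a real public key
        "pid": "EXAMPLE-ACTOR-ID",
        "sub": "EXAMPLE-CAMPAIGN-ID",
        "dbg": False,
        "fast": True,
        "wipe": True,
        "wht": {"fld": ["windows"], "fls": ["ntldr"], "ext": ["exe", "dll"]},
        "wfld": ["backup"],
        "prc": ["sql", "outlook"],
        "dmn": ["c2-example.invalid", "second-example.invalid"],
        "net": True,
        "nbody": "UkVBRE1F",
        "nname": "{EXT}-readme.txt",
        "exp": False,
        "img": "Your files are encrypted.",
    }
    plain = json.dumps(cfg).encode("utf-8")
    key = bytes(range(KEY_LEN))  # constructed key, only for this demo blob
    header = struct.pack("<II", zlib.crc32(plain) & 0xFFFFFFFF, len(plain))
    return key + header + rc4(key, plain)


if __name__ == "__main__":
    extracted = parse_cfg_section(build_sample_section())
    print(json.dumps(summarize(extracted), indent=2))
```

On a real file you would read the section bytes with a PE parser (for example `pefile`) and pass them to `parse_cfg_section`; the CRC check is what tells you whether you picked the right section and offset, which matters because the section name is randomized across builds.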

An interesting capability, not used by this specific sample, is triggered when "exp" is "true": the malware tries to escalate privileges by exploiting a vulnerability in "win32k.sys" (CVE-2018-8453[3]). It carries both 32-bit and 64-bit versions of the exploit in the ".rdata" section of the PE file and uses a technique known as "Heaven's Gate[4]" to execute 64-bit code from a 32-bit process.

Code Decrypting and Executing the Shellcode.

Also, if the "dbg" option is set to "false", the malware checks the UI language and the keyboard layout of the infected machine.

Keyboard Layout Verification.

Above, we can see that this ransomware has a location-based whitelist: if the return value[5] matches any entry in the list, it does not encrypt the files on the machine.

Furthermore, it uses PowerShell to delete the Windows shadow copies.

Sodinokibi Deleting Windows Shadow Copies.
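Shadow copy deletion is one of the few loud steps in the chain described above, and it happens before the encryption itself, which makes it a useful detection point. The Python snippet below is an added example, not part of the original post or of AppGate's tooling. It runs a handful of constructed PowerShell script-block and process-creation log lines (hypothetical "<timestamp> <source> <text>" layout) through regex rules for shadow-copy and recovery tampering, and then correlates distinct rule hits inside a five-minute window so that a single benign-looking command does not alert on its own.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines, not telemetry from the incident. Layout is hypothetical:
# "<ISO timestamp> <source> <command or script text>". PS-4104 stands in for a
# PowerShell script-block log, PROC for a process-creation event.
SAMPLE_LOGS = [
    "2020-06-17T10:02:11Z PS-4104 Get-ChildItem C:\\Users -Recurse | Measure-Object",
    "2020-06-17T10:02:40Z PS-4104 Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}",
    "2020-06-17T10:02:41Z PROC cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
    "2020-06-17T10:02:42Z PROC wmic.exe shadowcopy delete",
    "2020-06-17T10:03:05Z PROC bcdedit.exe /set {default} recoveryenabled No",
    "2020-06-17T10:05:00Z PS-4104 Get-WmiObject Win32_Shadowcopy | Select-Object ID, InstallDate",
]

# Each rule targets one way of removing recovery options. The last sample line
# only enumerates shadow copies, so it must not match.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("powershell_wmi_shadowcopy_delete", re.compile(r"win32_shadowcopy.*\.delete\(", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
]


def parse_line(line: str):
    """Split a constructed log line into (timestamp, source, text)."""
    ts, source, text = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, text


def scan(lines):
    """Return (timestamp, rule_name, text) for every line that matches a rule."""
    hits = []
    for line in lines:
        ts, _source, text = parse_line(line)
        for name, pattern in RULES:
            if pattern.search(text):
                hits.append((ts, name, text))
    return hits


def correlate(hits, window=timedelta(minutes=5), min_rules=2):
    """Alert only when at least `min_rules` distinct rules fire inside `window`.

    A lone vssadmin call can be an administrator; vssadmin plus bcdedit plus a
    WMI delete within minutes is the pre-encryption pattern described above.
    """
    hits = sorted(hits)
    for i, (start, _, _) in enumerate(hits):
        names = {name for ts, name, _ in hits[i:] if ts - start <= window}
        if len(names) >= min_rules:
            return True
    return False


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for ts, name, text in found:
        print(f"{ts.isoformat()}  {name:34}  {text}")
    print("ALERT" if correlate(found) else "no alert")
```

In production the same rules map naturally onto Sysmon event ID 1 (process creation) and PowerShell event ID 4104 (script block logging); the correlation window is the knob that trades false positives from backup administrators against detection latency.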

Once all the files are encrypted, it changes the desktop background to the following image:

Sodinokibi Background.

Lastly, it drops a ransom note in every folder containing encrypted files.

Sodinokibi Ransom Note.

Unfortunately, there is no universal decryptor for this family, which means the attacker's private key is required to decrypt the files.

During the attack, we noticed that the company's website was offline, showing a database-related error message, which may also be connected to the attack.

Light WebSite Offline During Ransomware Attack.
Registry Keys:

Sodinokibi Actor ID:

Sodinokibi Campaign ID:

Public Encryption Key (base64 encoded):

C2 Servers:

Please find a list here:

[1] https://malpedia.caad.fkie.fra...
