Word Wall Black Red
CYBER RESEARCH

Immunity TeamJune 30, 2020

Electric Company Ransomware Attack

Calls for $14 Million in Ransom

Share


Light S.A., a Brazilian based electrical energy company was recently affected by ransomware where the cybercriminals demanded a payment of 14 million U.S. dollars.

The company issued comments to a local newspaper confirming the attack, however, technical details were not disclosed by the company.

Twitter Post from Light SA Official Account, Confirming the Attack

Our malware analysis team had access to the binary that was likely used in the attack and we were able to confirm that the sample is from a family known as Sodinokibi (aka REvil). Althought we can't confirm that this was the exact same file used in the attack, the evidence points to being connected to the Light SA breach, such as the ransom price, for example. The sample was automatically collected by AppGate Labs on June 17, 2020 through our live hunting process, and as the binary was sent to a public sandbox, this suggests someone from the company submitted that file attempting to understand how it works.

Machine Infected with Sodinokibi Sample.

The sample is packed and works the same as other binaries that we have already identified from this family, and once unpacked, we were able to decrypt its configuration and access relevant data about the threat, such as the actor / campaign ID, and the URL in which the victim must access to get instructions.

Ransomware Attack Asking 14,000,000 USD.

According to the page that is hosted in the deep web, the ransom amount must be paid using the virtual currency Monero, and prior to June 19, the total was 106,870.19 XMR, which is equivalent to 7 million USD. However, since the deadline has passed, the price has doubled to 14 million US dollars. The whole attack looks very professional, the web page even includes a chat support, where the victim can speak directly with the attacker. Sodinokibi works as a RaaS (Ransomware as a Service) model, and the group behind the operation seems to be affiliated to "Pinchy Spider", which is the same group behind GandCrab ransomware[1].

Deep Web Panel


With the URL collected from the binary, we were able to access the webpage (hosted on deep web) and confirm details about the attack. First thing of notice is the ransom price, which is extremely high and likely due to the affected company belonging to an important sector.

Ransomware Asking for 7,000,000 USD Before Deadline.

There is an ‘About Us’ which contains a small overview about the Sodinokibi family.

Sodinokibi Description According to the Web Page.

Also, it provides an online chat support, where the victim can interact with the attackers. In the images below, we can see that someone reached out to the attacker. We decided to censor the images to reduce the exposure of the person involved.

Sodinokibi Chat Support.


At the end of the chat we can see that the attacker sends a file that is supposedly confidential, proving to the victim that the data can be decrypted and also suggesting that file was probably stolen from the company's network.

Decrypted “_Confidencial.xlsx” File Sent by Attacker.

Technical Details


The main file is packed and it uses two shellcodes streams for unpacking and execution process. First, it allocates a memory space using “LocalAlloc[2]” API, writes an encrypted shellcode to it, and transfers execution once decrypted.

Sodinokibi Decrypting First Shellcode.

This shellcode unpacks Sodinokibi along with a second shellcode, which will eventually load the final binary to memory.

Second Shellcode Along with Unpacked Sodinokibi.

Finally, the shellcode injects the unpacked Sodinokibi binary into the same process space, by wiping the original PE file from memory and writing the new PE.

Sodinokibi Self-Injection.

The binary is highly configurable, the setting is encrypted with RC4 and it’s usually stored in a randomly named section, and in this case the section name is “.cfg”.

Sodinokibi Encrypted Configuration Stored on PE Section.

Upon execution, it will decrypt the content of this section into an allocated memory space.


Sodinokibi Decrypting its Configuration.

The decrypted configuration is presented in a JSON format and contains several options used by the Malware.

Key

Type

Description

dbg

Boolean

If true, ignores keyboard layout check

dmn

List of strings

List of domains for communication (C2 servers)

exp

Boolean

If true, enables privilege escalation using CVE-2018-8453 as exploit

fast

Boolean

If true, it encrypts just a part of the file

img

String

Message displayed on desktop background

nbody

String

Contents of the “readme” file (base64 encoded)

net

Boolean

If true, sends POST requests to the C2 servers

nname

String

Name of “readme” file

pid

String

Actor ID

pk

String

Public encryption key (base64 encoded)

prc

List of strings

Process to terminate

sub

String

Campaign ID

wfld

List of strings

List of folders to wipe

wht

Dictionary

Contains information about whitelist (to skip encryption)

wht.ext

List of strings

Whitelisted extensions

wht.fld

List of strings

Whitelisted folders

wht.fls

List of strings

Whitelisted files

wipe

Boolean

If true, wipes the folders specified in “wfld”


An interesting capability not utilized by this specific sample is if “exp” is “true”, it tries to escalate privileges by exploiting a vulnerability in “win32k.sys” (CVE-2018-8453[3]) with both 32-bit and 64-bit versions of the exploit, using a technique known as “Heaven’s Gate[4]” to execute 64 bit code in a 32 bit process, located in the “.rdata” section of the PE file.

Code Decrypting and Executing the Shellcode.

Also, if the “dbg” option is set to “false”, the malware will check the UI language and the keyboard layout of the infected machine.

Keyboard Layout Verification.

Above, we can see that this Ransomware has a whitelist based on location, if the return value[5] matches any value of the list, it will not encrypt files in the machine.

Furthermore, it uses PowerShell to delete Windows shadow copies.

Sodinokibi Deleting Windows Shadow Copies.

Once encrypting all the files, it changes the background with the following image:

Sodinokibi Background.

Lastly, it appends a ransom note to every folder where encrypted files can be found.

Sodinokibi Ransom Note.

Unfortunately, there is no global decryptor for the family, which means that the attacker's private key is required to decrypt the files.

During the period of the attack, we noticed that the company’s website was offline, presenting an error message related to the database, which could be related to the attack.

Light WebSite Offline During Ransomware Attack.

IOCs

SHA1:

f09e5e72b433d11a32efe2e5d63db0bc7b8def59

SHA256:

140f831ddd180861481c9531aa6859c56503e77d29d00439c1e71c5b93e01e1a

SSDEEP:

3072:oCc99moUMXv84IHesgkSx+oN/7KzTKDyOX6wKamrJPlM8dj09br:oCc9wHRtg9xkNq6wK7dq40

Mutex:

Global\57E6EA0F-4648-EF95-9F98-C3221B4D31F9

Registry Keys:

HKLM\SOFTWARE\Facebook_Assistant\s17

HKLM\SOFTWARE\Facebook_Assistant\JYhB

HKLM\SOFTWARE\Facebook_Assistant\jH5dJ

HKLM\SOFTWARE\Facebook_Assistant\nsWSeU

HKLM\SOFTWARE\Facebook_Assistant\CSGtvzp

HKLM\SOFTWARE\Facebook_Assistant\cDQ1QZoS

Sodinokibi Actor ID

$2a$10$D/hOr8pZfTXyeVodyREcseBOlXf2dcLmqmQJTa4y2uSfGkhEZXq62

Sodinokibi Campaign ID

4430

Public Encryption Key (base64 encoded)

5OflM/v+EILgBXm+0q5qAVIHbpAd3zVkD2aFdBKJe0g=

C2 Servers:

Please find a list here:

https://pastebin.com/nf0i13zc

[1] https://malpedia.caad.fkie.fra...

[2] https://docs.microsoft.com/en-...

[3] https://www.cvedetails.com/cve...

[4] http://www.alex-ionescu.com/?p...

[5] https://docs.microsoft.com/en-...


Receive News and Updates From Appgate