3 July 2020

Sodinokibi ransomware gang hits electrical energy company Light S.A, demands a $14 million ransom

The hacker group behind the Sodinokibi ransomware, also known as REvil, has compromised the Brazil-based electrical energy company Light S.A. and is now demanding a $14 million ransom in exchange for a tool to restore the encrypted files.

Light S.A. has confirmed the incident to a local newspaper, but declined to reveal details about the cyber attack, only saying that “the hackers have invaded the system and sent a virus that encrypts all Windows system files.”

According to AppGate’s security researchers, who have obtained a sample of the malware allegedly used in the attack, the malware in question is the Sodinokibi ransomware.

“Although we can't confirm that this was the exact same file used in the attack, the evidence points to it being connected to the Light SA breach, such as the ransom price, for example,” the researchers said.

AppGate said the sample was collected on June 17, 2020, after it was uploaded to a public sandbox, suggesting that someone from the company submitted the file in an attempt to understand how it works.

The sample is packed and exhibits behavior similar to that of other binaries previously identified as belonging to the Sodinokibi family. During the analysis the researchers were able to decrypt the embedded configuration and recover data about the ransomware, including the actor / campaign ID and the URL given to victims for instructions on how to pay the ransom.
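To make concrete what "decrypting the configuration" of such a sample yields, here is an added, self-contained example; it is not AppGate's tooling and not code from the page. The blob layout (a 32-byte RC4 key, a CRC32 of the plaintext, a length, then RC4-encrypted JSON), the field names `pid`, `sub` and `nbody`, and the sample configuration and ransom note are all assumptions constructed for illustration, not values taken from the Light S.A. sample.

```python
import base64
import json
import re
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Assumed blob layout (illustrative, not the real binary's):
#   32-byte RC4 key | 4-byte CRC32 of plaintext (LE) | 4-byte length (LE) | ciphertext
KEY_LEN = 32
HEADER = struct.Struct("<II")


def build_blob(key: bytes, config: dict) -> bytes:
    """Pack a config dict the way the (assumed) malware layout would store it."""
    plaintext = json.dumps(config).encode()
    return key + HEADER.pack(zlib.crc32(plaintext), len(plaintext)) + rc4(key, plaintext)


def extract_config(blob: bytes) -> dict:
    """Recover the JSON config from a blob; the CRC check catches a wrong key or a corrupted blob."""
    key = blob[:KEY_LEN]
    crc, length = HEADER.unpack_from(blob, KEY_LEN)
    start = KEY_LEN + HEADER.size
    ciphertext = blob[start:start + length]
    if len(ciphertext) != length:
        raise ValueError("truncated config blob")
    plaintext = rc4(key, ciphertext)
    if zlib.crc32(plaintext) != crc:
        raise ValueError("CRC mismatch: wrong key or corrupted blob")
    return json.loads(plaintext)


URL_RE = re.compile(r"https?://\S+")


def summarize(config: dict) -> dict:
    """Pull out the analyst-relevant fields: actor ID, campaign ID and the victim-facing URL(s) in the note."""
    note = base64.b64decode(config["nbody"]).decode()
    return {
        "actor_id": config["pid"],        # assumed field name
        "campaign_id": config["sub"],     # assumed field name
        "payment_urls": URL_RE.findall(note),
    }


# Constructed sample input (not from any real sample).
SAMPLE_NOTE = "Your files are encrypted. Visit http://example.invalid/pay/{UID} for instructions."
SAMPLE_CONFIG = {
    "pid": "actor-key-placeholder",
    "sub": "1234",
    "nbody": base64.b64encode(SAMPLE_NOTE.encode()).decode(),
}
SAMPLE_KEY = bytes(range(KEY_LEN))
SAMPLE_BLOB = build_blob(SAMPLE_KEY, SAMPLE_CONFIG)

if __name__ == "__main__":
    print(summarize(extract_config(SAMPLE_BLOB)))
```

The CRC check is the practical part: when carving a config out of a packed sample you rarely know you have the right key offset until the decrypted bytes validate, and a checksum over the plaintext is a cheap way to tell a correct decryption from garbage before handing it to a JSON parser.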

Using the URL recovered from the binary, the researchers reached the attackers' payment page, hosted on the deep web. The page informed the victim that a ransom of 106,870.19 XMR (Monero) was due by June 19; with that deadline passed, the demand has roughly doubled to 215,882.8 XMR (approx. $14 million). The same page contains information about the Sodinokibi family and provides an online chat through which the victim can negotiate with the attackers.

Sodinokibi is offered as a RaaS (Ransomware as a Service) and is operated by a threat actor likely affiliated with "Pinchy Spider", the group behind the GandCrab ransomware.

The researchers noted that the obtained Sodinokibi sample carries both 32-bit and 64-bit exploits for CVE-2018-8453, a Windows win32k.sys elevation-of-privilege vulnerability, which it uses to escalate privileges on the infected host.

AppGate also pointed out that currently there is no global decryptor for the family, “which means that the attacker's private key is required to decrypt the files.”
