3 July 2020

Sodinokibi ransomware gang hits electrical energy company Light S.A, demands a $14 million ransom

The hacker group behind the Sodinokibi ransomware, also known as REvil, has compromised the Brazil-based electrical energy company Light S.A. and is now demanding a $14 million ransom in exchange for a tool to restore the encrypted files.

Light S.A. has confirmed the incident to a local newspaper, but declined to reveal details about the cyber attack, only saying that “the hackers have invaded the system and sent a virus that encrypts all Windows system files.”

According to AppGate’s security researchers, who have obtained a sample of the malware allegedly used in the attack, the malware in question is the Sodinokibi ransomware.

“Although we can't confirm that this was the exact same file used in the attack, the evidence points to being connected to the Light SA breach, such as the ransom price, for example,” the researchers said.

AppGate said the sample was collected on June 17, 2020, after it was uploaded to a public sandbox, suggesting that someone from the company submitted the file in an attempt to understand how it works.

The sample is packed and exhibits behavior similar to that of other binaries previously identified as belonging to the Sodinokibi family. During the analysis the researchers were able to decrypt the configuration and access data about the ransomware, including the actor / campaign ID and the URL given to victims to obtain instructions on how to pay the ransom.

Using the URL extracted from the binary, the researchers gained access to the attacker’s webpage hosted on the deep web. The page informed victims that they needed to pay a ransom of 106,870.19 XMR (Monero) by June 19; as the deadline has passed, the ransom amount has doubled to 215,882.8 XMR (approx. $14 million). The same web page contains information about the Sodinokibi family and provides an online chat support channel where the victim can interact with the attackers.

Sodinokibi is available as a RaaS (Ransomware as a Service) and is operated by a threat actor likely affiliated with "Pinchy Spider", the group behind the GandCrab ransomware.

The researchers noted that the obtained Sodinokibi sample uses 32-bit and 64-bit exploits for the CVE-2018-8453 vulnerability to escalate privileges.

AppGate also pointed out that currently there is no global decryptor for the family, “which means that the attacker's private key is required to decrypt the files.”
