The hacker group behind the Sodinokibi ransomware, also known as REvil, has compromised the Brazil-based electrical energy company Light S.A. and is now demanding a $14 million ransom in exchange for a tool to restore the encrypted files.
Light S.A. has confirmed the incident to a local newspaper, but declined to reveal details about the cyber attack, only saying that “the hackers have invaded the system and sent a virus that encrypts all Windows system files.”
According to AppGate’s security researchers, who have obtained a sample of the malware allegedly used in the attack, the malware in question is the Sodinokibi ransomware.
“Although we can't confirm that this was the exact same file used in the attack, the evidence points to it being connected to the Light SA breach, such as the ransom price, for example,” the researchers said.
AppGate said the sample was collected on June 17, 2020, after it was uploaded to a public sandbox, suggesting that someone from the company submitted the file in an attempt to understand how it works.
The sample is packed and exhibits behavior similar to that of other binaries previously identified as belonging to the Sodinokibi family. During the analysis the researchers were able to decrypt the configuration and access data about the ransomware, including the actor / campaign ID and the URL provided to victims to get instructions on how to pay the ransom.
Using the URL collected from the binary, the researchers got access to the attacker’s webpage hosted on the deep web. The page informed victims that they needed to pay a ransom of 106,870.19 XMR (Monero) by June 19; however, as the deadline has passed, the ransom amount has doubled to 215,882.8 XMR (approx. $14 million). The same web page contains information about the Sodinokibi family and provides an online chat support, where the victim can interact with the attackers.
Sodinokibi is available as a RaaS (Ransomware as a Service) and is operated by a threat actor likely affiliated with "Pinchy Spider", the group behind the GandCrab ransomware.
The researchers noted that the obtained Sodinokibi sample carries 32-bit and 64-bit exploits for the CVE-2018-8453 vulnerability, which it uses to escalate privileges.
AppGate also pointed out that currently there is no global decryptor for the family, “which means that the attacker's private key is required to decrypt the files.”