Ransomware Payments Are Up By 33% In Q1 2020 With Sodinokibi Leading the Pack

It seems like 2020 is going to go down in history as the year of infections. Not only is the world coping with a pandemic, but there has also been a fivefold increase in cyberattacks in the last few months. You can probably blame the astronomical increase in virtual offices and work from home policies caused by the global health crisis.

In their 2019 Cybercrime report, the Hervajec Group estimates that by 2021 there will be an accumulated loss of up to 3 trillion dollars due to cyber attacks. That’s a steep increase from 2015’s prediction of 2 trillion dollars. Hervajec believes that one of the main reasons for the sudden increase has to do with how refined cybercrime tools have become in the last couple of years.

Aside from phishing and malware, software vulnerabilities are one of the biggest risks for companies, for example, several minutes of footage from the upcoming game The Last of Us 2 got leaked online due to a vulnerability in the code of previous games.

Companies hiring outsourcing services to develop software should always be on the lookout for reputable partners, keeping an eye out for third-party developers with certifications like ISO-27001 or GDPR. Check out the following to link to see an example of a software developer who complies with both certificates: https://www.bairesdev.com/software-development-services/software-outsourcing/

Out of all the malware out there, ransomware has been catching the eye of security experts, as this method has spiked since 2018. In fact, more and more companies are going against the FBI’s recommendations and paying hackers to recover their encrypted data.

2020 has been the worst year yet as the average sum of ransom payments is up to $111,605. And while a minority of those afflicted pay the ransom, enough companies are doing it to keep hacker groups targeting large-scale enterprises.

Anoncoins and Sodinoki

One of the biggest promises with the advent of bitcoin was that people would be able to make transactions without leaving a trace on financial systems. But that doesn’t mean that bitcoin is actually anonymous: every single transaction is permanently saved and publicly available. So anyone who knows what to look for can trace transactions all over the globe.

Hackers have taken advantage of bitcoin’s relative privacy to move stolen money around but, given bitcoin’s nature, enforcers can track down those transactions and catch the cybercriminals.

Over the last decade, several cryptocurrencies, commonly known as “anoncoins”, have appeared offering what bitcoin cannot: absolute privacy. And while many people opt to work with these currencies out of security concerns, they can also be exploited by those who operate ransomware or phishing scams.

With anoncoins growing in popularity, it’s getting harder for security enforcers to follow the blockchains and catch the culprits. For example, Sodinokibi’s targeted victims are being asked to make their payments with Monero, a cryptocoin that is so “private” that, as of yet, it’s impossible to see who much money is transferred between parties.

Right now, Sodinokibi’s webpage still allows for victims to pay their ransom with bitcoins with a 10% extra fee. Experts might be able to trace the money for a while but, as soon as it hits the Monero blockchain, it’s just too difficult to follow.

Security experts fear that Sodinokibi’s success with Monero might motivate other hacker groups to make the change, which in turn may lead to more and bigger cyberattacks in the following months.

Sodinokibi 2.2

Cryptocurrency is only one side of the issue. The fact that Sodinokibi is constantly getting updated also causes concern. The Intel471 Malware Intelligence group released a blog post detailing the changes in the latest version of the Revil ransomware (Sodinokibi’s other name).

Sodinokibi has always been highly adaptable. Once it has infected a system the operator can customize the way it behaves on the host. So, for example, they can choose which files to encrypt, when to encrypt them, and what message to show the victim.

The biggest change so far is that the developers of Sodinokibi have added a function to the malware to use Windows Restart Manager to force terminate processes designed to lock files that are targeted for encryption.

If a file is being used by another process, Windows usually prevents edits to avoid problems (for example, the error message a person gets when they try to delete an opened file). Revil 2.2 shuts down the process that prevents the edit so that it may encrypt the file.

The fact that the operators are using the Windows Restart Manager’s API is both a blessing and a curse. On one hand, it means encrypted files may be easier to decrypt. But, on the other hand, more files may end up getting encrypted in the first place.

Don´t pay the ransom

Security experts have stated time and time again that the worst thing a company can do is to pay for the ransom. Instead, most firms recommend having tighter security measures at the workplace, as well as keeping regular backups of all files.

No company should have to pay for their information, especially when the alternative can be as easy as doing a fresh install on a computer.