LTS Secure Warning: Everything You Need To Know About Sodinokibi Ransomware

A recently disclosed remote code execution (RCE) vulnerability affecting servers running Oracle WebLogic is being exploited in the wild to deploy a new ransomware variant dubbed “Sodinokibi.”

The vulnerability affects the following Oracle WebLogic Server versions:

  • 10.3.6.0
  • 12.1.3.0

The WebLogic vulnerability used to deliver Sodinokibi has been assigned a CVSS score of 9.8.

Technical Details

The vulnerability allows an attacker with HTTP access to the Oracle WebLogic server to execute code remotely. The attacker sends a crafted HTTP POST request that exploits the vulnerability to execute commands. Once the vulnerability is successfully exploited, the attacker uses PowerShell and certutil commands to download an executable from a remote server and then runs it via cmd. The downloaded executable is a new variant of ransomware dubbed “Sodinokibi.”

Sodinokibi, like most other ransomware, is designed to encrypt all the files on the victim’s device; it also deletes the shadow copy backups from the infected system to ensure the victim has no choice but to pay the ransom.

Once dropped, the ransomware activates itself, begins encrypting the victim’s device and leaves a ransom note demanding a payment of up to $2,500 in Bitcoin. If the ransom is not paid within the specified time, the amount doubles.


Impact

  • Loss of productivity
  • Downtime in business-critical operations
  • Damage to hostage systems, data, and files


Recommended Actions

  • Ensure that your WebLogic Server is updated with the latest patch.
  • Restrict external access to the /_async/* and /wls-wsat/* URL paths using access policy controls.
  • Run the WebLogic process under an account with restricted privileges.
  • Maintain a Disaster Recovery Plan (DRP) that includes maintaining and testing data backups and recovery procedures.
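To check whether the second recommendation is holding, here is an added example (not part of the advisory) that scans web-server access-log lines for requests to the /_async/* and /wls-wsat/* paths coming from outside a trusted network. The log format, the trusted 10.0.0.0/8 range and the sample lines are constructed assumptions; it also decodes percent-encoded paths so a disguised /%5Fasync/ request is still caught.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.5.12 - - [30/Apr/2019:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120
203.0.113.45 - - [30/Apr/2019:10:02:17 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
198.51.100.7 - - [30/Apr/2019:10:03:44 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1337
10.0.5.30 - - [30/Apr/2019:10:04:10 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 200 0
203.0.113.45 - - [30/Apr/2019:10:05:01 +0000] "GET /%5Fasync/AsyncResponseService?x=1 HTTP/1.1" 200 0
"""

# Assumption: internal clients that may legitimately reach these services.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# The URL paths named in the advisory's recommended actions.
EXPOSED_PREFIXES = ("/_async/", "/wls-wsat/")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalise_path(target):
    """Drop the query string and percent-decode so /%5Fasync/ matches /_async/."""
    return unquote(urlsplit(target).path)

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_exposed_requests(log_text):
    """Return (ip, method, path, status) for each request to an exposed path from an untrusted source."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than silently mis-matching
        path = normalise_path(m["target"])
        if path.startswith(EXPOSED_PREFIXES) and not is_trusted(m["ip"]):
            hits.append((m["ip"], m["method"], path, int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in find_exposed_requests(SAMPLE_LOG):
        print("untrusted access to exposed WebLogic path:", hit)
```

Any hit means the path restriction is not in effect for that source; a burst of POSTs to these paths from one external address is worth escalating.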