Since the discovery of Sodinokibi ransomware last April, cybercriminals have reportedly been attempting to infect networks with the malicious encryption program through a growing number of vectors, including supply chain attacks, spam, and malvertisements that redirect victims to an exploit kit.
Sodinokibi encrypts data found in the user directory and prevents data recovery by leveraging the Microsoft Windows vssadmin.exe utility to delete any “shadow copies.” When first uncovered by researchers at Cisco’s Talos division, it was observed spreading via a remotely exploitable vulnerability in the Oracle WebLogic Server.
But in the ensuing two months, Sodinokibi affiliates began spreading the ransomware in a wide variety of ways. Just last week, ZDNet reported that attackers were compromising managed service providers to attack their clients with the ransomware via a supply chain attack.
And Bleeping Computer reported that the malicious actors are similarly compromising software distribution websites to infect their site visitors.
Italian cybersecurity firm TG Soft told the news outlet that a distributor for WinRar in Italy was one such victimized website.
The ransomware attacks executed through MSPs were first reported by users on the r/msp subreddit, who warned that adversaries were accessing MSP networks via Remote Desktop Services and then pushing the ransomware to client endpoints using various management consoles such as Webroot, Kaseya and ConnectWise. (The news reports also received similar intelligence from Kyle Hanslovan, CEO of Huntress Labs.)
Bleeping Computer also detailed a new phishing campaign, discovered by TG Soft, which sent potential victims spam emails impersonating travel website Booking.com. The emails contained a malicious Word document attachment that would download Sodinokibi from a remote site if the recipient enabled its embedded macros.
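Two of the behaviours described above leave clear traces in endpoint process-creation telemetry: the `vssadmin.exe` shadow-copy deletion that precedes encryption, and an Office application spawning a script host when a malicious macro is enabled. The following is an added example of how a defender might triage such logs for both patterns; it is not code from Talos, TG Soft, Bleeping Computer or any other party named in the article. The pipe-delimited event format and the sample events are constructed for illustration, the set of Office and script-host process names is an assumption, and the `resize shadowstorage` check generalises beyond the article's `delete shadows` case to another command that purges shadow copies.

```python
"""
Process-creation log triage for two behaviours associated with Sodinokibi:
  1. shadow-copy deletion via vssadmin.exe (impact stage), and
  2. an Office application spawning a script host (macro-enabled document).

Added example with constructed sample data; not real telemetry and not the
code of any vendor or researcher named in the article.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed events, one per line:  timestamp|host|parent_image|image|command_line
SAMPLE_EVENTS = """\
2019-06-21T10:02:11|WS-17|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2019-06-21T10:02:13|WS-17|C:\\Users\\a\\Desktop\\x.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2019-06-21T10:05:40|WS-22|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -w hidden -c "<constructed: payload redacted>"
2019-06-21T10:06:02|WS-22|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\splwow64.exe|splwow64.exe 12288
"""

# Assumed process-name sets; tune to the environment being monitored.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    rule: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_shadow_copy_deletion(image: str, command_line: str) -> bool:
    """True for vssadmin invocations that remove or starve shadow copies.

    'delete shadows' is the form the article describes; 'resize shadowstorage'
    is a generalisation (shrinking the store evicts existing copies).
    """
    if _basename(image) != "vssadmin.exe":
        return False
    tokens = [t.lower() for t in command_line.split()]
    if "delete" in tokens and "shadows" in tokens:
        return True
    return "resize" in tokens and "shadowstorage" in tokens


def is_office_spawning_script_host(parent_image: str, image: str) -> bool:
    """True when an Office process is the direct parent of a script host,
    the typical shape of a macro that fetches a second-stage payload."""
    return _basename(parent_image) in OFFICE_PARENTS and _basename(image) in SCRIPT_HOSTS


def parse_event(line: str) -> Optional[dict]:
    """Split one pipe-delimited event; the command line may itself contain
    no pipes in this constructed format, so a fixed 5-way split suffices."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    timestamp, host, parent_image, image, command_line = parts
    return {"timestamp": timestamp, "host": host, "parent_image": parent_image,
            "image": image, "command_line": command_line}


def triage(log_text: str) -> List[Finding]:
    """Run both rules over every event and return the findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue  # skip malformed lines rather than abort the sweep
        if is_shadow_copy_deletion(ev["image"], ev["command_line"]):
            findings.append(Finding(ev["timestamp"], ev["host"],
                                    "shadow_copy_deletion", ev["command_line"]))
        if is_office_spawning_script_host(ev["parent_image"], ev["image"]):
            findings.append(Finding(ev["timestamp"], ev["host"],
                                    "office_spawns_script_host", ev["command_line"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host} {f.rule}: {f.command_line}")
```

Run against the constructed sample, the benign `vssadmin list shadows` and the Word-spawned print helper are ignored, while the `Delete Shadows /All /Quiet` call and the Word-to-PowerShell launch are each reported once. Matching on the executable's base name rather than the full path keeps the rules stable across install locations, and tokenising the command line avoids brittle substring matches on spacing or case.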
And in a follow-up story just yesterday, Bleeping Computer cited a warning from exploit kit researcher nao_sec, who discovered that Sodinokibi was also being distributed via malvertisements on the PopCash ad network that redirect to the RIG exploit kit.