Cybersecurity Threat Advisory 008-20: Sodinokibi Ransomware
We have previously issued advisories on Sodinokibi Ransomware in Threat Advisory 0034-19 and Threat Advisory 0021-19. The same strand recently hit a Colorado Based MSP Synoptek and the foreign currency exchange Travelex. Sodinokibi has been particularly damaging and warrants extra ransomware precautions. Refer to the recommendations section below for actionable changes such as turning off macros in Microsoft Office and instituting strong email and endpoint protection software.
Technical detail and additional information
What is the threat?
Ransomware is a form of malware designed to disrupt system services by infecting a device, encrypting critical information, and compromising the network by propagating to other devices. Victims are forced to pay a ransom fee to the owners of the malware in order to decrypt their files and remove the infection. The Sodinokibi strain is particularly dangerous because it is difficult to detect. Most antivirus vendors do not flag the initial attack payload as malicious.
Why is this noteworthy?
Synoptek is not the only IT provider to be hit with Sodinokibi. Earlier in the month the IT service company Complete Technology Solutions was infected with the malware strain. The IT provider PercSoft was also hit with the ransomware back in August. The creators of the malware have also raised the stakes by announcing that they plan on releasing stolen data from companies who try to avoid paying the ransom. This could potentially result in widespread data leaks and unauthorized access to confidential company information.
What is the exposure or risk?
Synoptek issued the following statement:
“On Dec. 23, we experienced a credential compromise which has been contained. We took immediate action and have been working diligently with customers to remediate the situation. We are 100 percent focused on assuring all customer impact is identified and resolved at this time”
Synoptek has over 1,000 customers that could potentially be at risk of having their information exposed. Since Synoptek has taken the proactive action of paying the ransom they have likely mitigated this risk. Despite this, ransomware infections should remain at the top of the list of concerns for any MSP. These infections not only put the services of the provider at risk, they also threaten all their clients’ networks and personal information.
What are the recommendations?
- Ensure that users have strong and complex passwords in place.
- Provide security awareness training to users to spot phishing emails.
- Utilize a strong next-gen endpoint protection that blocks malware such as SKOUT Endpoint Protection.
- Utilize email protection service that can spot malicious emails and attachment before users interact with it such as SKOUT Email Protection.
- Ensure users have the least amount of privileges on their accounts.
- Turn off macros in Microsoft Office. Documents that require macros should never be received through email.
- Use a trusted web proxy, this will typically block connections attempting to be made to malware command and control (CnC) servers.
- Make sure your system is kept up to date with the latest patches and updates.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.