Sodinokibi Ransomware Now Scans Networks For PoS Systems

PoS ransomware

Attackers are compromising large companies with the Cobalt Strike malware, and then deploying the Sodinokibi ransomware.

Cybercriminals behind recent Sodinokibi ransomware attacks are now upping their ante and scanning their victims’ networks for credit card or point of sale (PoS) software. Researchers believe this is a new tactic designed to allow attackers to get the biggest bang for their buck – ransom payments and credit card data.

Threatpost Webinar Promotion: The Enemy Within: How Insider Threats Are ChangingThe compromise of PoS software – which is commonly installed on credit card terminals at retailer stores or restaurants – is a cybercriminal favorite for siphoning credit card information from unknowing customers. In this campaign, researchers found the Sodinokibi ransomware sniffing out PoS systems on the compromised networks of three “large” unnamed companies in the services, food, and healthcare sectors.

However, it’s not yet clear whether the attackers are targeting this PoS software to encrypt it as part of the ransomware attack, or because they want to scrape the credit card information on the systems as a way to make even more money in addition to the ransomware attack.

“While many of the elements of this attack are ‘typical’ tactics seen in previous attacks using Sodinokibi, the scanning of victim systems for PoS software is interesting, as this is not typically something you see happening alongside targeted ransomware attacks,” said Symantec researchers in a Tuesday analysis. “It will be interesting to see if this was just opportunistic activity in this campaign, or if it is set to be a new tactic adopted by targeted ransomware gangs.”

Steve Doherty, Symantec threat intelligence analyst, told Threatpost that the PoS scanning payload was observed being downloaded from Pastebin. It scans for processes related to PoS software, he said.

The Campaign

Before delivering the Sodinokibi ransomware, the attackers first compromised companies with the Cobalt Strike commodity malware. As part of this campaign, researchers found eight organizations with the Cobalt Strike commodity malware on their systems. Attackers would not execute the ransomware on all of these firms – only three of the eight Cobalt Strike victims were found to be additionally infected by the Sodinokibi ransomware.

“Cobalt Strike is leveraged by the attackers in the earlier stages of the attack,” Doherty told Threatpost. “Once they have performed lateral traverse and obtained privileged credentials, they would then be in a position to deploy Sodinokibi. It’s also possible that they only deployed Sodinokibi onto networks of organizations that would be in a position to pay the ransom.”

Cobalt Strike is an off-the-shelf tool that can be used to load shellcode onto compromised systems, said researchers. It has legitimate uses as a penetration testing tool but is frequently exploited by malicious actors, they said. Cobalt Strike attacks typically begin by exploiting vulnerable network devices or launching brute-force attacks on Remote Desktop Protocol (RDP) servers. Researchers believe that these initial infection tactics were also utilized in this most recent campaign.

After initially infecting the companies, the attackers then utilized living-off-the-land tactics, where legitimate tools are used to avoid detection. For instance, researchers observed attackers using a legitimate remote admin client tool by NetSupport Ltd, which was used to install components during the campaign. They also used encoded PowerShell commands, which is a legitimate Windows command line tool that is frequently abused by malicious actors.

“The attackers in this campaign also use ‘legitimate’ infrastructure to store their payload and for their command and control (C&C) server,” said researchers. “The attackers are using code-hosting service Pastebin to host their payload (the Cobalt Strike malware and Sodinokibi) and are using Amazon’s CloudFront service for their C&C infrastructure, to communicate with victim machines.”

The attackers then used Cobalt Strike to perform credential theft on their targets’ machines. They were also observed adding their own fake user accounts, which researchers believe is an attempt to maintain persistence on systems and to keep a low profile on networks.

“Once on a network, the attackers take various steps to reduce the chance they will be detected and to increase the chances of their attack working,” said researchers. “The attackers attempt to disable any security software on the machine so their activity can’t be detected. They also enable remote desktop connections so they can use them to launch malicious commands.”


On certain companies, the attacker would then download the Sodinokibi ransomware. Using this ransomware they would then encrypt the victim’s data and request a ransom of $50,000 in the Monero cryptocurrency, in exchange for decrypting the data. If companies don’t pay within the first three hours, the ransom is increased to $100,000.

Sodinokibi (aka REvil) first appeared in April 2019 and has since appeared in several high-profile cyberattacks, such as one earlier in January that targeted Travelex and another that targeted a popular law firm that works with several A-list celebrities. Sodinokibi is thought to operate as a ransomware-as-a-service (RaaS), where one group maintains the code and rents it out to other groups, known as affiliates, who carry out attacks and spread the ransomware. Any profits made are then split between the affiliates and the original gang, said researchers.

In this particular campaign, the two food and services companies targeted in this campaign were primarily multinational companies, which researchers say were likely targeted because the attackers believed they would be willing to pay a large ransom to recover access to their systems. The third organization was a healthcare firm, which appeared to have been a smaller operation.

“Interestingly, this victim’s systems were also scanned by the attackers for PoS software,” said researchers. “It may be that the attackers realized this business might not be in a position to pay the large ransoms usually demanded in a Sodinokibi attack, and so scanned for PoS software to determine if they could profit from the compromise in another way, or they may have been scanning for this kind of software simply to encrypt it too.”

Threatpost has also reached out to Symantec researchers regarding how the scanning occurs – whether it’s done via a particular module deployed by the ransomware, or otherwise.  Regardless of the reasons behind the PoS scanning, researchers say that the campaign points to continual Sodinokibi activity.

“One thing that is clear is the actors using Sodinokibi are sophisticated and skilled and show no sign that their activity is likely to decrease anytime soon,” said researchers. “The companies targeted with this ransomware tend to be large corporate organizations, so companies like this need to be aware of the threat posed by this kind of activity.”

Insider threats are different in the work-from home era. On June 24 at 2 p.m. ET, join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyar, for a FREE webinar, “The Enemy Within: How Insider Threats Are Changing.” Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about itPlease register here for this Threatpost webinar.

Suggested articles