Kaspersky Lab researchers have discovered a file-encrypting ransomware called Sodin that demands a ransom in Bitcoin worth about $2,500.
Sodin exploits a Windows privilege-escalation vulnerability to gain elevated rights on the infected system, and it also abuses a feature of the processor architecture to hide from analysis, something rarely seen in ransomware.
Sodin appears to be sold on underground markets as Ransomware-as-a-Service (RaaS). Under such a scheme, the affiliates who distribute the malware normally hold the only key capable of decrypting a victim's files. Sodin's authors, however, built in a backdoor for themselves: a master key that lets them decrypt files without the affiliates' knowledge.
The attackers also used the Heaven's Gate technique, which is unusual for ransomware. It allows a 32-bit process running on 64-bit Windows (under WoW64) to execute 64-bit code directly, by switching to the 64-bit code segment. Many debuggers and emulators do not follow that switch, which makes the malicious code harder to analyze and harder for security products to detect.
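Because the segment switch is what debuggers and scanners miss, a static triage step is to look for the raw x86 encodings of that switch in a 32-bit sample. The following scanner is an added example written for this article, not Kaspersky Lab's detection logic and not code from the Sodin sample; it assumes the three textbook gate idioms (far jump, far call, or push/retf to code-segment selector 0x33) and uses a constructed byte buffer as input.

```python
import re
import struct
from typing import List, Tuple

# Heaven's Gate on WoW64: 32-bit code transfers control into the 64-bit
# code segment, selector 0x33. These are the raw x86 encodings of the
# common ways to do that. This is a constructed heuristic (assumption),
# not any vendor's signature.
HEAVENS_GATE_PATTERNS: List[Tuple[str, bytes, int]] = [
    # EA <imm32 offset> 33 00 : jmp far 0x33:offset (target at +1)
    ("jmp_far_0x33", rb"\xEA[\x00-\xFF]{4}\x33\x00", 1),
    # 9A <imm32 offset> 33 00 : call far 0x33:offset (target at +1)
    ("call_far_0x33", rb"\x9A[\x00-\xFF]{4}\x33\x00", 1),
    # 6A 33 68 <imm32> CB : push 0x33 ; push offset ; retf (target at +3)
    ("push_retf_0x33", rb"\x6A\x33\x68[\x00-\xFF]{4}\xCB", 3),
]

_COMPILED = [(name, re.compile(pat), off) for name, pat, off in HEAVENS_GATE_PATTERNS]


def scan_for_heavens_gate(blob: bytes) -> List[Tuple[str, int, int]]:
    """Return (pattern_name, file_offset, target_64bit_offset) for every
    0x33-selector transfer found in blob, sorted by file offset."""
    hits = []
    for name, pattern, target_at in _COMPILED:
        for m in pattern.finditer(blob):
            # The far target is a little-endian 32-bit offset inside the match.
            target = struct.unpack_from("<I", blob, m.start() + target_at)[0]
            hits.append((name, m.start(), target))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: a function prologue, a push/retf gate, NOP padding,
# then a far jmp gate. Not bytes from any real malware.
SAMPLE_BLOB = (
    b"\x55\x8B\xEC"                          # push ebp ; mov ebp, esp
    + b"\x6A\x33\x68\x00\x10\x40\x00\xCB"    # push 0x33 ; push 0x401000 ; retf
    + b"\x90" * 8                            # nop sled
    + b"\xEA\x78\x56\x34\x12\x33\x00"        # jmp far 0x33:0x12345678
    + b"\xC3"                                # ret
)

# Constructed benign bytes: push 0x33 without retf, and a far jmp back to
# the ordinary 32-bit code segment 0x23. Neither should be flagged.
BENIGN_BLOB = b"\x6A\x33\xC3" + b"\xEA\x00\x00\x00\x00\x23\x00"


if __name__ == "__main__":
    for name, offset, target in scan_for_heavens_gate(SAMPLE_BLOB):
        print(f"{name:15s} at file offset {offset:#06x} -> 64-bit target {target:#010x}")
    print("benign hits:", scan_for_heavens_gate(BENIGN_BLOB))
```

Run it over the code section of a 32-bit PE rather than the whole file to reduce noise, and treat a hit as a triage lead, not a verdict: the byte sequences can appear by chance in data, and a loader that computes the selector at runtime or builds the retf frame with separate instructions will not match any of these patterns.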
According to Kaspersky Lab, in most cases the infection requires no action on the victim's part. The attackers locate poorly protected servers running vulnerable software and install the ransomware on them without the victim noticing.
"Ransomware still remains a fairly common threat. However, this instance is quite a complicated and rare variety. Its uniqueness lies in the use of an unusual technique, launching 64-bit code from a 32-bit process, which greatly complicates the analysis of the malicious code as well as its detection by security solutions. By our estimates, a lot of resources were invested in the creation of this malware, which means its authors are likely to want to recoup the effort. We should therefore expect a surge in the number of Sodin attacks," said Fedor Sinitsyn, senior antivirus expert at Kaspersky Lab.
Kaspersky Lab products detect this ransomware as Trojan-Ransom.Win32.Sodin and block it. The vulnerability Sodin exploits, CVE-2018-8453 (a Windows privilege-escalation flaw), was previously used as a zero-day by the FruityArmor cyber-espionage group; Microsoft released a patch for it in October 2018, so systems with current updates are not exposed to this escalation step.
To avoid infection with the Sodin ransomware, Kaspersky Lab experts recommend:
- keep all software, including the operating system, updated to the latest versions, so that known vulnerabilities such as CVE-2018-8453 are patched;
- do not open suspicious email attachments or follow dubious links, even when they come from friends;
- use a reliable security solution;
- make regular backups of important data and store them separately from the working system (external storage, cloud storage, etc.), so that an encrypted machine can be restored without paying.