Hackers use fake BSI emails to deliver Sodinokibi ransomware

Sodinokibi ransomware devs started a new malspam campaign: phishing emails sent in the name of national German cybersecurity agency BSI

False BSI emails used for delivering Sodinokibi ransomwareHackers misusing the name of German BSI to spread Sodinokibi ransomware via email spam

A dangerous file-locking and ransom-demanding computer virus named Sodinokibi ransomware[1] has been lately spotted in the wild. Its grand entry was enormous, and it is believed to be the second major malware family of the notorious hacking group behind the already-retired GandCrab.[2]

Although Sodinokibi ransomware has already been actively distributed via exploits and software vulnerabilities, hackers have found ways to push the malware through email spam messages in the name of the national cybersecurity body BSI.

BSI-issued warning[3] claims that sender address of the phishing email is meldung@bsi-bund.org, and warns users about a completely fake data breach. To avoid being a victim of Sodinokibi ransomware developers, users should pay close attention to the Sender address (the original is bsi.bunde.de, not bsi-bund.org), and never open the attachments or click on links inside.

The malicious payload comes inside a ZIP file attachment

Getting a phishing message from threat actors is something that anyone can experience: all it takes is a data breach that leaked personal information previously. The harvested emails are then sold on the underground hacking forums. Thus, anyone can become a target.

Those unlucky ones who receive the fake email will see the following bogus message (the note has been translated to English, but its original version is written in the German language):

Subject: Warning message of compromised user data – Federal Office for Information Security
Dear Sirs and Madames,
The European Cybersecurity Act entered into force on 27 June 2019. Since then, the Federal Office for Information Security has been obliged to inform you about possible misuse of your data.
On July 14, 2019, several vulnerabilities were found on high-traffic websites, which led to the loss of personal information. After careful analysis of the datasets available to us, we can say that your data is part of this dataset, so we advise you to immediately change compromised passwords.

The malicious attachment that installs Sodinokibi ransomware comes in the form of a ZIP file. Once opened, the user will be prompted to open another file – an obfuscated PDF document, which, once executed, will use an HTA file via the PowerShell commands to connect to a remote server, where the malicious payload will be downloaded and executed on the machine.

Moreover, a specific technique, known as LotL (Living off the Land)[4] opens the HTA file and also allows Sodinokibi ransomware to avoid anti-malware detection by activating the mshta.exe process.

Sodinokibi ransomware has left its traces during the last few months

Sodinokibi ransomware and its activities have been reported in numerous news outlets since its discovery in April.[5] Sadly, this dangerous cyber threat is not on its own. It also has other siblings known as REvil and Sodin – new variants of malware that carry the same purpose of encrypting documents/files and urging for a high ransom price.

Sodinokibi is most likely a work of GandCrab developers – those claimed to retire recently. However, it is highly unlikely that such a successful cybercriminal group would simply leave the lucrative cybercrime business. The latter malware was one of the most successful ransomware families in history, and cybersecurity experts believe that Sodinokibi campaigns will only be expanded more in the future.

Once Sodinokibi virus is installed on the system, it launches unique encryption ciphers and locks all data found on the local hard drive, as well as networked drives. Soon after that, the file-marker-HOW-TO-DECRYPT.txt message is passed to the victims and appears with its high ransom demands – crooks ask between $2,000 and $5,000.

Sadly, no decryption tool for Sodinokibi ransomware has been discovered yet. Besides, the threat is capable of launching a module which permanently erases shadow copies of blocked data that complicates the entire decryption process for victims. If ever dealing with this malware, do not pay cybercriminals and rather focus on alternative data recovery methods or wait for the decryption tool to be created by cybersecurity researchers.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of News Editors for 2-spyware.com. He graduated from the Washington and Jefferson College , Communication and Journalism studies.

Contact Jake Doevan
About the company Esolutions