Sodinokibi ransomware is exploiting Windows vulnerability to get elevated privileges

Ransomware Sodinokibi (also known as Sodin or REvil) used an old Windows zero-day vulnerability (CVE-2018-8453) to improve management access to infected hosts. In October 2018, Microsoft fixed the vulnerability. Since August 2018, the vulnerability has been used by a hacker group, FruityArmor.

Image: Kaspersky

Kaspersky’s security researchers say the ransomware exploits privilege escalation vulnerabilities, and most ransomware does not typically use this technique. Security researcher wrote, “We expect a rise in the number of attacks involving the Sodin encryptor since the amount of resources that are required to build such malware is significant. Those who invested in the malware’s development definitely expect if to pay off handsomely”

There is also a “master key” in the Sodin code as a back door to the encryption process. Sodin creators can use this backdoor to decrypt computer-encrypted files. Researchers believe that Sodinokibi is distributed through ransomware-as-a-service (RaaS). Security researchers believe that Sodin may become the next big threat in the field of ransomware. The rise of Sodinokibi comes at a time when GandCrab ransomware officially closes all businesses, so many people regard Sodinokibi as the development of GandCrab and believe that the two ransomware is developed by the same group of people.