THREAT RESEARCH BLOG POST
July 9, 2019 | David Cohen
- Sodin is a new ransomware that spreads and operates using known vulnerabilities.
- CyberArk Labs tested prevention tactics on Sodin over the weekend and found that using Endpoint Privilege Manager to enforce least privilege on endpoints and application greylisting control was 100 percent effective in preventing Sodin from encrypting files even with the highest privileges.
Sodin, a new ransomware that encrypts data and deletes shadow copy backups, appeared in the first half of 2019 and is actively spreading through Asia.
What sets it apart is its use of three known vulnerabilities. To spread, the malware exploits the Oracle WebLogic server vulnerability CVE-2019-2725, which lets it run PowerShell commands and act as a dropper on the server. During the attack, Sodin abuses managed service provider (MSP) vulnerabilities, which allow the attacker to connect remotely to the victim’s computer with high privileges. It also uses a Windows vulnerability (CVE-2018-8453) to escalate privileges on the machine.
Sodin’s authors focused all of their efforts on encrypting data and demanding a ransom.
CyberArk Labs tested Sodin ransomware and the result is clear. Sodin can’t break through Endpoint Privilege Manager’s feature set, a combination of least privilege, credential theft protection and application control policies on endpoints and servers. To date, our labs have tested more than 1.2 million ransomware samples in order to better understand common infection, encryption and removal characteristics.
This proactive approach does not depend on the ability to detect advanced malware; instead, it treats every unknown application as potentially suspicious and protects information accordingly. This prevents one infected endpoint from causing an organizational pandemic.
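To make the greylisting idea above concrete, here is an added Python model of such a policy. It is not CyberArk's code, and Endpoint Privilege Manager's real policy engine is not described on this page. The publishers, hashes, file paths and process events are constructed sample data, and the shadow-copy deletion command patterns are an assumption: the post says Sodin deletes shadow copy backups but does not say which commands it runs. The model shows two points the paragraph only states: an unknown application runs, but never with an administrator token, and the restriction is inherited by any signed system tool the unknown application launches.

```python
"""Toy least-privilege + application greylisting policy for process launches.

Added illustration only (not CyberArk's code). All publishers, hashes,
paths and events are constructed; the destructive-command patterns are an
assumption about how ransomware commonly removes shadow copies.
"""
from dataclasses import dataclass
from typing import Optional
import re

# Constructed allowlist of signing publishers whose binaries run unrestricted.
TRUSTED_PUBLISHERS = {"Microsoft Windows", "Example Corp"}

# Constructed placeholder hash of an explicitly approved unsigned tool.
KNOWN_GOOD_SHA256 = {"a" * 64}

# Commands a greylisted process is never allowed to run (assumed patterns;
# the page does not state how Sodin deletes shadow copies).
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
]


@dataclass
class ProcessEvent:
    image: str                  # full path of the executable
    publisher: Optional[str]    # Authenticode signer, None if unsigned
    sha256: str                 # hash of the image file
    parent_tier: str            # tier already assigned to the parent process
    requests_elevation: bool    # process asked for an administrator token
    command_line: str


def classify(ev: ProcessEvent) -> str:
    """Return 'trusted' or 'greylisted' for a process launch."""
    # Restrictions are inherited: a signed system tool launched by an unknown
    # application is still treated as part of that unknown application.
    if ev.parent_tier == "greylisted":
        return "greylisted"
    if ev.publisher in TRUSTED_PUBLISHERS or ev.sha256 in KNOWN_GOOD_SHA256:
        return "trusted"
    return "greylisted"


def decide(ev: ProcessEvent) -> dict:
    """Apply the policy: unknown apps get no admin token and cannot delete
    shadow copies, even when the logged-on user is an administrator."""
    tier = classify(ev)
    destructive = any(p.search(ev.command_line) for p in SHADOW_COPY_DELETION)
    if tier == "greylisted" and destructive:
        return {"image": ev.image, "tier": tier, "run": False, "elevated": False,
                "reason": "shadow copy deletion by an unknown application"}
    # Greylisted applications still run, but only with a standard-user token.
    return {"image": ev.image, "tier": tier, "run": True,
            "elevated": ev.requests_elevation and tier == "trusted", "reason": ""}


# Constructed process-creation events: a known shell, an unsigned download
# asking for elevation, the same download spawning vssadmin, and an admin
# running vssadmin from a trusted parent.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", "Microsoft Windows", "b" * 64,
                 "trusted", False, "explorer.exe"),
    ProcessEvent(r"C:\Users\alice\Downloads\invoice.exe", None, "c" * 64,
                 "trusted", True, "invoice.exe"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "Microsoft Windows", "d" * 64,
                 "greylisted", True, "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "Microsoft Windows", "d" * 64,
                 "trusted", True, "vssadmin.exe delete shadows /for=D: /oldest"),
]


def run_policy(events=SAMPLE_EVENTS):
    """Evaluate every event and return the list of decisions."""
    return [decide(ev) for ev in events]


if __name__ == "__main__":
    for decision in run_policy():
        print(decision)
```

The third event is the one that matters: vssadmin.exe is legitimately signed, so a policy that only checks the image would let it run, but because its parent was greylisted the deletion is denied. The fourth event shows the limit of the approach: approved tooling run by a real administrator from a trusted parent is still allowed, which is why the post pairs least privilege with protecting administrative credentials.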
This attack should serve as a reminder that back-ups alone are no longer enough to protect against data loss, especially if organizations are exposing privileged credentials to attackers. This means organizations may have to choose between complete data loss and paying the ransom. Eliminating the attacker’s ability to access administrative credentials to propagate ransomware beyond the initially compromised machine is an essential action to defend against future ransomware attacks and limit the damage.