Rewterz

Rewterz Threat Alert – Anchor Malware Targets Point-of-Sale Infrastructure

January 7, 2020
Rewterz

Rewterz Threat Alert – 3rd Party Tools and Windows 10 Apps Killed by Clop Ransomware

January 8, 2020

Rewterz Threat Alert – Sodinokibi Ransomware aka REvil Encrypting Files

Severity

High

Analysis Summary

Sodinokibi ransomware was found infecting systems via Microsoft Office documents. After encryption, the following ransom note is found on infected systems. 

image-1578397927.png

The ransomware demands a ransom of $850k or $1.7m for decrypting the files on target system, as below.

image-1578398033.png

Impact

  • Files Encryption
  • Information Disclosure

Indicators of Compromise

MD5

  • 4903f3effb98da65c49bb9591c16615d
  • 3ad4c27f8d0e7135f401474811bd9b25
  • 853ab7bdeecf03306178f4af40eff694
  • b4fe61c29e23014fdab44ad0d8df1d2d
  • 395015986431f15f5bfd25aa1966ccb0
  • 27c8b1cb19c4f6df337dff38ab1f3592
  • 85de4dc5e49dbafcf3da67434f013733
  • a63cdd7c9362540da0fc61db193f9a93
  • 6a85fe97ccaa29d09e5df824d4eaad59
  • 8b24ea434d60f99e1ff50810fb8d28da
  • d8e850611733076fc9d523b586e76ff7
  • f45b3caa097afbdd50358ede4042a88f
  • 6640d80b412edfbdd836a5c3808a7748
  • 722e15d85827d3ac13e56e8108688012
  • 9d78f811a13af1cee9ee635a9dd3f10a
  • 1ebf922138d1d821c11bac32b63d3b2d
  • c932f03098bcfea3f7a6c7bf11c0d653
  • 6bf8720c0741f11219f38e747392b73e
  • c37804708ee284575f87bd0e365be9d9
  • 3846bbbb0efc50218aedd4a4ef3d877a
  • f7f3fd2b59b0979bb7c8265122547f9a
  • b64f01f8a72ec9c9670909b4ce1a9b4f
  • c12c84d72868e4c4be6af913d62da2bb
  • 4fe625f696602d23e0c1129ee8c609c9
  • 579ebea24bc90cf01b7ba3e6c376f06b
  • 6df070be3d54fb2f6eb4ac1a3415857b

SHA-256

  • 42996516b6604ba136ff909d9b59d2a676a72eaafa30c729cdfaddd96b20fc83
  • 2011f4ed15d6ad002670fdfe8fffc2fbd7cff4c8e7bd9d16746f9884a79a24b1
  • 5cb49636a0d759cf24bd19ce17003a62f1e8d4d076844b9110af8b9172413508
  • 12bb06bc5da9d7f24634bb37a809ad69896c2eb47b7957846124fe09fbf573bf
  • 0e468c960706b3f4181f54a35650b8edbd0960785dda89a72cdd1e5d600f188b
  • 9a253acfa25c1feefe603a9b8060d997c34aa110f0d1811005eb1f5ca28d2795
  • 7549bc8a7c896dae3f1026dfeeba7d4e0990b896e8715cef55f88763b2aa3908
  • ba68f6b7d0be7f6abcbd6679627ed61fac0d0044f05ddbca38b564f1b27bef48
  • c678c05b05790006e56a25659eaa97520f426c6b2bbd7ccfb3ea30cc46d672f9
  • 5bfb1237443e270d7297a9bb2d4cc44cbc4f3ad0f71db00012a4cc0ae461e6d2
  • b7e7878b4f87f1b29fb3c7002d90196c69bffe1eb70ae08d2563b79e1bc41a06
  • 9106117da853d8baa45ff6fdbf1ceada81dd4c2ce896787e445170a8d8c13148
  • a4b205d9ebfe4b6b08f4ead27a79aea247215df4463f9e95c9cfe1db7b30b02a
  • 578e1b00157447f99716b646af6b0c33d0f6c32257a19376d6cc9d003ff0fba1
  • b7b136e1efb27c05f80163b6ba73575b4430d7326b07cb629d23794f0049c1a6
  • 68a35bd6540394cd28a8c8271dbf2befc4a839aa53d1ba28f9ed81f411a09c01
  • 515e79a2813ecc480d47480275b18426e281d77488ac2dce669f00dc41d4b6ce
  • 1e1589de70ea7ebad976aa1c1ebdb32e0695ee268aa5f7f8ac834ed3960a4803
  • d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec
  • 4c15a0bfdc8af00dd509aa990c2d7926ee7c714da88a767ee7f4e5276094de6d
  • bb7707d5672a409d7b69356ca1f2ed947bc5c76a683431c8b636e60845fa17ed
  • 4d7bb7fc137d4e4db98835612daa8e4f36b365dad71bd5c763521d7e8a29915a
  • f4e2cf1a788a104226e6c577ad19c8570624371f8563a3ec0e9cb43501c18665
  • 9bc861c341955bbbb8ac281b7195ee238b068981b7212375c93e6e4cd5ff2a04
  • 830a8208fe916dabfc1ee63c3e889d8277fbae954a9b00d64b2c920e1d9a2536
  • a49fe8df263baded151476232daafd20122f7a66325c2fc6395c965296a8d746

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files from random sources on the internet.
  • Do not download files attached in emails coming from untrusted sources.

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.