Tag Archives: hacked

Sodinokibi: The Crown Prince of Ransomware


Sodinokibi, also known as REvil (short for Ransomware Evil), is a ransomware threat group that keeps gaining notoriety. Like several other ransomware families, REvil operates as Ransomware-as-a-Service (RaaS): one group maintains the code and the infrastructure, while a second group, the affiliates, breaks into victims and deploys the ransomware in exchange for a share of the ransom. The RaaS model lets affiliates distribute REvil in whatever way suits them, for example through phishing campaigns or by uploading tools and scripts that let them execute the ransomware across a victim's internal network.

Sodinokibi compromises organizations by infecting them with file-encrypting malware. Once it runs, it encrypts the victim's files and drops a ransom note. The note tells the victim to pay a ransom in bitcoin, or else the stolen files will be leaked and the encrypted ones will stay locked.

The group recently made headlines by targeting Acer, the Taiwanese electronics manufacturer. On March 19th 2021 it became public that Acer had been attacked. The attackers, the REvil group, demanded the largest known ransom in the history of cyber attacks so far: $50 million. They gave Acer until March 28th to pay, after which all of the stolen data would be released to the public. As of March 20th, Acer had not acknowledged that it was the victim of a security breach.

Acer data leak on REvil ransomware site

The malware first surfaced in April 2019, when it was observed being deployed through a serious flaw in Oracle's WebLogic Server: a remote code execution bug that could be exploited over the network without any authentication (CVE-2019-2725). This was an unusual delivery method for ransomware, since it exploited the server directly; as researchers pointed out, such attacks usually depend on user interaction, for example opening an email attachment or clicking a malicious link.

Sodinokibi has since targeted organizations such as the celebrity law firm Grubman Shire Meiselas & Sacks, the foreign currency exchange giant Travelex, the spirits maker Brown-Forman Corp. (owner of Jack Daniel's) and, most recently, Acer.

REvil ransomware functionalities

REvil is gaining momentum and notoriety, as its decision to target a tech giant like Acer shows. This breach is worth following, since the repercussions for Acer may be substantial. It should also serve as a reminder that attacks keep getting more refined and complex, and that solid security measures, including patching internet-facing servers such as the WebLogic instances REvil first abused and keeping tested offline backups, should always be in place.

References

https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/

https://www.infradata.pl/en/resources/what-is-revil-ransomware/

https://threatpost.com/revil-claims-ransomware-attacks/164739/

https://www.theverge.com/2021/3/20/22341642/acer-ransomware-microsoft-exchange-revil-security


50 000 Printers hacked in order to prolong PewDiePie’s number one spot on YouTube.


Felix Kjellberg, a Swedish YouTuber known as PewDiePie, is in the middle of a "YouTube subscriber war" in which the prize is the number one spot by subscriber count. The war is fought between him and T-Series, an Indian media company that produces Bollywood music videos. Right now T-Series is the fastest growing channel on YouTube and already holds the number one spot by video views.

We've seen plenty of posts, tweets and videos urging people to help Felix stay number one by subscribing to him; another YouTuber even bought billboards to spread the message.

But this is like nothing before. A Twitter user known as TheHackerGiraffe found a way to make 50 thousand printers print a message. The first word of it came from Twitter, where people initially thought it was PewDiePie's own propaganda. PewDiePie took some hate for it, but not enough to affect him; it is not the first time he has been bullied and it won't be the last.


Because of this event the subscriber war took a twist. PewDiePie is still number one, but probably not for long, since T-Series is growing four times faster.

A bit about the technical side of the “hack”.

“TheHackerGiraffe scanned the Internet to find the list of vulnerable printers with port 9100 open using Shodan, a search engine for internet-connected devices and exploited them to spew out a message.

The hacker mainly uses an open-source hacking tool to exploit vulnerable printers, called Printer Exploitation Toolkit (PRET), which has been designed for testing printers against various known vulnerabilities, allowing attackers to capture or manipulate print jobs.”

The Hacker News

Apparently this is more of a trick than a hack. It is not very complicated, and it has been done before: by a hacker called Weev in 2016, who used it to spread antisemitic flyers, and by another hacker in 2017 who simply printed silly drawings on around 150 000 printers.

In his AMA on Reddit, TheHackerGiraffe claimed that he hit only 50 000 of the roughly 800 000 printers that are still exposed to this attack. Put in perspective, that is a lot of printers available for abuse: phishing, blackmail or plain vandalism. It shows how insecure network printers speaking raw port 9100, IPP or LPD are, especially when their firmware is out of date and they are reachable from the internet. To show how easy the attack is, TheHackerGiraffe wrote:

Think of it as a giant print button on the internet.
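To make the "giant print button" concrete, here is an added example (my own code, not TheHackerGiraffe's, PRET's or anything from the original post) that frames a page of text as a raw print job the way a port-9100 (JetDirect-style) listener expects it, and delivers it over TCP. The PJL framing (the Universal Exit Language escape `ESC%-12345X` around the job) is standard; the job name, the demo message and the `FakeRawPrinter` class are constructed for the example so that it runs offline against a loopback listener instead of a real device. Note what is missing on the wire: no credentials, no token, no confirmation. Whatever bytes arrive get printed, which is exactly why an internet-exposed port 9100 is a free print button for anyone who finds it on Shodan.

```python
import socket
import threading

# PJL Universal Exit Language: the escape sequence that opens and closes a raw job.
UEL = b"\x1b%-12345X"


def build_pjl_job(text: str) -> bytes:
    """Frame `text` as a minimal PJL/PCL print job.

    Plain ASCII is valid PCL, so wrapping the text in a PJL job header and a
    form feed is enough for most network printers to print it as a page.
    """
    body = text.encode("utf-8")
    return (
        UEL
        + b'@PJL JOB NAME="raw-9100-demo"\r\n'   # job name: hypothetical, chosen for the demo
        + b"@PJL ENTER LANGUAGE=PCL\r\n"
        + body
        + b"\x0c"                                # form feed: eject the page
        + UEL
    )


def send_raw_job(host: str, port: int, job: bytes, timeout: float = 5.0) -> int:
    """Deliver a framed job to a raw printing port. No authentication exists to send."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(job)
    return len(job)


class FakeRawPrinter:
    """Loopback stand-in for a printer's port-9100 listener (constructed for the demo).

    It behaves like the real thing in the only way that matters here: it accepts
    one connection and spools every byte it receives, asking no questions.
    """

    def __init__(self):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))   # ephemeral port, loopback only
        self._srv.listen(1)
        self.port = self._srv.getsockname()[1]
        self.received = b""
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        conn, _ = self._srv.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:            # sender closed: the job is complete
                    break
                self.received += chunk
        self._srv.close()

    def wait(self, timeout: float = 5.0) -> bytes:
        self._thread.join(timeout)
        return self.received


def demo(message: str = "Constructed demo page: firewall port 9100 and update this printer.") -> dict:
    """Run the whole exchange against the loopback printer and return what it spooled."""
    printer = FakeRawPrinter()
    job = build_pjl_job(message)
    sent = send_raw_job("127.0.0.1", printer.port, job)
    return {"port": printer.port, "sent": sent, "spooled": printer.wait()}


if __name__ == "__main__":
    result = demo()
    print(f"spooled {len(result['spooled'])} bytes on port {result['port']}")
```

The defensive takeaway follows directly from the code: there is nothing to harden inside the protocol, so the only controls are network ones. Block 9100/TCP, 631/TCP (IPP) and 515/TCP (LPD) at the perimeter, keep printers on a segment that only the print server can reach, and check your own external ranges for those ports before someone else does.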

With this power in his hands, our "friendly giraffe" chose not to abuse it. Instead he decided to help a YouTuber he likes and, out of all the options he had, sent a message asking the recipients to subscribe to PewDiePie.

It is a good way to raise awareness about security. The trick could have cost companies real money, since ink and paper are not free, and a stunt like this could be pulled off by a kid who would then face the consequences. Researchers have also shown, in Check Point's 2018 "Faxploit" work on HP all-in-one devices, that all an attacker needs is your fax number to get into your printer. At the end of the day, a fun little subscriber war has taught us a lesson about our own security.

Sources:

https://thehackernews.com/2018/11/pewdiepie-printer-hack.html

https://www.zdnet.com/article/twitter-user-hacks-50000-printers-to-tell-people-to-subscribe-to-pewdiepie/

https://www.reddit.com/r/AMA/comments/a1wo96/i_hacked_50000_printers_worldwide_out_of/

Twitter


Bitcoin exchange Bitfinex was hacked losing $70M worth of bitcoin. It found unprecedented solution.

Bitfinex is one of the most popular bitcoin exchanges, based in Hong Kong. On August 2nd 2016, one of the company's employees confirmed the loss of 119,756 BTC. At the price from just before the hack, $650 per bitcoin, that converts to $77,841,400.

After the news of the hack broke, the market price of bitcoin fell by almost 20%, settling around $540 per bitcoin.

bitcoin value drop

No information about how it happened has been released. All that is known is that funds held in other currencies were not compromised, and that only some accounts lost their bitcoins while others lost nothing.

BitGo, which provided the multi-signature wallet service Bitfinex used, says it found no evidence of a breach of any BitGo servers.

The odd thing is that, unlike other exchanges, Bitfinex had no withdrawal limits. Such limits would have capped the possible losses from an attack like this.

The company came up with an unprecedented solution: spreading the loss evenly across everyone using the exchange. Every customer sees a generalized loss of 36.067% on their account.

As compensation for the 36.067%, Bitfinex will issue everyone a new token called BFX, in an amount proportional to each client's loss.

Not everyone welcomed this solution, especially those who kept their savings in other currencies, such as USD.

The plan is to eventually buy back the token, leaving customers with what they had in their accounts before the hack. The BFX token will be tradable on the platform, so customers can set its value themselves, which in effect reflects how likely they think the buyback really is (I would be rather skeptical).
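To see what "spreading the loss evenly" and "BFX proportional to the loss" mean in numbers, here is an added worked example of the haircut mechanism (my own code, not Bitfinex's; their actual books, prices and rounding rules are not public, so the accounts below are constructed). It values every account in USD at a reference price, computes the single percentage that covers the stolen BTC, scales every balance down by that percentage, and issues BFX equal in USD to what each account gave up. The conservation check at the end, that the tokens issued add up to exactly the loss, is the property that makes such a scheme auditable, and the guard at the top covers the failure mode where the hole is bigger than the customer assets and no haircut can fill it.

```python
from decimal import Decimal

# Constructed reference prices (USD per unit); $650/BTC matches the pre-hack price quoted above.
PRICES_USD = {"BTC": Decimal("650"), "USD": Decimal("1")}

# Constructed sample accounts, chosen so the totals are easy to follow:
# alice = $65,000, bob = $52,000, carol = $13,000, total $130,000.
SAMPLE_ACCOUNTS = {
    "alice": {"BTC": Decimal("100")},
    "bob":   {"USD": Decimal("52000")},
    "carol": {"BTC": Decimal("10"), "USD": Decimal("6500")},
}


def account_value_usd(balances, prices=PRICES_USD) -> Decimal:
    """Mark an account to market in USD across all currencies it holds."""
    return sum((amt * prices[cur] for cur, amt in balances.items()), Decimal("0"))


def socialize_loss(accounts, loss_btc, prices=PRICES_USD):
    """Spread a BTC loss across every account in proportion to its USD value.

    Returns (haircut, results) where haircut is the fraction removed from each
    account and results maps account name -> {"balances": ..., "bfx": ...}.
    Balances are scaled by (1 - haircut); "bfx" is the USD-denominated token
    amount issued as an IOU for what the account gave up.
    """
    loss_usd = Decimal(loss_btc) * prices["BTC"]
    total_usd = sum((account_value_usd(b, prices) for b in accounts.values()), Decimal("0"))
    if total_usd == 0 or loss_usd > total_usd:
        # Edge case: a haircut cannot cover a hole larger than all customer assets.
        raise ValueError("loss exceeds customer assets; a uniform haircut cannot cover it")
    haircut = loss_usd / total_usd
    results = {}
    for name, balances in accounts.items():
        results[name] = {
            "balances": {cur: amt * (1 - haircut) for cur, amt in balances.items()},
            "bfx": account_value_usd(balances, prices) * haircut,
        }
    return haircut, results


def bfx_issued_total(results) -> Decimal:
    """Conservation check: tokens issued must equal the socialized loss in USD."""
    return sum((r["bfx"] for r in results.values()), Decimal("0"))


if __name__ == "__main__":
    # A constructed 50 BTC loss against $130,000 of assets is a 25% haircut.
    h, res = socialize_loss(SAMPLE_ACCOUNTS, "50")
    print(f"haircut: {h:.3%}")
    for name, r in res.items():
        print(name, {c: f"{v:.4f}" for c, v in r["balances"].items()}, "BFX:", f"{r['bfx']:.2f}")
    print("BFX issued:", bfx_issued_total(res), "vs loss USD:", Decimal("50") * PRICES_USD["BTC"])
```

Two design points worth noticing: the haircut is applied to USD holders too, which is exactly why L94's complaint arises (a customer with no BTC exposure still pays), and the BFX token only restores the customer if the buyback happens, so the haircut is a real loss until then and the token's market price is the crowd's estimate of recovery.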


How do you like Bitfinex's solution?

Would you store your bitcoins in an online wallet? (It is not the first time a large amount of bitcoin has disappeared without a trace.)


Sources:

http://www.cnbc.com/2016/08/08/bitfinex-users-set-to-lose-36-of-their-holding-in-bitcoin-hack.html

https://twitter.com/BitGo

https://www.reddit.com/r/Bitcoin/comments/4vupa6/p2shinfo_shows_movement_out_of_multisig_wallets/

https://techcrunch.com/2016/08/08/hacked-bitcoin-exchange-bitfinex-will-reduce-balances-by-36-to-distribute-losses-amongst-all-users/
