Kaspersky researchers have uncovered a new encryption ransomware named Sodin which exploits a recently discovered zero-day Windows vulnerability to gain elevated privileges in an infected system and take advantage of the architecture of the Central Processing Unit (CPU) to avoid detection. This highly specialized functionality is not often seen in ransomware attacks and can be planted onto vulnerable servers by the attackers requiring no user interaction.
The malware appears to be part of a ransomware-as-a-service (RAAS) scheme which allows distributers to choose the way in which the encryptor propagates. From the research conducted, it appears the malware is being distributed through an affiliate program in which the creators have access to a loophole in the malware functionality that allows them to decrypt files without their affiliates knowing; a ‘master key’ that doesn’t require a distributor’s key for decryption. This added feature is suspected to be used by the developers to control the decryption of victim data as well as the distribution of the ransomware by cutting certain distributors out of the affiliate program by making the malware useless.
Additionally, Sodin’s malware was built to instinctively locate vulnerable servers and send a command to download a malicious file called “radm.exe.” which would then save the ransomware to the server and execute it locally. The ransomware note left on infected PCs demands $2,500 (USD) worth of Bitcoin from each victim.
Sodin’s sophisticated design makes it even more difficult to detect as it uses the intricate “Heaven’s Gate” technique, which is not often found in ransomware attacks as it allows a malicious program to execute 64-bit code from a 32-bit running process.
Kaspersky researchers believe that the Heaven’s Gate technique is used in Sodin for two main reasons:
· To make the analysis of the malicious code more difficult to detect as not all code examiners support this technique and therefore are unable to recognize it.
· To evade detection by installed security solutions. The technique is used to bypass emulation-based detection, a method for uncovering previously unknown threats that involves launching code that is behaving suspiciously in a virtual environment that emulates a real computer.
The majority of Sodin ransomware targets were found in Asia: 17.6% of attacks have been detected in Taiwan, 9.8% in Hong Kong and 8.8% in the Republic of Korea. Additional attacks have also been observed in Europe, North America and Latin America.
Fedor Sinitsyn from Kaspersky said that ransomware is a very popular type of malware, yet it’s not often that we see such an elaborate and sophisticated version that uses the CPU architecture to fly under the radar. Apparently they expect to see a rise in the number of attacks involving the Sodin encryptor since the amount of resources that are required to build such malware is significant. Those who invested in the malware’s development definitely expect if to pay off handsomely.