Client advisory: Sodinokibi ransomware attacks on the rise

The CFC Incident Response Team has very recently seen a number of incidents where the ransomware variant known as ‘Sodinokibi’ has infected managed service providers (MSP).

Cyber Advisory 2 min 6 Jul, 2019

Our Incident Response Team has reported that nearly a quarter of the ransomware attacks the team has dealt with since 1 June have come from Sodinokibi. Some experts believe that this variant was created by the same group that developed GandCrab ransomware, which brought in around £1.6 billion in extortion payments. 

This advisory serves as a reminder to our policyholders who use a managed service provider to ensure that they make offsite and off-network backups as well as keeping systems updated with the latest security patches, which is in line with good practice regardless. We also would like to encourage these policyholders to contact their MSP to confirm that they have patched their systems against this vulnerability.

Ensure that you are making offsite and off-network backups as well as keeping systems updated with the latest security patches, which is in line with good practice regardless. James Maass, Cyber Incident Specialist

This particular variant of ransomware exploits CVE-2019-2725, a deserialization vulnerability in Oracle WebLogic Server. This is particularly dangerous as it allows remote code execution without the need for a username or password. The severity of the problem has prompted Oracle to issue a patch outside of its usual patch cycle, and Oracle has strongly recommended that customers apply patches urgently.
 
For those of our customers who are managed service providers themselves, links to critical patches are contained within the security alert advisory link from Oracle here. Please also ensure that any remote management and monitoring tools are also fully patched, have strong complex passwords and utilize multi-factor authentication.