The Sodinokibi ransomware is looking to increase its privileges on a victim machine by exploiting a vulnerability in the Win32k component present on Windows 7 through 10 and Server editions.

The file-encrypting malware stepped into the limelight in April when it started to exploit a critical vulnerability in Oracle WebLogic.

Global spread

Sodinokibi, a.k.a. REvil, also exploits CVE-2018-8453, security researchers found, a vulnerability discovered and reported by Kaspersky, that Microsoft patched in October 2018.

Kaspersky uses the name Sodin to refer to this strain of ransomware and telemetry data shows detections in small areas on the globe, most of them recorded in the Asia-Pacific region: Taiwan (17.56%), Hong Kong, and South Korea (8.78%).

Other countries where Sodinokibi was detected are Japan (8.05%), Germany (8.05%), Italy (5.12%), Spain (4.88%), Vietnam (2.93), the U.S. (2.44%), and Malaysia (2.20%).

In a technical analysis on Wednesday, Kaspersky details how the malware manages to achieve SYSTEM privileges and describes how it functions.

"Stored in encrypted form in the body of each Sodin sample is a configuration block containing the settings and data required for the Trojan to work."

The configuration code includes fields for the public key, ID numbers for the campaign and the distributor, for overwriting data, file extensions that should not be encrypted, names of the processes it should kill, command and control server addresses, ransom note template, and one for using an exploit to get higher privileges on the machine.

Two separate encryptions for the private key

The Sodinokibi sample analyzed by Kaspersky uses a hybrid scheme to encrypt data, meaning that it applies symmetric encryption (Salsa20) for the files and elliptic curve asymmetric encryption for the keys.

The researchers found that the ransomware stores in the registry both the public key - which encrypts the data, and the private key for decrypting the files.

"When launched, the Trojan generates a new pair of elliptic curve session keys; the public key of this pair is saved in the registry under the name pk_key, while the private key is encrypted using the ECIES algorithm with the sub_key key and stored in the registry under the name sk_key."

One peculiarity noticed by the researchers is that the private key is also encrypted with a second public key, which is encoded in the malware; the result is also saved in the registry.

The malware authors may have done this on purpose, so they can also decrypt the data, not just the operator that spreads Sodinokibi. It could be a precaution if the distributor disappears, or a way to get a larger cut of the profits.

After encrypting the files, Sodinokibi appends a random extension that is different for each computer it infects. Both the key and the extension need to be entered on a website set up by the cybercriminals specifically for showing victims how much they have to pay to get their files back.

The malware discriminates between targets and terminates on computers with keyboard layouts specific to certain countries: Russia, Ukraine, Belarus, Tajikistan, Armenia, Azerbaijan, Georgia, Kazakhstan, Kyrgyzstan, Turkmenistan, Moldova, Uzbekistan, and Syria.