The still young encryption Trojan has only been in circulation since the end of April; since then it has risen steeply and is now said to be one of the most widespread ransomware families, causing significant damage.
The particular threat: unlike earlier Trojans, "SODINOKIBI" stays in the background, often unnoticed by local antivirus software, lying dormant as a "sleeper" while it scouts for access credentials, passwords and shares on the local network.
Typically the Trojan is already inside your network well before the infection becomes visible, so it also infects the important backups and renders them worthless. Backup drives (NAS) are affected as well.
The extortionists then demand large sums of money with considerable criminal energy, and there is no guarantee that the data will be decrypted.
This dynamic is what makes the Trojan so dangerous and is currently costing many IT security providers sleep. All current security strategies are under scrutiny; new structures and monitoring processes need to be established.
Possible distribution tactics
- Critical Windows Vulnerabilities
According to a BSI (the German national cybersecurity authority) press release, Microsoft has disclosed serious vulnerabilities in the Remote Desktop Services (RDS) of its Windows operating system. At least two of them are wormable. What this means in practice: attackers generate random username and password combinations and try to find working RDP access to your network. → PC CADDIE://online has installed the new Windows patches for all Netwatch customers for protection and at the same time monitors RDP attacks in the cloud installation.
Startling: one customer's server has received 500 RDP attack attempts in the last 48 hours.
- SPAM campaigns and advertising emails
The Trojan can also arrive via phishing emails: messages with hidden malicious code masquerading as important messages from known customers or business partners. The emails are precisely tailored to the target group, for example job applications sent to HR staff or payment reminders sent to accounting departments. One wrong click, and the attackers are in the system.
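The RDP monitoring mentioned above (counting attack attempts against a customer's server) can be reproduced from the Windows Security log on a defender's side. The following script is an added example and is not PC CADDIE://online's own monitoring code; it reads constructed sample lines shaped like exported Event ID 4625 ("An account failed to log on") records with Logon Type 10 (RemoteInteractive, i.e. RDP), groups failures by source address, and flags a source whose failures within a short window exceed a threshold. The simplified export format, the threshold of 5 and the 10-minute window are assumptions for the illustration, not values from the newsletter.

```python
"""Flag RDP credential-guessing from failed-logon events in a Windows Security log export.

Added illustration, not PC CADDIE://online code. The log lines are constructed
samples in an assumed simplified export format:
    <ISO timestamp> <event id> <logon type> <user> <source IP>
Event 4625 = failed logon; logon type 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILED_LOGON = "4625"   # Windows Security event: an account failed to log on
RDP_LOGON_TYPE = "10"   # RemoteInteractive (Terminal Services / RDP)

# Constructed sample export. 203.0.113.45 hammers the server with many
# usernames in a few seconds; 192.0.2.10 is a user who mistyped a password
# once and then logged in (4624); 198.51.100.7 is a network (type 3) logon
# failure, which is not RDP and therefore ignored.
SAMPLE_LOG = """\
2019-08-15T22:01:03 4625 10 administrator 203.0.113.45
2019-08-15T22:01:05 4625 10 admin 203.0.113.45
2019-08-15T22:01:06 4625 10 backup 203.0.113.45
2019-08-15T22:01:08 4625 10 user 203.0.113.45
2019-08-15T22:01:09 4625 10 test 203.0.113.45
2019-08-15T22:01:11 4625 10 scan 203.0.113.45
2019-08-15T22:05:00 4625 10 jmueller 192.0.2.10
2019-08-15T22:20:30 4624 10 jmueller 192.0.2.10
2019-08-16T09:14:00 4625 3 svc-backup 198.51.100.7
"""


@dataclass
class FailedLogon:
    when: datetime
    user: str
    source: str


def parse_failed_rdp_logons(log_text):
    """Return only the failed RDP logons (event 4625, logon type 10)."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # blank or malformed line: skip rather than crash
        ts, event_id, logon_type, user, source = parts
        if event_id != FAILED_LOGON or logon_type != RDP_LOGON_TYPE:
            continue
        events.append(FailedLogon(datetime.fromisoformat(ts), user.lower(), source))
    return events


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map each source IP whose failed RDP logons reach `threshold` inside
    any `window`-long span to a small summary of the activity."""
    by_source = defaultdict(list)
    for ev in parse_failed_rdp_logons(log_text):
        by_source[ev.source].append(ev)

    alerts = {}
    for source, events in by_source.items():
        events.sort(key=lambda e: e.when)
        # Sliding window: largest run of failures whose time span fits in `window`.
        best, start = 0, 0
        for end in range(len(events)):
            while events[end].when - events[start].when > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[source] = {
                "attempts": len(events),
                "peak_in_window": best,
                # Many distinct usernames from one source is the typical
                # signature of credential guessing rather than a forgetful user.
                "distinct_users": len({e.user for e in events}),
                "first": events[0].when,
                "last": events[-1].when,
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {info['attempts']} failed RDP logons, "
              f"{info['distinct_users']} usernames, "
              f"{info['first']} .. {info['last']}")
```

On the sample data only 203.0.113.45 is reported; the single failure from 192.0.2.10 stays below the threshold, and the type 3 failure is not an RDP event at all. Counting distinct usernames per source is what separates a guessing campaign from a legitimate user with a forgotten password, and lowering the threshold turns the same function into a plain per-source failure report.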
Fast data protection is now important
The BSI advises all Windows users to install the provided updates immediately.
As a protective measure, the PC CADDIE://online IT administrators recommend that customers mirror their data completely in the PC CADDIE://online Cloud in addition to the local backup. At present this is the only alternative for accessing the data after such criminal encryption.
› PC CADDIE://online Newsletter | Threat of the latest generation of crypto-malware (in German)
We would like to ask all golf clubs and golf companies who have entrusted their data protection to their own IT service provider to ask that provider as quickly as possible how well they are prepared for such attacks.
Please stay alert!
Our IT administrators are available for any questions you might have; just send a message to support (at) pccaddie-online.de.
Our sources with information on how to protect yourself (in German):
› https://www.heise.de/security/meldung/Sodinokibi-aka-REvil-der-neue-Shooting-Star-der-Ransomware-Szene-4483691.html (last accessed on 16.08.2019)
› https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/DejaBlue-Schwachstelle_140819.html (last accessed on 16.08.2019)
› https://www.heise.de/security/meldung/Emotet-bei-Heise-Fachgespraech-zum-Schutz-vor-Cybercrime-4476253.html (last accessed on 16.08.2019)
› https://www.sueddeutsche.de/digital/ransomware-service-sodinokibi-1.4554518 (last accessed on 16.08.2019)