Cybersecurity
Sodin Ransomware Attacks
We have seen an increase in threat activity in the Lower Hudson region, with Sodin ransomware targeting local districts. As a result of this activity, we feel it is important to make districts aware so that we can all be proactive and guard against this malicious activity. If you have questions or need further assistance, please contact your Account Manager.
The recent Sodin ransomware attacks could have initially been introduced to the network via a number of pathways (spear-phishing email, insecure network configuration, compromised network credentials, etc.). What is clear about this particular ransomware variant is that after it gains entry to a network, it exploits the vulnerability identified in CVE-2018-8453 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453). This vulnerability can be present on unpatched Windows 7, 8.1 and 10, and on Windows Server 2008, 2012, 2016 and 2019.
The end result of an infection with this ransomware is that all files that can be accessed from an affected system become encrypted, including all user files, all operating system files and, in some cases, the hard drive partition table. This makes the data unrecoverable and renders the affected systems inoperative. In each directory that is encrypted, a text file is left behind that begins with the following:
--------------------------------------------------------
---=== Wecome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 8680v.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
--------------------------------------------------------
At this time there is no known decryption tool to recover the encrypted data.
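Because the ransom note has a fixed banner and states the victim-specific file extension, a defender can use it as a cheap indicator of compromise when triaging a share or workstation. The script below is an added example written for this advisory, not code from the advisory's authors or from any vendor: it walks a directory tree, recognises the note by the banner quoted above, extracts the extension from the "has expansion ..." sentence, and then counts files carrying that extension. The note's file name, the file-size limit and the sample directory it builds are assumptions made for the example; the sample files are constructed, not real artifacts.

```python
import re
import tempfile
from pathlib import Path

# Banner line taken from the ransom note quoted in the advisory.
NOTE_BANNER = "---=== Wecome. Again. ===---"
# Sentence in the note that names the victim-specific extension (e.g. 8680v).
EXT_PATTERN = re.compile(r"all files on you computer has expansion (\w+)\.")
# Assumption: a genuine note is small; skip large .txt files to keep the scan cheap.
MAX_NOTE_BYTES = 64 * 1024


def parse_ransom_note(text):
    """Return the extension named in a Sodin-style note, or None if text is not a note."""
    first_lines = [ln.strip() for ln in text.splitlines()[:3]]
    if NOTE_BANNER not in first_lines:
        return None
    match = EXT_PATTERN.search(text)
    return match.group(1) if match else None


def scan_tree(root):
    """Find ransom notes under root and count files carrying the extension they name."""
    root = Path(root)
    notes, extensions = [], set()
    for path in root.rglob("*.txt"):
        try:
            if path.stat().st_size > MAX_NOTE_BYTES:
                continue
            ext = parse_ransom_note(path.read_text(errors="replace"))
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if ext:
            notes.append(path)
            extensions.add(ext)
    encrypted = [
        p for p in root.rglob("*")
        if p.is_file() and p.suffix.lstrip(".") in extensions
    ]
    return {"notes": notes, "extensions": extensions, "encrypted": encrypted}


def build_sample_tree(base):
    """Construct a small directory that imitates an affected share (constructed sample data)."""
    docs = Path(base) / "docs"
    docs.mkdir(parents=True)
    (docs / "report.docx.8680v").write_bytes(b"\x00\x01 ciphertext placeholder")
    (docs / "budget.xlsx.8680v").write_bytes(b"\x00\x02 ciphertext placeholder")
    (docs / "readme.txt").write_text("just an ordinary readme\n")
    note = (
        "--------------------------------------------------------\n"
        "---=== Wecome. Again. ===---\n"
        "[+] Whats Happen? [+]\n"
        "Your files are encrypted, and currently unavailable. You can check it: "
        "all files on you computer has expansion 8680v.\n"
    )
    # Assumption: the note's file name is not given in the advisory; any .txt name is scanned.
    (docs / "note.txt").write_text(note)
    return docs


def run_demo():
    """Build the constructed sample tree in a temp dir and scan it; returns the scan result."""
    base = tempfile.mkdtemp()
    build_sample_tree(base)
    return scan_tree(base)


if __name__ == "__main__":
    result = run_demo()
    print("ransom notes found:", len(result["notes"]))
    print("extensions named in notes:", sorted(result["extensions"]))
    print("files with those extensions:", len(result["encrypted"]))
```

Run it against a real path by calling scan_tree("\\\\fileserver\\share") from a clean machine; a non-empty "notes" list, or any files carrying the named extension, is a signal to isolate the host and start restoring from backup rather than to keep investigating on the affected system.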
Prevention / Mitigation:
- Ensure that all Windows systems have been patched with the latest security updates from Microsoft. The patches required to block this exploit were released by Microsoft on October 9th, 2018, and are available for download at the following link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453 (bottom of page)
- Ensure that antivirus protection is installed and updated on all systems. Sophos Intercept-X has been demonstrated to both detect and prevent this type of infection. Note, however, that the exploit results in a privilege escalation: the attacker gains the highest possible privileges and can make changes that antivirus software may not be able to block.
- Ensure that all systems are backed up to external media (preferably offsite) and that the backups are restorable. Once encrypted, the files cannot be decrypted without the private key the attacker holds; if the files are backed up, they can be recovered.
- Limit external access to your network. Ensure that any external access that is required uses a secure, encrypted method such as a current SSL certificate or a VPN. Common examples of systems that might be opened to the internet for external access are Remote Desktop or Virtual Desktop systems, email servers, security camera systems, HVAC systems, etc.
For more technical information on the Sodin ransomware variant and the vulnerability it exploits, see: https://securelist.com/sodin-ransomware/91473/