Introduction & Research

A ransomware group called REvil, also known as Sodinokibi, is a well-known criminal group across the dark web. It has gained momentum in the past few years by extorting companies over stolen sensitive data, among them Pierre Fabre, The Dairy Farm Group, the law firm Grubman Shire Meiselas & Sacks and, most recently, the Apple product supplier Quanta Computer Inc. (Kessem, 2021). In these attacks, REvil asked for a minimum of 25 million dollars to return the data (Mehrotra, 2021). The Quanta case is similar except that the group asked for 50 million and declared it their "largest attack ever" (Mehrotra, 2021). The attack itself must have taken place before April 20th: multiple sources state that the group began posting the stolen images on the 20th (Gartenberg, 2021). April 20th is significant for Apple because it was the date of the "Spring Loaded" event at which Apple shows off its upcoming releases. The images included engineering and manufacturing schematics of current and future products built by Quanta (Gartenberg, 2021). One of the stolen images was signed by an Apple designer, John Andreadis, and dated March 9, 2021 (Kessem, 2021); that detail helped verify the authenticity of the images and showed that they were recent rather than old schematics of past devices. REvil threatened that if Quanta did not pay by May 1st it would keep posting new files every day until the ransom was paid. Quanta stands to lose not only images and schematics but its ability to do business, which brings further problems: lost profit, angry partners and customers, and very bad attention from the press. The attack directly affects Quanta and indirectly affects large companies such as HP Inc., Facebook Inc. and Google, which also use Quanta to build their products (Mehrotra, 2021).

Threat Identification

The attack on Quanta was an active ransomware attack.
Ransomware falls under the branch of malware attacks. More specifically, this was an example of Ransomware-as-a-Service (RaaS) (Dinu, 2021), which involves two separate groups working together: the code authors who develop the ransomware and the affiliates who spread it and collect the ransom. Ransomware itself is malware that employs encryption to hold a victim's information for ransom (McAfee, n.d.). This applies to the Quanta attack because data was encrypted, and images and schematics were also stolen by the attackers. The only way to get encrypted data back is with the decryption key, which is withheld until the ransom is paid, and in this case the ransom was very large. The stolen copies are a second, separate source of leverage: paying for the key does nothing about the files the attackers already hold, which is why the threat to publish them mattered as much as the encryption.

Network Component

According to the sources, a Sodinokibi attack begins by targeting a specific user account within a network. Two of the most common ways for the malware to enter a system are a brute-force attack on credentials and a phishing email (Dinu, 2021). Another documented entry point is exploitation of an Oracle WebLogic Server vulnerability, CVE-2019-2725 (Tiwari & Koshelev, n.d.). That flaw is a deserialization bug that lets an unauthenticated attacker run code on the WebLogic server, so this path needs no stolen credentials at all. This is where the attack differs from a pure endpoint attack. Rather than staying on that one computer, the malware can move laterally through the WebLogic Server's transport service to other endpoints without needing credentials to do so (Cooper, 2021). The goal is to get into Quanta's internal network by first penetrating a single endpoint such as an individual computer, then searching the network for any weakness that yields administrative access. Once that is found, the real damage can be done: with the perimeter bypassed and administrative privileges in hand, infecting the whole network is much easier and nearly impossible to stop. Given enough time, the malware will have the entire network either encrypted or exfiltrated.

Improvements

A system can always be improved to make it as secure as possible.
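The WebLogic entry point described under Network Component is also something a defender can watch for in the server's access log. What follows is an added example, not code from the essay or from any of its sources: it parses Common Log Format lines and flags POST requests to the two components that Oracle's security alert for CVE-2019-2725 named (wls9_async_response and wls-wsat) when they come from outside a trusted address range. The two path prefixes are the real component paths; the log lines, the trusted range, the addresses and the host behaviour are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Request paths served by the two WebLogic components named in Oracle's
# alert for CVE-2019-2725 (wls9_async_response.war and wls-wsat.war).
# The exploit shape is a SOAP POST to one of them; the prefixes are real,
# everything else in this file is an assumption made for the example.
SUSPECT_PREFIXES = ("/_async/", "/wls-wsat/")

# Assumed trusted range: hosts that legitimately send SOAP to these endpoints.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Common Log Format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines; the external addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Apr/2021:03:14:07 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0',
    '203.0.113.7 - - [20/Apr/2021:03:14:09 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1423',
    '10.0.5.21 - - [20/Apr/2021:03:15:00 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0',
    '198.51.100.9 - - [20/Apr/2021:03:16:44 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120',
    '198.51.100.9 - - [20/Apr/2021:03:16:50 +0000] "GET /_async/AsyncResponseService HTTP/1.1" 200 388',
]


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def from_trusted(ip):
    """True when the source address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def is_suspect(rec):
    """True for a POST to a vulnerable component from outside the trusted range.

    The status code is deliberately not consulted: the async endpoint accepts a
    well-formed SOAP request before the payload is processed, so a successful
    exploit attempt does not stand out by its response code."""
    if rec is None or rec["method"] != "POST":
        return False
    if not rec["path"].startswith(SUSPECT_PREFIXES):
        return False
    return not from_trusted(rec["ip"])


def scan(lines):
    """Return the parsed records that match the rule, in log order."""
    return [rec for rec in map(parse_line, lines) if is_suspect(rec)]


def summarize(hits):
    """Suspect requests per source address."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for ip, n in summarize(scan(SAMPLE_LOG)).most_common():
        print(f"{ip}: {n} suspect request(s) to WebLogic components")
```

The rule only tells you that someone sent the request shape an exploit uses; it says nothing about whether the server was vulnerable at the time. Oracle's alert for this CVE recommended applying the patch, with removal of the wls9_async_response.war and wls-wsat.war files as an interim workaround, and either of those is the actual fix. A GET to the same path, as in the last sample line, is worth noting as reconnaissance but is not flagged here because the deserialization flaw is reached through a POST body.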
A layered security approach is the ideal way to defend against ransomware, and it needs to be proactive, with steps taken to prevent attacks before they occur. An Intrusion Detection System could be added to flag attempted intrusions (Easttom, 2018). Access control plays a large part, because once the malware has administrative control the system is compromised (Easttom, 2018). Sweeping the network to make sure that only IT staff hold administrative rights could save the network, or at least delay the attack. It is key to approach the securing process from multiple angles, both education-related and technology-related (Dinu, 2021). Education includes backing up your data and training your employees (Dinu, 2021). Always be in the habit of backing up important data, and store copies both online and offline, so that an intruder who can reach the online copy cannot also encrypt or delete the offline one; backups are something you do not think about until it is too late. Training employees plays a vital role, especially against ransomware: phishing is one of the most common ways to spread it, and it normally succeeds when someone on the network clicks a malicious link. Cybersecurity is an ongoing process, and one part of it is keeping systems up to date. Many device and software updates exist to fix vulnerabilities, so a system that is not updated leaves the network exposed; the WebLogic flaw discussed above had a vendor patch, so keeping servers current closes that entry point. Email protection gateways may also prove very helpful against ransomware (Dinu, 2021); plenty of email protection services add an extra layer if a malicious email gets past the perimeter. Solid antivirus software is a must, but it is not sufficient on its own: Sodinokibi is well written and avoids detection by traditional antivirus products (Cooper, 2021). Ransomware is evolving quickly, and the more layers of security a company can provide, the better off it will be.
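The sweep of administrative rights suggested above is the most concrete item in that list, so here is an added example of how such a sweep can be scored. It is not from the essay or its sources. It assumes that the output of `net localgroup Administrators` has already been collected from each Windows host by whatever remote-execution method the organization uses; the host names, the accounts and the approval policy are constructed, while the output layout is the command's real format.

```python
from collections import Counter

# Constructed output of `net localgroup Administrators` from three hosts, as a
# sweep script might collect it. Host names and accounts are made up; the
# layout (dashed separator, one member per line, closing status line) is real.
COLLECTED = {
    "ws-01": """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\alice
The command completed successfully.
""",
    "ws-02": """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\Workstation Admins
The command completed successfully.
""",
    "srv-weblogic-01": """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\alice
CORP\\svc-deploy
The command completed successfully.
""",
}

# Assumed policy: only these principals may sit in a local Administrators group.
APPROVED = {"Administrator", "CORP\\Domain Admins", "CORP\\Workstation Admins"}


def parse_net_localgroup(text):
    """Return the member names from `net localgroup <group>` output.

    Members are the lines between the dashed separator and the trailing
    'The command completed successfully.' line."""
    members = []
    in_members = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_members:
            in_members = line.startswith("---")
            continue
        if not line or line.startswith("The command completed"):
            break
        members.append(line)
    return members


def audit(collected, approved):
    """host -> sorted list of Administrators members that policy does not allow."""
    return {
        host: sorted(set(parse_net_localgroup(output)) - approved)
        for host, output in collected.items()
    }


def blast_radius(collected, approved):
    """Unapproved accounts ranked by how many hosts they administer.

    An account that is a local admin on several machines is exactly what a
    foothold needs in order to move laterally, so these come off first."""
    radius = Counter()
    for extras in audit(collected, approved).values():
        radius.update(extras)
    return radius


if __name__ == "__main__":
    for host, extras in audit(COLLECTED, APPROVED).items():
        if extras:
            print(f"{host}: unapproved admins {', '.join(extras)}")
    for account, hosts in blast_radius(COLLECTED, APPROVED).most_common():
        print(f"{account}: local admin on {hosts} host(s)")
```

In the constructed data the engineer account that was granted admin rights on a workstation also holds them on the WebLogic server, which is the kind of finding the sweep is meant to surface: one phished password then covers both the entry point and a high-value host. The check only sees group membership; a shared local Administrator password across hosts is invisible to it and needs a separate control.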
A final note: Cooper (2021) points out that this WebLogic exploitation path only applies if your network runs Oracle WebLogic Server. Not running WebLogic removes that one entry point, not the threat: the phishing and brute-force entry routes described above do not depend on WebLogic, so the other defenses still apply.

References

Cooper, S. (2021, July 18). What is Sodinokibi ransomware & how to protect against it. Comparitech. Retrieved January 24, 2022, from https://www.comparitech.com/net-admin/sodinokibi-ransomware/

Dinu, C. (2021, December 10). REvil/Sodinokibi ransomware: Origin, victims, prevention strategies. Heimdal Security Blog. Retrieved January 23, 2022, from https://heimdalsecurity.com/blog/sodinokibi-ransomware-101/

Easttom, C. (2018). Network defense and countermeasures: Principles and practices. Pearson Education.

Gartenberg, C. (2021, April 21). Apple targeted in $50 million ransomware attack resulting in unprecedented schematic leaks. The Verge. Retrieved January 23, 2022, from https://www.theverge.com/2021/4/21/22396283/apple-schematics-leak-ransomware-quanta-supplier-leak

Kessem, L. (2021, April 28). The Sodinokibi chronicles: A (R)evil cybercrime gang disrupting organizations for trade secrets and cash. Security Intelligence. Retrieved January 23, 2022, from https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/

McAfee. (n.d.). What is ransomware? Retrieved January 24, 2022, from https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware.html

Mehrotra, K. (2021, April 21). Apple targeted in $50 million ransomware hack of supplier Quanta. Bloomberg. Retrieved January 23, 2022, from https://www.bloomberg.com/news/articles/2021-04-21/apple-targeted-in-50-million-ransomware-hack-of-supplier-quanta

Tiwari, R., & Koshelev, A. (n.d.). Taking a deep dive into Sodinokibi ransomware. Acronis. Retrieved January 23, 2022, from https://www.acronis.com/en-us/articles/sodinokibi-ransomware/