An Arizona small business was recently infected with Sodinokibi ransomware. At this time, we're unsure of the initial threat vector (in general, email/phishing is the greatest risk). The attacker appears to have gained network access and performed reconnaissance: when the business's IT staff tried to negotiate the ransom, the attacker responded that the business could pay a larger ransom and named some of the network-connected devices. The business did not pay the ransom (as we always advise).
Note that I'm hearing more reports of small businesses around the country getting hit with ransomware (source: the National Fusion Center Association's Cyber Intel Network).
Please continue to educate your employees to verify email requests (and to not click). I'll share more information and any indicators of compromise that I receive.
I also want to thank the business for posting the tip to notify the ACTIC about the incident (see instructions below). Sharing information from their incident may help protect other Arizona entities.
As always, please patch promptly. Sodinokibi ransomware elevates its privileges on a victim machine by exploiting the vulnerability CVE-2018-8453 on Windows 7 through 10 and Server editions. A Sodinokibi campaign has targeted managed and cloud service providers. Also, evidence suggests that the actors behind GandCrab ransomware are behind the REvil/Sodin/Sodinokibi ransomware-as-a-service offering (which may be why more small businesses are getting attacked).
Do you know what’s in your cyber insurance policy? Here’s a good, short article with four tips from an attorney. And when you’re negotiating with your insurance carrier, please ensure any non-disclosure clause allows you to share (anonymous) indicators of compromise from your incident!
The Arizona Counter Terrorism Information Center (ACTIC) and Urban Area Security Initiative issue this product to increase Arizona’s awareness and cyber resilience. It’s up to you to make sure you take the proper steps to secure your networks and devices. Although vendors, products, and/or services may be mentioned, we do not endorse any specific one.
Contact [email protected] with any questions, to provide feedback, or to be added/removed from this distribution. Please note that this email address is not monitored 24x7.
Report potential, suspected, and/or confirmed cyber threats to the ACTIC via: