The threat actor behind the Sodinokibi (REvil) ransomware is demanding a $14 million ransom from Light S.A., a Brazil-based electrical energy company.
The company has confirmed that it was hit by a cyberattack but has not disclosed the type of compromise. Security researchers at AppGate, who obtained a sample of the malware believed to have been used in the attack, are confident that the incident involves Sodinokibi.
“Even though we cannot confirm that this was the exact same file used in the attack, the evidence points to it being linked to the breach of Light SA, such as, for example, the ransom price,” notes AppGate.
According to the researchers, someone inside the organization uploaded the same sample to a public sandbox, possibly in an effort to “comprehend how it works.” Submitting a sample to a public service is also what exposed it, ransom demand included, to analysts outside the company.
Analysis of the malware's configuration revealed an identifier for the threat actor, the campaign ID, and the URL the victim is told to visit for payment instructions.
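The kind of configuration triage described above, as an added example that is not AppGate's code and does not come from the original article: the Python script below parses a constructed, already-decrypted Sodinokibi-style configuration and pulls out the actor ID, campaign ID, beacon domains and the URLs embedded in the ransom note. The field names (pid, sub, dmn, nbody, nname, exp, fast) follow public write-ups of the family; every value, URL and domain in the sample is made up, and recovering and decrypting the configuration from the binary itself is assumed to have happened already.

```python
import base64
import json
import re
from typing import Dict, List

# Constructed sample input: a decrypted Sodinokibi/REvil-style configuration.
# Field names follow public analyses of the family; all values (IDs, key,
# domains, URLs, note text) are made up for this example.
_NOTE_TEXT = (
    "---=== Welcome. Again. ===---\n"
    "[+] Whats Happen? [+]\n"
    "Your files are encrypted, and currently unavailable.\n"
    "[+] How to get access on website? [+]\n"
    "Tor-browser: http://examplefakeonionaddressxxxxxxxxxxxx.onion/{UID}\n"
    "Alternative: http://decryptor.example/{UID}\n"
    "[+] Your key: {KEY} [+]\n"
)

SAMPLE_CONFIG = json.dumps({
    "pk": "ZmFrZS1wdWJsaWMta2V5",            # attacker public key (fake)
    "pid": "12",                              # affiliate / threat-actor ID
    "sub": "345",                             # campaign ID
    "dbg": False,
    "fast": True,                             # fast (partial) encryption mode
    "wipe": False,
    "exp": True,                              # attempt privilege-escalation exploit
    "dmn": "example-a.test;example-b.test",   # domains the sample beacons to
    "nname": "{EXT}-readme.txt",              # ransom note file name
    # Public write-ups show the note stored as base64 of UTF-16LE text.
    "nbody": base64.b64encode(_NOTE_TEXT.encode("utf-16-le")).decode("ascii"),
})

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_config(raw: str) -> Dict:
    """Parse a decrypted config blob; refuse anything that is not a JSON object."""
    cfg = json.loads(raw)
    if not isinstance(cfg, dict):
        raise ValueError("config is not a JSON object")
    return cfg


def decode_note(cfg: Dict) -> str:
    """Decode the base64 ransom note, as UTF-16LE when NUL bytes are present
    (the layout seen in public samples), otherwise as UTF-8."""
    data = base64.b64decode(cfg.get("nbody", ""))
    if b"\x00" in data:
        return data.decode("utf-16-le", errors="replace")
    return data.decode("utf-8", errors="replace")


def extract_urls(text: str) -> List[str]:
    """Return every http(s) URL in the note, with trailing punctuation stripped."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def summarize(cfg: Dict) -> Dict:
    """Collect the indicators an analyst wants from a parsed config."""
    urls = extract_urls(decode_note(cfg))
    return {
        "actor_id": cfg.get("pid"),
        "campaign_id": cfg.get("sub"),
        "uses_privesc": bool(cfg.get("exp", False)),
        "fast_mode": bool(cfg.get("fast", False)),
        "beacon_domains": [d for d in cfg.get("dmn", "").split(";") if d],
        "onion_urls": [u for u in urls if ".onion" in u],
        "clearnet_urls": [u for u in urls if ".onion" not in u],
        "note_name": cfg.get("nname"),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_config(SAMPLE_CONFIG)).items():
        print(f"{key}: {value}")
```

The onion and clearnet URLs, the beacon domains and the actor/campaign pair are the values worth feeding into blocklists and into correlation with other samples; the `{UID}` and `{KEY}` placeholders are filled in per victim by the malware at run time, so they should be stripped before the URL is compared against other reports.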
That website, hosted on the dark web, told the victim to pay a ransom of 106,870.19 XMR (Monero) by 19 June. The deadline has since passed, and the demand has roughly doubled to 215,882.8 XMR, about $14 million at the time of writing.
The same page names Sodinokibi as the perpetrator and tries to persuade the victim to pay by promising full decryption of the affected data.
“The whole attack looks very professional, there’s even a chat service on the web page, where the victim can talk directly to the attacker,” the researchers say.
Sodinokibi is offered under the ransomware-as-a-service (RaaS) model and is operated by a threat actor likely affiliated with “Pinchy Spider,” the group behind the GandCrab ransomware.
While analyzing the malware itself, AppGate found that it carries both 32-bit and 64-bit exploits for CVE-2018-8453, a privilege-escalation vulnerability in the Win32k component of Windows, which it uses to gain elevated privileges on the infected host. Microsoft patched that flaw in October 2018, so the exploit only succeeds on hosts that have not received that update.
“Sadly the family does not have a global decryptor, which means that the private key of the intruder is required to decrypt the files,” AppGate adds.