Discover and read the best of Twitter Threads about #Sodinokibi

Most recents (2)

In light of the recent #SupplyChain attack on @KaseyaCorp by #REvil, it is worth paying attention to decoder[.]re included within the ransom notes, used additionally to 'mirror' in TOR network. #Ransomware #Cybersecurity #ThreatIntel #ThreatHunting #Malware Image
Similar to decryptor[.]cc and decryptor[.]top in previous #REvil/#Sodinokibi versions, decoder[.]re is used to grant the victims access to the threat actors WEB-site for further negotiations should their connection be limited via #TOR. Image
To access the page in WWW or TOR - the victim needs to provide a valid UID (e.g. "9343467A488841AC") ImageImage
Read 11 tweets
A #Sodinokibi campaign broke out last week using "Outstanding statement" emails in the Chinese language, with the ransomware itself inside a .zip archive as attachment, a notable change from past campaigns that used drive-by downloads or emails with malicious URLs ImageImage
The ransomware is an .exe file that pretends to be .xls using double extensions. It runs a PowerShell command to delete the shadow copy, encrypts & renames files with alphanumeric characters as extension (ex., myfile.x63b59), drops ransom note, changes the desktop background ImageImage
Office 365 ATP catches the malicious attachments used in this new Sodinokibi campaign, protecting customers from ransomware infection. Microsoft Defender ATP blocks the malware on endpoints and raises alerts for malicious behaviors, including shadow copy deletion.
Read 4 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!