Threat Intelligence

Affiliates Unlocked: Gangs Switch Between Different Ransomware Families

The demise of Sodinokibi has led to a surge in LockBit activity, while there’s evidence affiliates are using multiple ransomware families to achieve their goals.

The shutdown of the Leafroller ransomware gang (aka Sodinokibi/REvil) has resulted in a surge in LockBit activity, as some ex-Sodinokibi affiliates move to that ransomware. Meanwhile, there is also more evidence that some attackers are affiliated to more than one ransomware group and are switching between ransomware families mid-attack if the initial ransomware they attempt to deploy fails to execute.

These are just the latest developments Symantec, part of Broadcom Software, has seen as ransomware actors continue to evolve their tactics to make their attacks more dangerous and effective.

Sodinokibi shutdown leads to LockBit surge

Attacks involving the LockBit ransomware have increased markedly over the past month, with some indications that the group behind it is attempting to fill the gap left by the Sodinokibi ransomware.

Sodinokibi’s infrastructure and websites disappeared on July 12, 2021, shortly after the group had carried out a major ransomware attack in which it encrypted approximately 60 managed service providers (MSPs) and more than 1,500 individual businesses using a zero-day vulnerability in the Kaseya VSA remote management software. It’s unclear why exactly the gang’s operations shut down, but it has been speculated that the gang shuttered their activity following either pressure or action by law enforcement.

Symantec researchers have seen evidence that at least one former Sodinokibi affiliate is now using LockBit. Symantec has observed an attacker using consistent tactics, techniques, and procedures (TTPs) attempting to deliver Sodinokibi to victims until July of 2021, when the payload switched to LockBit.

LockBit (aka Syrphid) was first seen in September 2019, and launched its ransomware-as-a-service (RaaS) offering in January 2020. However, there was a marked increase in its activity in the last month as it seemingly attempted to recruit former Sodinokibi affiliates.

This recent attack began with a file named mimi.exe, which is an installer that drops a number of password-dumping tools. Immediately prior to the ransomware being launched, a large number of commands were executed to disable various services, block access to remote desktop protocol (RDP), and delete shadow copies. This is activity we typically see before ransomware is deployed on a system. The actor behind this attack consistently named their ransomware payload as svhost.exe and this practice was maintained following their transition to LockBit.

The actors behind recent LockBit campaigns were seen using a variety of different TTPs before deploying the ransomware payload, including:

  • DefenderControl.exe – disables Windows Defender
  • NetworkShare – scans infected network
  • Nsudo-dropper – file dropper
  • Credential Stealing – collecting credentials from infected machines
  • Mimikatz – credential dumper, used for lateral movement across networks
  • Defoff.bat
  • DelSvc.bat
  • Netscan – retrieves information about services running on infected machines
  • PasswordRevealer – shows obfuscated passwords

The numerous password-dumping tools used by these attackers indicate that harvesting credentials is a key part of their attack chain.

Splitting allegiances

In another ransomware attack that occurred in June 2021, it appears that attackers who usually encrypt networks using the Conti ransomware switched payloads and used the Sodinokibi ransomware instead.

Initial activity in this attack followed the attackers’ usual playbook, deploying Cobalt Strike, an off-the-shelf remote access tool commonly seen in ransomware attacks. This would usually be followed by them delivering Conti. Conti first appeared in December 2019 and has been seen used in some high-profile recent ransomware attacks, many targeting healthcare providers, including a May 2021 ransomware attack that crippled Ireland’s public health service provider, the HSE.

However, in this recent attack, instead of deploying Conti, the attackers switched payloads and deployed Sodinokibi to encrypt several hundred machines on the network. Before Sodinokibi was deployed we saw the attackers use BitsAdmin when moving across the victim network, while they also carried out some other preliminary activity before deploying the ransomware, including disabling Microsoft Defender, disabling Defender’s real-time monitoring, and deleting shadow copies.

The attackers maintained a presence on the victim network for approximately three weeks before the Sodinokibi ransomware was deployed.

While not common up to now, this isn’t the first time we have seen evidence of affiliates appearing to have access to more than one ransomware family at the same time. In the attack we talked about in our blog Ransomware: Growing Number of Attackers Using Virtual Machines, there was evidence the attacker had access to both the Mount Locker and Conti ransomware, and may have attempted to run one payload on a virtual machine and, when that didn’t work, ran Mount Locker on the host computer instead.

Impact

Affiliates switching between different ransomware families like this is yet another attempt by ransomware actors to increase the chances of their attacks succeeding, and it will be interesting to see whether or not this is a tactic we start to increasingly observe during ransomware attacks.

Having access to multiple ransomware families increases the likelihood of affiliates being able to encrypt machines, increasing the dangers posed by these already dangerous attacks. This is just the latest development we have seen from ransomware actors, who are constantly refining their tactics in order to maximise their profits. The use of virtual machines was another example of attackers tweaking their approach in order to carry out a ransomware attack, while the emergence of double-extortion ransomware attacks last year, where attackers steal data and threaten to release it while also encrypting machines in ransomware attacks, led to one of the biggest shifts we saw in the ransomware landscape in recent times.

The surge in LockBit activity that we have seen also shows that while some big ransomware names have shut down their operations in recent times, there are many other ransomware operators waiting to fill the space that has been left.

Ransomware actors continue to change and refine their tactics in an effort to evade the security steps taken by organizations to stop these types of attacks, which is why ransomware remains one of the biggest threats on the cyber crime landscape in 2021.

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise (IoCs)

File hashes | Descriptions | Detection Names
66b4a0681cae02c302a9b6f1d611ac2df8c519d6024abdb506b4b166b93f636a | Mimikatz | Hacktool.Mimikatz
c667c916b44a9d4e4dd06b446984f3177e7317f5f9cff91033d580d0cc617eaa | LockBit | Ransom.LockBit
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446 | Alias: NetworkShare | Hacktool
c4f3f4bd9ebd180388ed1812df0cd48e02a2393bccee822410cf28b44c44a382 | LockBit | Heur.AdvML.B
7e97f617ef7adbb2f1675871402203c245a0570ec35d92603f8f0c9e6347c04a | LockBit | Heur.AdvML.B
659ce17fd9d4c6aad952bc5c0ae93a748178e53f8d60e45ba1d0c15632fd3e3f | Alias: Nsudo-dropper | Trojan Horse
ad9e1593f9d992ddb9d21495f06bd31a7e39ee7746510d66f0596c5dfbc4e8ab | PasswordDumper | PasswordRevealer
bce5c2583c32efc411dddaaee8b63a36fe8010c284ddeb558246e81a62179323 | LockBit | Heur.AdvML.B
dae5fbdaa53b4f08876e567cf661346475ff4ae39063744ca033537d6393639a | LockBit | Ransom.LockBit
068D94A8AD277637412AE710AB431789A5E6F020B6FB412FC2C06D5C00E5342A | DelSvcBAT | Trojan Horse
0A9E09A970E6E0EDEE2D9120F6E5020F7C1B75CCF7AD1A0C720A63E914099CF5 | LockBit | Trojan Horse
2DDDFD3FF13F0CAF9644E95F93F008590D54B521DCBC4DEFC9EB37801498DD51 | Netscan | Trojan Horse
5D74EFDF9062FE052E8676F9CA9AFB4BFF770B55AC98F51210E502061E706DB8 | DelSvcBAT | Trojan Horse
6C76C93867B28C070E32E17312B1FD1E01FC7BA2D7DC0AE2A0B96CD615F643F9 | Unknown | Trojan Horse
A398C70A2B3BF8AE8B5CEDDF53FCF6DAA2B68AF2FADB76A8EA6E33B8BBE06F65 | DefoffBAT | Trojan Horse
36E33EB5280C23CBB57067F18514905E42F949250F95A5554F944180FCD5FE36 | Mimikatz | Trojan Horse

File path:
csidl_windows\temp\temp\mimi\passrecpk
Commands:
net stop MSSQL$MSFW
net stop MSSQL$ISARS
net stop MSSQLServerADHelper100
net stop MSSQLServerADHelper100
net stop SQLAgent$ISARS
net stop MSSQL$MSFW
net stop MSSQL$ISARS
net stop MSSQLServerADHelper100
net stop SQLAgent$MSFW
net stop SQLAgent$ISARS
net stop MicrosoftDependencyAgent
net stop Veeam.Archiver.Service
net stop "Microsoft Storsimple Management Service" /y
net stop VeeamFilesysVssSvc
net stop Veeam.Archiver.Proxy
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
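The pre-encryption staging described in this post (stopping backup and SQL services, disabling Windows Defender scheduled tasks, deleting shadow copies, and a payload consistently named svhost.exe) is easy to hunt for in process-creation telemetry because each step is a distinct, noisy command, and seeing several of them on one host in a short span is a strong signal. The script below is an added example written for this page, not Symantec's code or detection logic. It assumes a simplified event format (timestamp, host, image path, command line) constructed here for illustration, assumes the vssadmin and wmic forms of shadow-copy deletion (the post only says shadow copies were deleted), and uses a threshold of two distinct behaviours per host, which you would tune to your environment.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not real telemetry).
# Format: <timestamp> <host> <image path>|<command line>
SAMPLE_EVENTS = r"""
2021-07-02T10:15:03Z host01 C:\Windows\System32\net.exe|net stop Veeam.Archiver.Service
2021-07-02T10:15:04Z host01 C:\Windows\System32\net.exe|net stop MSSQL$ISARS
2021-07-02T10:15:09Z host01 C:\Windows\System32\schtasks.exe|schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
2021-07-02T10:15:20Z host01 C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
2021-07-02T10:16:00Z host01 C:\Users\Public\svhost.exe|svhost.exe
2021-07-02T11:02:11Z host02 C:\Windows\System32\net.exe|net stop MSSQL$ISARS
2021-07-02T11:03:40Z host02 C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
"""

# Patterns derived from the commands listed in the post. The vssadmin/wmic
# shadow-copy forms are an assumption; the post does not show that command.
RULES = {
    "stop_backup_or_sql_service": re.compile(
        r'^net(?:\.exe)?\s+stop\s+"?(?:MSSQL|SQLAgent|Veeam|MicrosoftDependencyAgent|Microsoft Storsimple)',
        re.IGNORECASE),
    "disable_defender_task": re.compile(
        r'^schtasks(?:\.exe)?\s+/change\s+/tn\s+"Microsoft\\Windows\\(?:Windows Defender|ExploitGuard)\\[^"]*"\s+/disable',
        re.IGNORECASE),
    "delete_shadow_copies": re.compile(
        r'^(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)',
        re.IGNORECASE),
}

# The actor's payload name from the post; the legitimate service host is svchost.exe.
LOOKALIKE_IMAGES = {"svhost.exe"}


def parse_event(line):
    """Parse one event line into a dict, or return None for blank/malformed lines."""
    parts = line.strip().split(" ", 2)
    if len(parts) != 3 or "|" not in parts[2]:
        return None
    image, cmdline = parts[2].split("|", 1)
    return {"ts": parts[0], "host": parts[1], "image": image, "cmdline": cmdline}


def classify(event):
    """Return the names of every rule the event triggers (empty list if none)."""
    hits = [name for name, rx in RULES.items() if rx.search(event["cmdline"])]
    # Compare the image basename, so the payload is caught wherever it was dropped.
    if PureWindowsPath(event["image"]).name.lower() in LOOKALIKE_IMAGES:
        hits.append("lookalike_process_name")
    return hits


def scan(text, min_rules=2):
    """Group hits per host and flag hosts where at least min_rules distinct rules fire.

    A single stopped SQL service is routine maintenance; several different
    staging behaviours on the same host is what precedes ransomware deployment.
    """
    per_host = defaultdict(lambda: {"rules": set(), "hits": []})
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in classify(ev):
            per_host[ev["host"]]["rules"].add(rule)
            per_host[ev["host"]]["hits"].append((ev["ts"], rule, ev["cmdline"]))
    return {
        host: {
            "rules": sorted(data["rules"]),
            "hits": data["hits"],
            "suspected_staging": len(data["rules"]) >= min_rules,
        }
        for host, data in per_host.items()
    }


if __name__ == "__main__":
    for host, data in scan(SAMPLE_EVENTS).items():
        flag = "SUSPECTED PRE-RANSOMWARE STAGING" if data["suspected_staging"] else "single behaviour only"
        print(f"{host}: {flag}; rules={data['rules']}")
        for ts, rule, cmd in data["hits"]:
            print(f"  {ts} [{rule}] {cmd}")
```

In the constructed sample, host01 trips all four rules within a minute and is flagged, while host02, which only stopped one SQL service, is not; that is the distinction the per-host threshold is meant to draw. In production you would feed this from Sysmon event ID 1 or Windows Security event 4688 and add a time window so that a rule hit from last month does not count toward today's score.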

About the Author

Threat Hunter Team

Symantec

The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.
