
Kaspersky tracks down major new ransomware

(Image credit: Christiaan Colen / Flickr)

Cybersecurity researchers from Kaspersky have discovered a new type of ransomware, and this one seems to be more dangerous than any of its predecessors for one key reason.

The ransomware, named Sodin, takes advantage of a zero-day vulnerability in the Windows operating system, which means that victims don’t even need to download and run a malicious attachment (which was typically essential for the success of a ransomware campaign).

Instead, all the attackers need to do is find a vulnerable server and send a command to download a malicious file called “radm.exe”, which then saves the ransomware locally and executes it.

The Windows vulnerability is now known as CVE-2018-8453.

Sodin also uses what’s known as the “Heaven’s Gate” technique, which allows the malicious program to execute 64-bit code from a 32-bit running process. Kaspersky claims this doesn’t happen often in ransomware. This makes the ransomware harder to detect, as well as harder to analyse.

Most Sodin targets are in the Asia region: 17.6 per cent of attacks went to Taiwan, 9.8 per cent to Hong Kong and 8.8 per cent to South Korea. However, Kaspersky says Europe, North America and Latin America weren’t spared.

Each victim was asked to pay US$2,500 worth of bitcoin.

“Ransomware is a very popular type of malware, yet it’s not often that we see such an elaborate and sophisticated version: using the CPU architecture to fly under the radar is not a common practice for encryptors. We expect a rise in the number of attacks involving the Sodin encryptor, since the amount of resources that are required to build such malware is significant. Those who invested in the malware’s development definitely expect it to pay off handsomely,” said Fedor Sinitsyn, a security researcher at Kaspersky.