Ransomware Response, Done Right.

In the early morning hours in March of 2020, a high-value target company experienced a Sodinokibi ransomware incident that impacted the vast majority of their user’s workstations. This particular ransomware attack had a unique twist — video screen captures recorded the event, revealing that the threat actors accessed a live feed throughout the attack, and enabled them to actively monitor their victim’s response when the ransomware was triggered.

Sodinokibi Ransomware Minute-By-Minute Timeline

Our Forensic Analysis Team

Senior Director of DFIR Brad Roughan, Director of DFIR Bryan Mermilliod, and Director of DFIR Rahil Aftab teamed up to tackle this case. They confirmed the ransomware variant as Sodinokibi/REvil, and the root point of compromise to be from a cloud-based RMM (Remote Management and Monitoring) solution named “ConnectWise Control.” Unfortunately, when RMM tools such as ConnectWise are compromised, it allows a threat actor to quickly and effortlessly take over entire networks and to conduct malicious activities undetected and at their discretion. We have seen numerous cases where RMM tools are to mass-deploy ransomware to downstream customers of MSPs. Many of these cases have involved ConnectWise in conjunction with Sodinokibi. Rahil Aftab commented, “It was really interesting to be able to compare the screen capture video to the underlying forensic artifacts. We saw how the threat actor’s activities and the artifacts left behind compared to the videos from the affected systems.”

How the Network was Compromised

The organization felt quite blindsided by this attack — they had enforced several precautions across the board and implemented some security best practices. They felt they had good systems to prevent Sodinokibi, so how could an attack like this happen to them? While the high-value target company reported that two-factor authentication was enabled (and should have prevented a login from an unknown 3rd party), Tetra discovered that the employee behind the “Tech Support” user account never completed the process of setting up multifactor authentication. Other risky user behaviors included a saved text file containing user credentials and passwords — both to their desktop and to a personal online account. Personal cloud accounts were on their work laptop, and they were actively using torrents to search for, download, and install movies and cracked software. What’s most glaring is that the “Tech Support” user had sent email attachments including a username and password list — a spreadsheet containing employee names, phone extensions, and IP addresses, all in plain text.

“As we got further into the case, it evolved into a unique mix of both an investigation of an active ransomware attack and an internal investigation of missteps taken by an IT employee. It’s one of the more interesting cases I’ve seen recently,” said Brad Roughan. Bryan Mermilliod commented, “With both external and internal risks at play, the client was understandably on high alert throughout the restoration process. Our ability to detect malicious activity combined with our experience rebuilding and troubleshooting systems after these attacks allowed us to give the client peace of mind as they returned to ‘normal.’” As unsettling as it is to be surveilled in a compromising situation, there is a silver lining to this case.

Thankfully, as evidenced by extended logging in ConnectWise, there was no sign of data exfiltration. This threat actor was solely focused on compromise and encryption rather than stealing the client’s data.