New Ransomware: CERT issues high-level alert

There was a high-level threat as new threat of Ransomware could attack companies and individuals worldwide, the Computer Emergency Readiness Team (SLCERT) has warned.

While issuing a notice, the SLCERT said the ransomware Sodinokibi, also known as REvil is a name for a family of advanced Ransomware.

“It encrypts (makes files and folders unreadable) important files in various formats and demands a ransom to decrypt (make files and folders readable) them,” an official at the SLCERT said.

The said said the Sodinokibi was observed propagating itself by exploiting a vulnerability in Oracle WebLogic server (CVE-2019-2725).

Later, Cyber-criminal Groups have further propagated this ransomware through infected email attachments (macros), torrent websites, phishing or by spreading infected links through online advertisements etc.

It was first reported in Asia but it is now a worldwide threat, they said.

The attackers send a ransom note through a text (.txt) file and /or by a message that would appear on the victim’s computer screen. To decrypt data, attackers request users to visit their website using one of the two links provided; one of which has to be opened using the Tor browser and the other with commonly used browsers. Victims have to provide the key and extension name included in the ransom message. The victim is then informed of the payment details and instructions to be followed.

The Sodinokibi has attacked a wide array of companies including Telecommunication service providers, Law Firms and IT Services causing service disruptions and information losses.

Further, it has targeted celebrities and prominent individuals threatening to release their sensitive information online.

“After the attack, it will loss important files and documents of the victim company’s data. They could expose confidential information to unauthorized parties. They may result in a complete or partial shutdown of your company’s operations, they may damage your company’s reputation or create financial losses,” CERT said.

Therefore, the SLCERT request people not to download files from suspicious sources or click on suspicious links. Not to download decryption tools from suspicious sources.

“The CERT requests users to make multiple backups of data regularly, and keep them offline and/or store off-site,” it said.

“CERT requests to increase the security of backup with additional ransomware protection software and to update and install the latest security patches on installed third-party software,” the official said.

The users should aware of keeping their virus guards and operating systems up to date and to monitor the latest malware infections and patterns.

If any computer/s infected by the Sodinokibi attack it is better to isolate the infected computers from the network.

The payment of ransom is not recommended since there is no guarantee that you will get your data back, the SLCERT added. (Chaturanga Samarawickrama)