Quote of the Day

Saturday, September 12, 2020

Sodinokibi ransomware attack using legitimate tools and services

Jon DiMaggio of Symantec discussed today that Sodinokibi, a targeted ransomware, is scanning POS systems in the food and healthcare industries. Sodinokibi uses remote access tools (RDP) to deliver the ransomware (Cobalt Strike), download it onto the victim's computer, and then compile it on the targeted system disguised as a legitimate service. They also use legitimate services like Pastebin and CloudFront to load the payload and for C&C infrastructure. Researchers are unsure why Sodinokibi is scanning POS systems; they suspect it might encrypt the POS software or be planning on a bigger payout. High-profile companies are paying millions of dollars to this ransomware group. If the demand goes unpaid, they post the files publicly to hurt the customers and the company's reputation. Sodinokibi operates as ransomware as a service (RaaS). Because they use legitimate tools to intrude on the targeted system and deliver the payload, their campaign has been very successful, infecting three high-profile companies so far.

The suggested way to detect or deter the attack is for the system administrator to spend 10-15% of the day looking at the .bat files to see if they are searching for the firewall or other security systems, or showing any other out-of-the-ordinary behavior. The best recommendation for a ransomware attack is to prevent it from happening: the dwell time between initial intrusion and execution is less than 30 days, typically 2-7 days. It is best to tackle the ransomware early, before execution, by monitoring legitimate tools for unusual behavior and exercising separation of duties and segregation of tools. Once the attack happens it is too late.
https://podcasts.google.com/?feed=aHR0cHM6Ly90aGVjeWJlcndpcmUubGlic3luLmNvbS9yc3M&ep=14&episode=MDQ3MjZiODItZjQ1Ni0xMWVhLWIyMzctYWYxNGIwNjU1MDUy
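As an added example (not from the post or the podcast), here is a small Python checker for the "look at the .bat files" recommendation above: it flags batch-file lines that query or disable the Windows Firewall or enumerate installed security products. The pattern list and the sample batch file are assumptions constructed for this example, not indicators from the original post.

```python
import re
from typing import List, Tuple

# Commands a batch file would use to probe or tamper with the host firewall
# or other security products. These patterns are this example's own
# assumptions; tune them to the tooling actually present in your estate.
SUSPICIOUS_PATTERNS = {
    "firewall_query": re.compile(r"\bnetsh\s+(advfirewall|firewall)\b", re.I),
    "firewall_disable": re.compile(r"\bnetsh\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I),
    "security_service_probe": re.compile(
        r"\b(sc|net)\s+(query|start|stop|config)\b.*(defend|sense|mcafee|symantec|sophos)", re.I),
    "av_product_enum": re.compile(r"\bwmic\b.*(antivirusproduct|securitycenter2)", re.I),
    "defender_tamper": re.compile(r"Set-MpPreference\s+-Disable", re.I),
}


def scan_batch(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, category, line) for every line that hits a pattern."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Skip blank lines and comments so only commands that would run are reported.
        if not line or line.lower().startswith(("rem ", "::")):
            continue
        for category, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, category, line))
    return findings


def needs_review(text: str) -> bool:
    """True when the batch file contains at least one suspicious command."""
    return bool(scan_batch(text))


# Constructed sample: a routine-looking "backup" job that also enumerates
# the firewall state, the Defender service and installed AV products.
SAMPLE_BAT = r"""@echo off
rem constructed sample for this example
xcopy C:\data D:\backup /E /Y
netsh advfirewall show currentprofile
sc query WinDefend
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
echo done
"""

if __name__ == "__main__":
    for lineno, category, line in scan_batch(SAMPLE_BAT):
        print(f"line {lineno}: {category}: {line}")
```

Run it over the scheduled-task and logon-script directories on a host and review anything it reports against the job's documented purpose.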
