# Electric Company Ransomware Attack

**[appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom](https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom)**

**Light S.A., a Brazilian electrical energy company, was recently hit by ransomware, with the cybercriminals demanding a payment of 14 million U.S. dollars.**

[The company issued comments to a local newspaper confirming the attack](https://vejario.abril.com.br/cidade/hackers-invadem-light-resgate/); however, technical details were not disclosed by the company.

_Twitter Post from Light SA Official Account, Confirming the Attack._

Our malware analysis team had access to the binary that was likely used in the attack, and we were able to confirm that the sample belongs to a family known as Sodinokibi (aka REvil). Although we can't confirm that this was the exact file used in the attack, the evidence, such as the ransom price, points to it being connected to the Light SA breach.

The sample was automatically collected by AppGate Labs on June 17, 2020 through our live hunting process. Since the binary was sent to a public sandbox, this suggests that someone from the company submitted the file in an attempt to understand how it works.

_Machine Infected with Sodinokibi Sample._

The sample is packed and works the same way as other binaries we have already identified from this family. Once unpacked, we were able to decrypt its configuration and access relevant data about the threat, such as the actor / campaign ID and the URL the victim must access to get instructions.

_Ransomware Attack Asking 14,000,000 USD._

According to the page hosted on the deep web, the ransom must be paid in the virtual currency Monero. Prior to June 19, the total was 106,870.19 XMR, equivalent to 7 million USD. However, since the deadline has passed, the price has doubled to 14 million US dollars.
The whole attack looks very professional; the web page even includes chat support, where the victim can speak directly with the attacker. Sodinokibi operates under a RaaS (Ransomware as a Service) model, and the group behind the operation appears to be affiliated with "Pinchy Spider", which is the same group behind the GandCrab ransomware [1].

## Deep Web Panel

With the URL collected from the binary, we were able to access the web page (hosted on the deep web) and confirm details about the attack. The first thing to notice is the ransom price, which is extremely high and likely due to the affected company belonging to an important sector.

_Ransomware Asking for 7,000,000 USD Before Deadline._

There is an "About Us" section which contains a small overview of the Sodinokibi family.

_Sodinokibi Description According to the Web Page._

It also provides online chat support, where the victim can interact with the attackers. In the images below, we can see that someone reached out to the attacker. We decided to censor the images to reduce the exposure of the person involved.

_Sodinokibi Chat Support._

At the end of the chat we can see that the attacker sends a file that is supposedly confidential, proving to the victim that the data can be decrypted and also suggesting that the file was probably stolen from the company's network.

_Decrypted "Confidencial.xlsx" File Sent by Attacker._

## Technical Details

The main file is packed and uses two shellcode streams for the unpacking and execution process. First, it allocates memory using the `LocalAlloc` API [2], writes an encrypted shellcode to it, and transfers execution to it once decrypted.
_Sodinokibi Decrypting First Shellcode._

This shellcode unpacks Sodinokibi along with a second shellcode, which will eventually load the final binary into memory.

_Second Shellcode Along with Unpacked Sodinokibi._

Finally, the shellcode injects the unpacked Sodinokibi binary into the same process space by wiping the original PE file from memory and writing the new PE.

_Sodinokibi Self-Injection._

The binary is highly configurable. The settings are encrypted with RC4 and are usually stored in a randomly named section; in this case the section name is ".cfg".

_Sodinokibi Encrypted Configuration Stored on PE Section._

Upon execution, it decrypts the content of this section into allocated memory.

_Sodinokibi Decrypting its Configuration._

The decrypted configuration is in JSON format and contains several options used by the malware.

| Key | Type | Description |
| --- | --- | --- |
| dbg | Boolean | If true, ignores the keyboard layout check |
| dmn | List of strings | List of domains for communication (C2 servers) |
| exp | Boolean | If true, enables privilege escalation using CVE-2018-8453 as exploit |
| fast | Boolean | If true, encrypts only part of each file |
| img | String | Message displayed on the desktop background |
| nbody | String | Contents of the "readme" file (base64 encoded) |
| net | Boolean | If true, sends POST requests to the C2 servers |
| nname | String | Name of the "readme" file |
| pid | String | Actor ID |
| pk | String | Public encryption key (base64 encoded) |
| prc | List of strings | Processes to terminate |
| sub | String | Campaign ID |
| wfld | List of strings | List of folders to wipe |
| wht | Dictionary | Contains information about the whitelist (to skip encryption) |
| wht.ext | List of strings | Whitelisted extensions |
| wht.fld | List of strings | Whitelisted folders |
| wht.fls | List of strings | Whitelisted files |
| wipe | Boolean | If true, wipes the folders specified in "wfld" |

An interesting capability not used by this specific sample: if "exp" is "true", it tries to escalate privileges by exploiting a vulnerability in "win32k.sys" (CVE-2018-8453 [3]) with both 32-bit and 64-bit versions of the exploit, using a technique known as "Heaven's Gate" [4] to execute 64-bit code in a 32-bit process; this exploit code is located in the ".rdata" section of the PE file.

_Code Decrypting and Executing the Shellcode._

Also, if the "dbg" option is set to "false", the malware checks the UI language and the keyboard layout of the infected machine.

_Keyboard Layout Verification._

Above, we can see that this ransomware has a whitelist based on location: if the return value [5] matches any value in the list, it will not encrypt files on the machine.

Furthermore, it uses PowerShell to delete Windows shadow copies.

_Sodinokibi Deleting Windows Shadow Copies._

Once all the files are encrypted, it changes the background to the following image:

_Sodinokibi Background._

Lastly, it drops a ransom note in every folder where encrypted files can be found.

_Sodinokibi Ransom Note._

Unfortunately, there is no global decryptor for this family, which means that the attacker's private key is required to decrypt the files.

During the period of the attack, we noticed that the company's website was offline, presenting an error message related to the database, which could be related to the attack.
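As an added example (not code from the original post or from AppGate), the following Python script triages a decrypted Sodinokibi configuration using the key table above: it checks each key's type against the table, decodes the base64 fields, and lists the C2 domains and the option flags that change behaviour. The actor ID, campaign ID and public key are the values from the IOC section; every other value in the sample config is a constructed placeholder.

```python
import base64
import json

# Expected type of each top-level key, taken from the configuration table above.
SCHEMA = {
    "dbg": bool, "dmn": list, "exp": bool, "fast": bool, "img": str,
    "nbody": str, "net": bool, "nname": str, "pid": str, "pk": str,
    "prc": list, "sub": str, "wfld": list, "wht": dict, "wipe": bool,
}
# Boolean options that enable extra behaviour when set to true.
BEHAVIOUR_FLAGS = ("exp", "wipe", "net", "fast")
# Constructed sample: pid, sub and pk are the values from the IOC section of the
# post; every other value is a placeholder made up for this example.
SAMPLE_CONFIG = json.dumps({
    "dbg": False,
    "dmn": ["c2-two.example", "c2-one.example"],
    "exp": False, "fast": True, "img": "Your files are encrypted.",
    "nbody": base64.b64encode(b"Your data has been encrypted. Pay in Monero.").decode(),
    "net": True, "nname": "{EXT}-readme.txt",
    "pid": "$2a$10$D/hOr8pZfTXyeVodyREcseBOlXf2dcLmqmQJTa4y2uSfGkhEZXq62",
    "pk": "5OflM/v+EILgBXm+0q5qAVIHbpAd3zVkD2aFdBKJe0g=",
    "prc": ["sql.exe", "backup.exe"], "sub": "4430", "wfld": ["backup"],
    "wht": {"ext": ["exe", "dll"], "fld": ["windows"], "fls": ["ntldr"]},
    "wipe": False,
})

def validate(cfg):
    """Return the keys that are missing or whose type differs from the table."""
    problems = []
    for key, expected in SCHEMA.items():
        if key not in cfg:
            problems.append(f"missing:{key}")
        elif not isinstance(cfg[key], expected):
            problems.append(f"type:{key}")
    return problems

def triage(raw):
    """Parse a decrypted config and extract what an analyst needs first."""
    cfg = json.loads(raw)
    return {
        "problems": validate(cfg),
        "c2": sorted(cfg["dmn"]),
        "actor_id": cfg["pid"], "campaign_id": cfg["sub"],
        "pk_len": len(base64.b64decode(cfg["pk"])),  # raw key size in bytes
        "readme_name": cfg["nname"], "skip_ext": cfg["wht"]["ext"],
        "readme_text": base64.b64decode(cfg["nbody"]).decode("utf-8", "replace"),
        "flags": [f for f in BEHAVIOUR_FLAGS if cfg.get(f) is True],
        "kill_processes": cfg["prc"],
        "wipe_folders": cfg["wfld"] if cfg["wipe"] else [],
    }
```

Feeding the decrypted ".cfg" contents of a real sample into `triage` gives the same summary; a non-empty `problems` list means the layout differs from the table and is worth a closer look.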
_Light WebSite Offline During Ransomware Attack._

## IOCs

**SHA1:** f09e5e72b433d11a32efe2e5d63db0bc7b8def59

**SHA256:** 140f831ddd180861481c9531aa6859c56503e77d29d00439c1e71c5b93e01e1a

**SSDEEP:** 3072:oCc99moUMXv84IHesgkSx+oN/7KzTKDyOX6wKamrJPlM8dj09br:oCc9wHRtg9xkNq6wK7dq40

**Mutex:** Global\57E6EA0F-4648-EF95-9F98-C3221B4D31F9

**Registry Keys:**

- HKLM\SOFTWARE\Facebook_Assistant\s17
- HKLM\SOFTWARE\Facebook_Assistant\JYhB
- HKLM\SOFTWARE\Facebook_Assistant\jH5dJ
- HKLM\SOFTWARE\Facebook_Assistant\nsWSeU
- HKLM\SOFTWARE\Facebook_Assistant\CSGtvzp
- HKLM\SOFTWARE\Facebook_Assistant\cDQ1QZoS

**Sodinokibi Actor ID:** $2a$10$D/hOr8pZfTXyeVodyREcseBOlXf2dcLmqmQJTa4y2uSfGkhEZXq62

**Sodinokibi Campaign ID:** 4430

**Public Encryption Key (base64 encoded):** 5OflM/v+EILgBXm+0q5qAVIHbpAd3zVkD2aFdBKJe0g=

**C2 Servers:** Please find the list here: [https://pastebin.com/nf0i13zc](https://pastebin.com/nf0i13zc)

[1] [https://malpedia.caad.fkie.fraunhofer.de/actor/pinchy_spider](https://malpedia.caad.fkie.fraunhofer.de/actor/pinchy_spider)

[2] [https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-localalloc](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-localalloc)

[3] [https://www.cvedetails.com/cve/CVE-2018-8453](https://www.cvedetails.com/cve/CVE-2018-8453)

[4] [http://www.alex-ionescu.com/?p=300](http://www.alex-ionescu.com/?p=300)

[5] [https://docs.microsoft.com/en-us/windows/win32/intl/language-identifier-constants-and-strings](https://docs.microsoft.com/en-us/windows/win32/intl/language-identifier-constants-and-strings)