Sodinokibi\REvil Ransomware attacks against the Education Sector
www.areteir.com

Executive Summary

Since January 2020, the Arete IR practice has responded to forty-one (41) Sodinokibi engagements. The industry has seen two big changes with Sodinokibi/REvil: their shift to exfiltrating data as of January 2020 and, more recently, their move to accepting payments only in Monero cryptocurrency (XMR). Recently our IR practice responded to a Sodinokibi/REvil engagement in which we dug into the ransomware itself, and this article is meant to provide information on the ransomware behavior observed during the engagement. Our intention is to summarize some of the high-level information on Sodinokibi/REvil for general awareness, as well as to provide a technical overview with behavioral indicators back to the community to help network defenders become more familiar with this threat.
Background

Sodinokibi has been around since April 2019 and is distributed via a ransomware-as-a-service (RaaS) model, which mirrors the software-as-a-service (SaaS) model offered by legitimate vendors. Like SaaS, RaaS is offered via cloud-based subscription models for a subscription fee, and several RaaS groups use a partner- or franchise-like structure. In this structure the RaaS operator keeps a percentage commission from every victim infected through their partners and pays the rest of the extorted funds to the partner or “franchise owner.” What makes the RaaS model so appealing and lucrative is that the variants are specifically built to be easy to use and deploy. Typically, RaaS variants employ a portal where the partner only needs to download the ransomware, with no development or coding skills required. Most RaaS models, and Sodinokibi/REvil in particular, even provide a fully staffed technical and customer support service, like you would find with a legitimate SaaS offering. The support is meant to help the franchise owner or partner get their ransomware campaign off the ground.
There are several excellent blogs that have been written on Sodinokibi, so we will not delve into the history or any specifics here. Sodinokibi has multiple infection vectors, which include exploiting known security vulnerabilities and phishing campaigns. However, in 50% of the Sodinokibi engagements Arete has responded to since January 2020, the initial vector has been internet-exposed Remote Access Services. Starting in January 2020, Sodinokibi started to publish stolen data for the first time, following the likes of Maze and DoppelPaymer. Of the 41 Sodinokibi engagements Arete has responded to in 2020 so far, only two involved exfiltrated data being published. This second form of extortion acts as an insurance policy for the ransom demand, meaning victims must consider paying the ransom even if they do not need a decryption key to recover the data. In many cases, when the ransom is not paid, the threat actors will threaten to leak stolen data. Recently, the operators added a new “Auction” tab to their data exfil site to auction valuable data from victims that decide not to make the ransom payment. Figure 1 shows an example of their auction site:
Figure 1. Sodinokibi auction site with victim information
Arete IR has handled multiple cases in which the threat actors behind Sodinokibi have not threatened the client with releasing data. In these cases, the forensics investigation performed by Arete did not reveal artifacts indicating that data exfiltration had occurred.
Sodinokibi High-level Technical Overview

In May 2020, researchers in the community shared information about Sodinokibi v.2.2. This version uses the Windows Restart Manager to terminate processes and services that can lock files targeted for encryption. Its decryptor is also said to leverage the Windows Restart Manager API to shut down any process that could prevent a file from being decrypted.
Sodinokibi is known to:
• Exfiltrate basic host information (malware version, actor ID, campaign ID, attacker’s public key, victim UID, victim’s private key, username, computer name, TCP/IP domain, OS language, CPU architecture, disk free space, and file extension for encrypted files)
• Exploit the CVE-2018-8453 vulnerability to elevate privileges
• Terminate blacklisted processes and services prior to encryption to eliminate resource conflicts
• Wipe the contents of blacklisted folders
• Encrypt non-whitelisted files and folders on local storage devices and network shares
• Obfuscate Command & Control (C2) via a large domain list (1,225 domains)
Deep Dive Technical Analysis

During the investigation performed by our Digital Forensics & Incident Response (DFIR) team, it was discovered that the threat actor performed reconnaissance of the victim network, harvested credentials using Mimikatz, and subsequently deployed the ransomware using PsExec.
The analysis revealed that a malicious mmi.zip file was created in the C:\Users\Administrator\Videos\ directory. This archive was extracted to a NEW MMI sub-directory. The archive contained batch scripts, visual basic scripts, Mimikatz, and the NirSoft password recovery utilities. Other tools found in the Videos directory were the Advanced Port Scanner application, and the PsTools package from Windows Sysinternals. The threat actor also used the C:\folder directory to store the Sodinokibi ransomware, a batch script to clear event logs, a batch script to delete volume shadow copies, and an application to scan the network and mount shared folders as drives.
Information about the batch scripts discovered:
• C:\folder\Shadow.bat
Used to delete Volume Shadow Copies with the following command:
vssadmin delete shadows /all
• C:\folder\LogDelete.bat
Used to clear the event logs with the WEVTUTIL system utility. The batch file lists the event logs and then clears each of them through the execution of the following command:
FOR /F "delims=" %%I IN ('WEVTUTIL EL') DO (WEVTUTIL CL "%%I")
• C:\Users\Administrator\Videos\PSTools\1.bat
Used to create a firewall exception to allow Remote Desktop communication on TCP port 3389 and enable Terminal Services through the execution of the following commands:
netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The C:\folder\ns.exe file contained an application that appears to have capabilities to scan the network for shared folders and unmounted drives and to mount them as drives. Since Sodinokibi encrypts shared drives, mounting these folders facilitates their encryption and expands the attacker's damage to the network. From this point on, we will focus on the Sodinokibi ransomware found at C:\folder\plusnew.exe. The following are its file characteristics:
File Name: plusnew.exe
File Size: 116736 bytes
MD5: 9141ce187f33a1a0bc6cf310a508c0af
SHA1: 7e7831ecad7448273931017ec5c8e5d85eccc705
SHA256: 8ff6b978077a7342464d84e2ddbeb558985545980b058f5bda064de852f8d928
FUZZY: 1536:TEm1ZuWgn3rXTQjC5OPHvNl07xpr2ZznICS4ACF7iqtkoqcOeA/wt/8F:jgnvQn/07TX4F7iayH/wNa
PE Time: 0x5E7DEFF0 [Fri Mar 27 12:22:08 2020 UTC]
Sections (5):
Name       Entropy   MD5
.text      6.52      731bcff9a662feb59a487f092b2f3a31
.rdata     7.89      8a765ddd2ea4300590faf7b525e4433c
.data      7.63      1231ff85541c8230832e1fdf875fdd6d
.sw95jmu   5.49      729e4644a36738c3fefeb3b3129113b2
.reloc     6.66      ff773e145db39aba973aa197638a55f9
VirusTotal antivirus detections for the Sodinokibi case malware at the time of analysis are displayed in Table 1:
Tool                      Detection
SentinelOne (Static ML)   DFI – Malicious PE
Microsoft                 Ransom:Win32/Sodinokibi.S!MSR
Symantec                  Ransom.Sodinokibi
McAfee                    Ransom.Sodinokibi!9141CE187F33
Malwarebytes              Ransom.Sodinokibi
CrowdStrike Falcon        Win/malicious_confidence_100% (D)
Cylance                   Unsafe
Endgame                   Malicious (high Confidence)
FireEye                   Generic.mg.9141ce187f33a1a0
Cybereason                Malicious.87f33a
Palo Alto Networks        Not detected
Sophos                    Not detected
Table 1. Detections at VirusTotal with some antivirus tools
When the ransomware is executed in a controlled environment, it will:
• Add the following file extension to encrypted files: “.4g800kg”. Please note that with every execution of the malware the file extension and key change. During various executions the file extensions observed were “.p3u3a1”, “.5842iv”, etc.
• Create the ransom note with the following file name: 4g800kg-readme.txt. Please note that with every execution of the malware, the prefix of the ransom note file name changes together with the file extension
• Connect to shared drives and encrypt files
• Present the following onion website in the ransom note: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/[removed_by_analyst]
• Present the following secondary attacker’s website for communication: http://decryptor.cc/[removed_by_analyst]
• Create the following mutex value: BF04938C-332C-183A-3815-38D442774906
• Change the desktop wallpaper to a picture which states: “All of your files are encrypted! Find 4g800kg-readme.txt and follow instructions”
• Create a registry key to store data: “HKLM\SOFTWARE\GitForWindows”. One of the values in the key contains the file extension the malware adds to encrypted files. In the past, other companies have observed the “SOFTWARE\recfg” key being created
• Utilize the following registry key for persistence: Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Value name: 6tdi0IHKR7, Value data: C:\[path_to_malware]\plusnew.exe
• Contain a list of 1,225 domains in its JSON configuration
• Try to connect to the domains configured in the malware with standard SSL over port 443
• Kill, but not delete, itself
During execution, the ransomware started the following PowerShell process with an encoded Base64 string to delete volume shadow copies:
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
The above Base64 string decodes to:
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
The malware stores data in the following registry key: “HKLM\SOFTWARE\GitForWindows”. Figure 2 shows a screenshot of registry values created by Sodinokibi:
Figure 2. Registry key and values created by Sodinokibi
It also entrenched in the system for persistence in the following registry run key:
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: 6tdi0IHKR7
Value: C:\[path_to_malware]\plusnew.exe
To alert the user of the infection, the malware changes the Desktop wallpaper, making the following registry key modification:
Key: HKEY_CURRENT_USER\Control Panel\Desktop\
Name: Wallpaper
Value: C:\Users\%USERNAME%\AppData\Local\Temp\x1sjhv3y6pd0.bmp
Figure 3 shows a screenshot of the desktop wallpaper displayed:
Figure 3. Desktop wallpaper created and displayed after the infection
The “4g800kg-readme.txt” file contains the following ransom note, displayed in Figure 4:
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can
check it: all files on your system has extension 5842iv.
By the way, everything is possible to recover (restore), but you
need to follow our instructions. Otherwise, you cant return
your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and
your deals, except getting benefits. If we do not do our work
and liabilities – nobody will not cooperate with us. Its not in
our interests.
To check the ability of returning files, You should go to our
website. There you can decrypt one file for free. That is our
guarantee.
If you will not cooperate with our service – for us, its does not
matter. But you will lose your time and data, cause just we
have the private key. In practice – time is much more valuable
than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/[removed_by_analyst]
2) If TOR blocked in your country, try to use VPN! But you can
use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/[removed_by_analyst]
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions – its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
Figure 4. Ransom note
The following screenshot in Figure 5 captures the victim system beaconing out to some of the domains in the configuration in the malware:
Figure 5. Wireshark screenshot capturing Sodinokibi domain requests
Once a DNS response is received, the malware will try to establish a connection over standard SSL on port 443. Here is a sample of some of the URLs found in the memory of the victim system:
• https://wacochamber . com/wp-content/graphic/nwfwzdev.jpg
• https://the-virtualizer . com/wp-content/temp/olihviuz.jpg
• https://www1.proresult . no/include/tmp/qq.jpg
• https://kosterra . com/admin/image/kbuhalnn.jpg
• https://beyondmarcomdotcom.wordpress . com/wp-content/graphic/mvvs.gif
• https://thomasvicino . com/admin/pics/cywd.jpg
• https://iyahayki . nl/admin/pictures/da.jpg
OSINT reporting reveals that the URL is created based on this format:
https://<domain_from_config>/<list1>/<list2>/<random_string>.<list3>
where list1, list2, and list3 could contain the following values as displayed in Table 2:
List 1   wp-content, static, content, include, uploads, news, data, admin
List 2   images, pictures, image, temp, tmp, graphic, assets, pics, games
List 3   jpg, png, gif
Table 2. Sodinokibi known URL values
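The URL format and the Table 2 vocabulary are specific enough to be checked mechanically. The following Python is an added example, not code from the report: it tests whether a URL has the https://<domain>/<list1>/<list2>/<random_string>.<list3> shape, whether its host is in the configuration's domain list, and runs both checks over a few proxy log lines. The refang helper undoes the " . " defanging used in the list above so the report's own URLs can be fed in. The domain excerpt and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Path vocabulary from Table 2.
LIST1 = {"wp-content", "static", "content", "include", "uploads", "news", "data", "admin"}
LIST2 = {"images", "pictures", "image", "temp", "tmp", "graphic", "assets", "pics", "games"}
LIST3 = {"jpg", "png", "gif"}

# Constructed excerpt of the configuration's "dmn" list (the real list has 1,225 entries).
CONFIG_DOMAINS = {
    "wacochamber.com", "the-virtualizer.com", "www1.proresult.no", "kosterra.com", "takeflat.com",
}

# Constructed proxy log lines: the first four carry URLs quoted in the report, the
# fifth is a benign WordPress image and the sixth a bare visit to a listed domain.
SAMPLE_PROXY_LOG = [
    "2020-03-27T12:35:02 10.0.0.15 CONNECT https://wacochamber.com/wp-content/graphic/nwfwzdev.jpg",
    "2020-03-27T12:35:03 10.0.0.15 CONNECT https://the-virtualizer.com/wp-content/temp/olihviuz.jpg",
    "2020-03-27T12:35:04 10.0.0.15 CONNECT https://www1.proresult.no/include/tmp/qq.jpg",
    "2020-03-27T12:35:05 10.0.0.15 CONNECT https://kosterra.com/admin/image/kbuhalnn.jpg",
    "2020-03-27T12:36:00 10.0.0.22 CONNECT https://example.com/wp-content/uploads/2020/03/banner.jpg",
    "2020-03-27T12:36:30 10.0.0.22 CONNECT https://takeflat.com/",
]

RANDOM_NAME = re.compile(r"^[a-z0-9]+$")   # the observed <random_string> values are lowercase alphanumerics
URL_IN_LINE = re.compile(r"https?://\S+")


def refang(defanged):
    """Undo the ' . ' defanging used in the report so a URL can be parsed."""
    return defanged.replace(" . ", ".")


def matches_revil_url_pattern(url):
    """True if url is https://<host>/<list1>/<list2>/<random_string>.<list3>."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    segments = [s for s in parsed.path.split("/") if s]
    if len(segments) != 3:
        return False
    first, second, leaf = segments
    name, dot, ext = leaf.rpartition(".")
    return (first in LIST1 and second in LIST2 and dot == "."
            and ext in LIST3 and RANDOM_NAME.match(name) is not None)


def is_config_domain(host, domains):
    """True if host is, or is a subdomain of, a configured C2 domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def verdict(url, domains):
    """Classify one URL; None means nothing about it matches the REvil indicators."""
    known = is_config_domain(urlparse(url).hostname or "", domains)
    pattern = matches_revil_url_pattern(url)
    if known and pattern:
        return "known_domain+pattern"
    if pattern:
        return "pattern_only"
    if known:
        return "known_domain_only"
    return None


def scan_proxy_log(lines, domains):
    """Return (url, verdict) for every log line whose URL gets a verdict."""
    hits = []
    for line in lines:
        m = URL_IN_LINE.search(line)
        if not m:
            continue
        v = verdict(m.group(0), domains)
        if v:
            hits.append((m.group(0), v))
    return hits


if __name__ == "__main__":
    for url, v in scan_proxy_log(SAMPLE_PROXY_LOG, CONFIG_DOMAINS):
        print(f"{v:22} {url}")
```

The path check on its own will also match legitimate WordPress traffic that happens to use a three-segment path from the vocabulary, so a "pattern_only" verdict is a hunting lead rather than an alert; the combination with a configured domain is the strong signal.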
During the analysis, our threat researchers were able to extract the malware configuration information. Before presenting the configuration, it is useful to summarize what public reports have uncovered about the configuration fields. This is displayed in Table 3:
Key      Description
prc      An array of strings representing process names that REvil attempts to terminate prior to encrypting and/or wiping folders, to prevent resource conflicts
sub      Integer value that is only referenced when sending basic host and malware information to the C2 server if configured to do so via the net key; likely associated with the pid config key and could be a campaign or affiliate identifier
svc      List of services to terminate
wht      Contains the following subkeys representing whitelisted values that REvil will not encrypt: ext (whitelisted file extensions), fld (whitelisted folder names), fls (explicit whitelisted filenames)
img      Base64-encoded text that the malware displays in the desktop wallpaper image (decoded in Table 4)
dmn      Semicolon-delimited list of fully qualified domain names that represent REvil command and control (C2) servers
dbg      True/false value used by the malware author during development (referenced only when determining if the victim is Russian)
pid      Integer value that is only referenced if the net key is set to send basic host and malware information to the C2 server; likely associated with the sub key and could be a campaign or affiliate identifier
nbody    Base64-encoded value of the ransomware note text dropped in folders where files were encrypted
et       Digit value. Unknown purpose
wipe     True/false value that determines if REvil attempts to wipe blacklisted folders specified in the wfld key
wfld     An array of strings representing blacklisted folder name values; if the wipe key is configured, then REvil attempts to delete (wipe) these folders prior to encrypting
nname    Filename string of the ransomware note dropped in folders where files were encrypted
pk       Base64-encoded value representing the attacker’s public key used to encrypt files
net      True/false value that determines if REvil should attempt to exfiltrate basic host and malware information to the configured C2 servers listed in the dmn key
exp      True/false value that determines if REvil should attempt to elevate privileges by exploiting a local privilege escalation (LPE) vulnerability
Table 3. Sodinokibi JSON config field descriptions
The Sodinokibi configuration discovered by our malware reverse engineers when examining the case ransomware is presented in Figure 6:
{
  "prc": ["wordpad", "tbirdconfig", "onenote", "infopath", "synctime", "outlook", "encsvc", "firefox", "steam", "ocautoupds", "ocssd", "mydesktopqos", "powerpnt", "mspub", "dbeng50", "mydesktopservice", "dbsnmp", "thebat", "sql", "visio", "xfssvccon", "ocomm", "isqlplussvc", "winword", "oracle", "msaccess", "sqbcoreservice", "excel", "agntsvc", "thunderbird"],
  "sub": "3811",
  "svc": ["vss", "sophos", "memtas", "sql", "backup", "mepocs", "svc$", "veeam"],
  "wht": {
    "ext": ["com", "ani", "themepack", "msc", "icns", "rtp", "ico", "scr", "ps1", "idx", "mod", "shs", "icl", "bin", "msu", "cpl", "ocx", "prf", "lock", "nomedia", "hlp", "rom", "msp", "diagcfg", "bat", "ics", "adv", "deskthemepack", "key", "cur", "mpa", "386", "diagcab", "cmd", "sys", "theme", "spl", "lnk", "nls", "hta", "diagpkg", "cab", "ldf", "msstyles", "wpx", "exe", "dll", "msi", "drv"],
    "fls": ["ntuser.dat", "ntuser.ini", "ntldr", "autorun.inf", "desktop.ini", "bootfont.bin", "ntuser.dat.log", "thumbs.db", "boot.ini", "iconcache.db", "bootsect.bak"],
    "fld": ["windows.old", "system volume information", "boot", "tor browser", "$windows.~ws", "msocache", "programdata", "appdata", "perflogs", "intel", "$windows.~bt", "google", "program files (x86)", "application data", "$recycle.bin", "mozilla", "program files"]
  },
  "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA",
  "dmn": "takeflat.com;highlinesouthasc.com;TRUNCATED_BY_ANALYST;extraordinaryoutdoors.com",
  "dbg": false,
  "pid": "$2a$10$AsFfeiRtA/V.Gof8dZdgsukIVT7uopJBjeNiCZQvEZTfEc.v0bkRC",
  "nbody": "LQAtAC0APQA9AD0_TRUNCATED_BY_ANALYST_CAAIQAhACEAAAA=",
  "et": 1,
  "wipe": false,
  "wfld": ["backup"],
  "nname": "{EXT}-readme.txt",
  "pk": "lY7iTODWrjbuZu4T2jCLmSwhDcKH7sBW8xKDYXXtj1c=",
  "net": true,
  "exp": false,
  "arn": true
}
Looking at the above malware config we can observe the following:
• Processes to be terminated (‘prc’ field): wordpad, tbirdconfig, onenote, infopath, synctime, outlook, encsvc, firefox, steam, ocautoupds, ocssd, mydesktopqos, powerpnt, mspub, dbeng50, mydesktopservice, dbsnmp, thebat, sql, visio, xfssvccon, ocomm, isqlplussvc, winword, oracle, msaccess, sqbcoreservice, excel, agntsvc, thunderbird
• Services to be terminated if their names contain these strings (‘svc’ field): vss, sophos, memtas, sql, backup, mepocs, svc$, veeam
• Whitelisted file extensions (‘wht->ext’ field): com, ani, themepack, msc, icns, rtp, ico, scr, ps1, idx, mod, shs, icl, bin, msu, cpl, ocx, prf, lock, nomedia, hlp, rom, msp, diagcfg, bat, ics, adv, deskthemepack, key, cur, mpa, 386, diagcab, cmd, sys, theme, spl, lnk, nls, hta, diagpkg, cab, ldf, msstyles, wpx, exe, dll, msi, drv
• Whitelisted file names (‘wht->fls’ field): ntuser.dat, ntuser.ini, ntldr, autorun.inf, desktop.ini, bootfont.bin, ntuser.dat.log, thumbs.db, boot.ini, iconcache.db, bootsect.bak
• Whitelisted folders (‘wht->fld’ field): $windows.~ws, msocache, programdata, appdata, perflogs, intel, $windows.~bt, google, program files (x86), application data, $recycle.bin, mozilla, program files
• Configured to exfiltrate basic victim system and malware information (‘net’ field): “net”: true
• Configured to implement persistence in the system (‘arn’ field): “arn”: true
• The “img” field contains the following data:
Base64 encoded string: QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA
Decoded string:
All of your files are encrypted!
Find {EXT}-readme.txt and follow instuctions
Table 4. Base64 decoded string of data in the “img” field
• The “nbody” field contains the following data:
Base64 encoded string: LQAtAC0APQA9AD0AIAB_TRUNCATED_BY_ANALYST_HIAZgBlAHIAZQAuAA0ACgAhACEAIQAgACEAIQAhACAAIQAhACEAAAA=
Decoded string:
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/{UID}
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
{KEY}
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
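The configuration in Figure 6 and the decoded img and nbody fields above can be processed programmatically rather than by hand. The following Python is an added example, not code from the report or from the malware: it loads a shortened copy of the Figure 6 configuration (the prc and wht lists are cut to a few entries and the analyst's truncation markers are kept as they appear in the report), decodes the UTF-16LE base64 text fields, returns None for the truncated nbody instead of failing on it, splits the dmn list into blockable domains, and turns the nname template into a pattern that matches ransom note names such as 4g800kg-readme.txt. The field names are those of Table 3; the function names are the example's own.

```python
import base64
import json
import re

# Shortened, constructed copy of the Figure 6 configuration. "prc" and "wht" are
# cut to a few entries; "dmn" and "nbody" keep the report's truncation markers.
SAMPLE_CONFIG = r'''
{
  "prc": ["outlook", "sql", "winword", "excel", "thunderbird"],
  "sub": "3811",
  "svc": ["vss", "sophos", "memtas", "sql", "backup", "mepocs", "svc$", "veeam"],
  "wht": {"ext": ["exe", "dll", "sys"], "fls": ["ntuser.dat", "boot.ini"],
          "fld": ["windows.old", "program files"]},
  "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA",
  "dmn": "takeflat.com;highlinesouthasc.com;TRUNCATED_BY_ANALYST;extraordinaryoutdoors.com",
  "dbg": false,
  "pid": "$2a$10$AsFfeiRtA/V.Gof8dZdgsukIVT7uopJBjeNiCZQvEZTfEc.v0bkRC",
  "nbody": "LQAtAC0APQA9AD0_TRUNCATED_BY_ANALYST_CAAIQAhACEAAAA=",
  "et": 1,
  "wipe": false,
  "wfld": ["backup"],
  "nname": "{EXT}-readme.txt",
  "pk": "lY7iTODWrjbuZu4T2jCLmSwhDcKH7sBW8xKDYXXtj1c=",
  "net": true,
  "exp": false,
  "arn": true
}
'''

TRUNCATION_MARKER = "TRUNCATED_BY_ANALYST"   # placeholder used in the report, not malware data


def decode_utf16_field(value):
    """Decode a base64 field holding UTF-16LE text (img, nbody) and drop the
    trailing NUL. Returns None when the value is not valid base64, which is
    what happens with the truncated nbody in the report."""
    try:
        raw = base64.b64decode(value, validate=True)
        return raw.decode("utf-16-le").rstrip("\x00")
    except (ValueError, UnicodeDecodeError):
        return None


def note_name_pattern(nname):
    """Turn the nname template into a regex; {EXT} is the per-run extension
    (e.g. 4g800kg), observed as lowercase alphanumerics."""
    parts = re.split(r"(\{EXT\})", nname)
    return re.compile("".join("[a-z0-9]+" if p == "{EXT}" else re.escape(p) for p in parts))


def parse_revil_config(text):
    """Reduce a REvil JSON config to the facts a defender acts on."""
    cfg = json.loads(text)
    domains = [d for d in cfg.get("dmn", "").split(";") if d and TRUNCATION_MARKER not in d]
    return {
        "c2_domains": domains,
        "exfil": bool(cfg.get("net")),             # host info sent to the dmn domains
        "lpe": bool(cfg.get("exp")),               # tries a local privilege escalation
        "persistence": bool(cfg.get("arn")),       # Run-key persistence
        "wipe_folders": cfg.get("wfld", []) if cfg.get("wipe") else [],
        "kill_processes": cfg.get("prc", []),
        "kill_services": cfg.get("svc", []),
        "skip_extensions": set(cfg.get("wht", {}).get("ext", [])),
        "note_name": cfg.get("nname"),
        "wallpaper_text": decode_utf16_field(cfg.get("img", "")),
        "note_text": decode_utf16_field(cfg.get("nbody", "")),
        "public_key_bytes": len(base64.b64decode(cfg.get("pk", ""))),
    }


if __name__ == "__main__":
    summary = parse_revil_config(SAMPLE_CONFIG)
    for key, value in summary.items():
        print(f"{key}: {value!r}")
    print("note name pattern:", note_name_pattern(summary["note_name"]).pattern)
```

The c2_domains list is what feeds a firewall or DNS blocklist, the note name pattern is what a file-creation rule keys on (the prefix changes every run, so the literal name 4g800kg-readme.txt would miss the next execution), and the 32-byte public key length is consistent with a Curve25519-style key, which is consistent with the per-run key the report describes but is not something the report states.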
Recommendations
• Install an Endpoint Detection and Response (EDR) solution with the capability to halt detected processes and isolate systems on the network, based on identified conditions
• Mandate a forensics examination to identify the root cause of the incident.
• Understanding the root cause of the incident, i.e. how the threat actor was able to gain access to the infrastructure, is important to prevent future incidents through the same attack vector
• Block any known attacker C2s in the firewall
• Perform a global password reset. It is known that threat actors operating these ransomware families obtain system credentials
• Implement a system-enforced password policy to force users to change passwords at least every 90 days
• Implement multifactor authentication (MFA)
• If not needed, eliminate vulnerable RDP ports exposed to the internet
• Block a high number of SMB connection attempts from one system to others in the network over a short period of time
• Perform dark web monitoring periodically to verify whether data from the organization is available for sale on the black market
• Perform penetration tests
• Periodically patch systems and update tools
• Monitor connections to the network from suspicious locations
• Monitor downloads/uploads of files to file sharing services during non-standard hours, to services not commonly used in the organization, etc.
• Monitor uploads of files from Domain Controllers to the internet
• Monitor network scans from uncommon servers (e.g. RDP server)
Summary of Indicators
Indicator | Type | Description
9141ce187f33a1a0bc6cf310a508c0af | MD5 | plusnew.exe
8ff6b978077a7342464d84e2ddbeb558985545980b058f5bda064de852f8d928 | SHA256 | plusnew.exe
9cd25cee26f115876f1592dcc63cc650 | MD5 | mimikatz.exe
ece23612029589623e0ae27da942440a9b0a9cd4f9681ec866613e64a247969d | SHA256 | mimikatz.exe
597de376b1f80c06d501415dd973dcec | MD5 | ns.exe
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446 | SHA256 | ns.exe
6a58b52b184715583cda792b56a0a1ed | MD5 | Advanced_Port_Scanner_2.5.3869.exe
d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb | SHA256 | Advanced_Port_Scanner_2.5.3869.exe
7432ee19084a86a82c6b62408dadd32f | MD5 | netscanner.exe
a6ae9d94bde897bf7209276357d016cbb872e172666ca3ff204220c3fd3bb570 | SHA256 | netscanner.exe
C:\folder\plusnew.exe | File | Sodinokibi\REvil
{EXT}-readme.txt | File | Sodinokibi\REvil ransom note file format
C:\Users\Administrator\Videos\mmi.zip | File | Archive with threat actor tools
C:\Users\Administrator\Videos\NEW MMI\mimikatz\ | Directory | Directory with Mimikatz
C:\Users\Administrator\Videos\NEW MMI\passrecpk\ | Directory | Directory with NirSoft Password Recovery tools
C:\Users\Administrator\Videos\Advanced_Port_Scanner_2.5.3869.exe | File | Advanced Port Scanner v.2.5.3869 application
C:\Users\Administrator\Videos\PSTools.zip | File | Windows Sysinternals PsTools package
C:\Users\Administrator\Videos\netscanner.exe | File | MiTeC Network Scanner
C:\Users\Administrator\Videos\PSTools\PsExec.exe | File | Windows Sysinternals PsExec tool
C:\folder\Shadow.bat | File | Batch script to delete Volume Shadow Copies
C:\folder\LogDelete.bat | File | Batch script to clear the Windows Event logs
C:\folder\ns.exe | File | Application that appears to have capabilities to scan the network for shared folders and unmounted drives to mount them as drives
C:\Users\Administrator\Videos\PSTools\1.bat | File | Batch script to open TCP port 3389 through the firewall for connections, and to enable Terminal Services
HKEY_LOCAL_MACHINE\SOFTWARE\GitForWindows | Registry | Sodinokibi config registry key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6tdi0IHKR7 | Registry | Sodinokibi persistence registry key
HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper = C:\Users\%USERNAME%\AppData\Local\Temp\x1sjhv3y6pd0.bmp | Registry | Sodinokibi wallpaper image
BF04938C-332C-183A-3815-38D442774906 | Mutex | Sodinokibi mutex name
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/[removed_by_analyst] | URL | TOR onion address
http://decryptor.cc/[removed_by_analyst] | URL | Secondary attacker’s communication site
Domain indicators from the Sodinokibi JSON config
takeflat . com shiftinspiration . com henricekupper . com ftlc . es ralister . co . uk
highlinesouthasc . com ulyssemarketing . com answerstest . ru simoneblum . de slimidealherbal . com
iviaggisonciliegie . it starsarecircular . org senson . fi triggi . de kariokids . com
zflas . com walkingdeadnj . com mastertechengineering . com
flexicloud . hk artotelamsterdam . com
norovirus-ratgeber . de mepavex . nl innote . fi jakekozmor . com webmaster-peloton . com
entopic . com lbcframingelectrical . com
nestor-swiss . ch bingonearme . org sportiomsportfondsen . nl
frontierweldingllc . com
facettenreich27 . de compliancesolutions-strategies . com
porno-gringo . com ftf . or . at
simpliza . com pcprofessor . com pv-design . de abogadoengijon . es sanaia . com
allure-cosmetics . at verifort-capital . de hexcreatives . co pmc-services . de centuryrs . com
osterberg . fi polzine . net ymca-cw . org . uk coffreo . biz tuuliautio . fi
samnewbyjax . com airconditioning-waalwijk . nl
deko4you . at chrissieperry . com tigsltd . com
heidelbergartstudio . gallery
nataschawessels . com pogypneu . sk destinationclients . fr higadograsoweb . com
solerluethi-allart . ch aminaboutique247 . com
2ekeus . nl spd-ehningen . de autodemontagenijmegen . nl
softsproductkey . com celeclub . org punchbaby . com bargningharnosand . se
woodworkersolution . com
bordercollie-nim . nl antonmack . de cleliaekiko . online familypark40 . com symphonyenvironmental . com
onlybacklink . com freie-gewerkschaften . de
bouquet-de-roses . com
4net . guru faizanullah . com
tradiematepro . com . au
ecoledansemulhouse . fr
twohourswithlena . wordpress . com
corona-handles . com rostoncastings . co . uk
dekkinngay . com oldschoolfun . net tongdaifpthaiphong . net
abl1 . net hashkasolutindo . com
accountancywijchen . nl
pay4essays . net c2e-poitiers . com sevenadvertising . com coding-machine . com
handi-jack-llc . com appsformacpc . com blog . solutionsarchitect . guru
DupontSellsHomes . com
kadesignandbuild . co . uk
rimborsobancario . net newyou . at forestlakeuca . org . au buymedical . biz xoabigail . com
smejump . co . th danholzmann . com proudground . org backstreetpub . com psa-sec . de
blossombeyond50 . com
fayrecreations . com parebrise-tla . fr behavioralmedicine-specialists . com
vibehouse . rw
foryourhealth . live zenderthelender . com danielblum . info testcoreprohealthuk . com
pomodori-pizzeria . de
jbbjw . com tanzprojekt . com directwindowco . com paymybill . guru mirkoreisser . de
thenewrejuveme . com cursosgratuitosnainternet . com
yassir . pro lubetkinmediacompanies . com
ai-spt . jp
urist-bogatyr . ru kojima-shihou . com sw1m . ru muamuadolls . com edrcreditservices . nl
theshungiteexperience . com . au
lightair . com journeybacktolife . com babcockchurch . org digi-talents . com
quemargrasa . net physiofischer . de falcou . fr refluxreducer . com bradynursery . com
bastutunnan . se rksbusiness . com hellohope . com bimnapratica . com logopaedie-blomberg . de
supportsumba . nl mindpackstudios . com
maineemployment-lawyerblog . com
zweerscreatives . nl boisehosting . net
herbayupro . com ncid . bc . ca cuspdental . com hihaho . com bargningavesta . se
allamatberedare . se deltacleta . cat corendonhotels . com sairaku . net baustb . de
craigvalentineacademy . com
mrsplans . net commonground-stories . com
insigniapmg . com elimchan . com
iyengaryogacharlotte . com
truenyc . co hvccfloorcare . com gasbarre . com smartypractice . com
pivoineetc . fr fensterbau-ziegler . de lecantou-coworking . com
aco-media . nl brevitempore . net
jenniferandersonwriter . com
cerebralforce . net ventti . com . ar exenberger . at linnankellari . fi
smessier . com 1team . es tandartspraktijkhartjegroningen . nl
sofavietxinh . com body-armour . online
mdk-mediadesign . de patrickfoundation . net catholicmusicfest . com
danubecloud . com antenanavi . com
kenhnoithatgo . com kingfamily . construction
promalaga . es 101gowrie . com consultaractadenacimiento . com
people-biz . com caribbeansunpoker . com
dushka . ua carolinepenn . com atalent . fi
d2marketing . co . uk praxis-management-plus . de
asteriag . com westdeptfordbuyrite . com
aselbermachen . com
girlillamarketing . com ivivo . es artallnightdc . com withahmed . com manutouchmassage . com
ladelirante . fr kaminscy . com groupe-cets . com baptisttabernacle . com
homecomingstudio . com
mylovelybluesky . com vickiegrayimages . com
spargel-kochen . de smogathon . com chavesdoareeiro . com
live-con-arte . de pawsuppetlovers . com seitzdruck . com bloggyboulga . net mdacares . com
philippedebroca . com centrospgolega . com plantag . de interactcenter . org bundabergeyeclinic . com . au
kamienny-dywan24 . pl kaliber . co . jp delchacay . com . ar spectrmash . ru iwr . nl
analiticapublica . es gamesboard . info abuelos . com dr-tremel-rednitzhembach . de
peterstrobos . com
mediaclan . info maratonaclubedeportugal . com
resortmtn . com mikeramirezcpa . com herbstfeststaefa . ch
securityfmm . com prochain-voyage . net alysonhoward . com darnallwellbeing . org . uk
nosuchthingasgovern-ment . com
sotsioloogia . ee micro-automation . de saarland-thermen-re-sort . com
greenko . pl seevilla-dr-sturm . at
dr-seleznev . com markelbroch . com diversiapsicologia . es puertamatic . es slupetzky . at
parking . netgateway . eu
nmiec . com ontrailsandboulevards . com
dutchcoder . nl lenreactiv-shop . ru
ecpmedia . vn theadventureedge . com
notsilentmd . org stoeferlehalle . de euro-trend . pl
schmalhorst . de havecamerawilltrav-el2017 . wordpress . com
knowledgemuseumbd . com
grupocarvalhoero-drigues . com . br
biapi-coaching . fr
kissit . ca bptdmaluku . com jiloc . com c-a . co . in camsadviser . com
lorenacarnero . com toponlinecasinosuk . co . uk
montrium . com petnest . ir bafuncs . org
baronloan . org stoneys . ch mrtour . site huesges-gruppe . de associacioesport-ivapolitg . cat
strategicstatements . com
imperfectstore . com bee4win . com theclubms . com mediaplayertest . net
campus2day . de stormwall . se tandartspraktijkheesch . nl
comarenterprises . com
operaslovakia . sk
www1 . proresult . no modestmanagement . com
simpkinsedwards . co . uk
lascuola . nl conexa4papers . trade
jolly-events . com haar-spange . com skanah . com mymoneyforex . com 35-40konkatsu . net
htchorst . nl lykkeliv . net burkert-ideenreich . de smalltownideamill . wordpress . com
basisschooldezonnewi-jzer . nl
marathonerpaolo . com
clos-galant . com personalenhance-mentcenter . com
berlin-bamboo-bikes . org
otsu-bon . com
you-bysia . com . au gporf . fr macabaneaupays-flechois . com
upplandsspar . se xlarge . at
chatizel-paysage . fr effortlesspromo . com offroadbeasts . com deepsouthclothing-company . com
thedresserie . com podsosnami . ru the-domain-trader . com
purposeadvisorsolu-tions . com
manijaipur . com
glennroberts . co . nz tux-espacios . com talentwunder . com tarotdeseidel . com scenepublique . net
smithmediastrategies . com
kostenlose-webcams . com
midmohandyman . com
aglend . com . au jameskibbie . com
tampaallen . com zzyjtsgls . com embracinghiscall . com
seproc . hn allfortheloveofyou . com
latribuessentielle . com
boompinoy . com boldcitydowntown . com
mir-na-iznanku . com sobreholanda . com
narcert . com gymnasedumanage-ment . com
bhwlawfirm . com penco . ie quickyfunds . com
pelorus . group stemplusacademy . com
cafemattmeera . com farhaani . com levihotelspa . fi
brigitte-erler . com zieglerbrothers . de noixdecocom . fr finediningweek . pl tetinfo . in
web . ion . ag kidbucketlist . com . au
teresianmedia . org ruralarcoiris . com easytrans . com . au
ditog . fr polymedia . dk ussmontanacommit-tee . us
stemenstilte . nl pointos . com
cursoporcelanatoliqui-do . online
mirjamholleman . nl charlesreger . com drfoyle . com vihannesporssi . fi
roadwarrior . app krlosdavid . com ampisolabergeggi . it vetapharma . fr mrxermon . de
richard-felix . co . uk zimmerei-deboer . de simplyblessedbykee-pingitreal . com
hypozentrum . com argos . wityu . fund
drnice . de makeurvoiceheard . com
lmtprovisions . com juneauopioidwork-group . org
myteamgenius . com
wacochamber . com d1franchise . com carriagehousesalonvt . com
yousay . site dramagickcom . word-press . com
chefdays . de mank . de adultgamezone . com ianaswanson . com 8449nohate . org
newstap . com . ng abogados-en-alicante . es
woodleyacademy . org gmto . fr parkcf . nl
extensionmaison . info villa-marrakesch . de theduke . de crowd-patch . co . uk classycurtainsltd . co . uk
rehabilitationcen-tersinhouston . net
lapinlviasennus . fi maryloutaylor . com katiekerr . co . uk cactusthebrand . com
sagadc . com happyeasterimages . org
ouryoungminds . wordpress . com
coding-marking . com ohidesign . com
em-gmbh . ch leather-factory . co . jp makeflowers . ru vyhino-zhulebino-24 . ru
mmgdouai . fr
figura . team tinkoff-mobayl . ru sportverein-tambach . de
imadarchid . com bigasgrup . com
naturalrapids . com latestmodsapks . com werkkring . nl autodujos . lt cwsitservices . co . uk
fibrofolliculoma . info cheminpsy . fr ccpbroadband . com norpol-yachting . com irishmachineryauc-tions . com
brawnmediany . com oneheartwarriors . at hmsdanmark . dk boosthybrid . com . au marietteaernoudts . nl
kosterra . com craftleathermnl . com financescorecard . com
webhostingsrbija . rs alsace-first . com
wychowanieprzedsz-kolne . pl
greenpark . ch craigmccabe . fun bestbet . com rebeccarisher . com
madinblack . com goodgirlrecovery . com
shhealthlaw . com employeesurveys . com
jyzdesign . com
toreria . es darrenkeslerministries . com
devlaur . com xn--logopdie-leverku-sen-kwb . de
rerekatu . com
centromarysalud . com
maasreusel . nl strandcampingdoon-beg . com
id-vet . com manifestinglab . com
pickanose . com rosavalamedahr . com beautychance . se braffinjurylawfirm . com
instatron . net
deschl . net licor43 . de michaelsmerigliorac-ing . com
spylista . com naturavetal . hr
plotlinecreative . com tomaso . gr pierrehale . com anthonystreetrim-ming . com
kevinjodea . com
raschlosser . de syndikat-asphaltfieber . de
oslomf . no ora-it . de enovos . de
the-virtualizer . com ctrler . cn garage-le-compte-rouen . fr
urmasiimariiuniri . ro bigbaguettes . eu
coastalbridgeadvisors . com
myhealth . net . au gopackapp . com dirittosanitario . biz socialonemedia . com
jobmap . at mooshine . com kao . at brandl-blumen . de space . ua
iqbalscientific . com seagatesthreecharters . com
vorotauu . ru webcodingstudio . com
bbsmobler . se
denifl-consulting . at lange . host smhydro . com . pl lescomtesdemean . be
naswrrg . org
thailandholic . com thaysa . com 321play . com . hk intecwi . com planchaavapor . net
blewback . com evologic-technologies . com
verbisonline . com memaag . com hebkft . hu
abogadosacciden-tetraficosevilla . es
tecnojobsnet . com selfoutlet . com kalkulator-oszczed-nosci . pl
xn--fn-kka . no
nachhilfe-unterricht . com
stingraybeach . com sachnendoc . com joyeriaorindia . com hoteledenpadova . it
meusharklinithome . wordpress . com
uranus . nl modamilyon . com real-estate-experts . com
boulder-welt-muenchen-west . de
rieed . de work2live . de pinkexcel . com balticdermatology . lt mooglee . com
upmrkt . co nancy-informatique . fr kunze-immobilien . de pferdebiester . de spinheal . ru
precisionbevel . com grelot-home . com launchhubl . com trapiantofue . it mbfagency . com
chaotrang . com noesis . tech caribdoctor . org baylegacy . com liikelataamo . fi
travelffeine . com conasmanagement . de
geekwork . pl andersongilmour . co . uk
geoffreymeuli . com
iphoneszervizbuda-pest . hu
fiscalsort . com shadebarandgrillorlan-do . com
leeuwardenstudentc-ity . nl
officehymy . com
controldekk . com sexandfessenjoon . wordpress . com
opatrovanie-ako . sk vloeren-nu . nl mountsoul . de
kirkepartner . dk vannesteconstruct . be gemeentehetkompas . nl
ivfminiua . com epwritescom . word-press . com
kojinsaisei . info insp . bi christinarebuffetcours-es . com
ilive . lt transliminaltribe . wordpress . com
portoesdofarrobo . com
worldhealthbasicinfo . com
waermetaus-cher-berechnen . de
rocketccw . com serce . info . pl
ncs-graphic-studio . com
videomarketing . pro cuppacap . com wurmpower . at huissier-creteil . com
judithjansen . com cimanchesterescorts . co . uk
harpershologram . wordpress . com
fitnessbazaar . com faroairporttransfers . net
charlottepoud-roux-photographie . fr
corelifenutrition . com vitalyscenter . es koko-nora . dk littlebird . salon
psnacademy . in love30-chanko . com xltyu . com nurturingwisdom . com
fax-payday-loans . com
mrsfieldskc . com courteney-cox . net bookspeopleplaces . com
oceanastudios . com aprepol . com
expandet . dk nsec . se internation-al-sound-awards . com
global-kids . info coursio . com
revezlimage . com antiaginghealthbene-fits . com
todocaracoles . com dontpassthepepper . com
joseconstela . com
zso-mannheim . de idemblogs . com paulisdogshop . de tastewilliamsburg . com
haremnick . com
vdberg-autoimport . nl otto-bollmann . de cyntox . com alvinschwartz . word-press . com
thefixhut . com
naturstein-hotte . de gantungankunciakri-likbandung . com
sporthamper . com tips . technology xn--thucmctc-13a1357egba . com
itelagen . com first-2-aid-u . com lachofikschiet . nl merzi . info highimpactoutdoors . net
fundaciongregal . org commercialboatbuild-ing . com
alten-mebel63 . ru crediacces . com platformier . com
unetica . fr rozemondcoaching . nl trackyourconstruction . com
schutting-info . nl abitur-undwieweiter . de
bayoga . co . uk hiddencitysecrets . com . au
kindersitze-vergleich . de
ziegler-praezision-steile . de
blogdecachorros . com
4youbeautysalon . com
tanzschule-kieber . de triactis . com citymax-cr . com noskierrenteria . com
1kbk . com . ua fitnessingbyjessica . com
thewellnessmimi . com
presseclub-magde-burg . de
12starhd . online
xn--fnsterputssollen-tuna-39b . se
daklesa . de victoriousfestival . co . uk
projetlyonturin . fr mountaintoptiny-homes . com
educar . org oemands . dk eaglemeetstiger . de xn--singlebrsen-ver-gleich-nec . com
ahouseforlease . com
parkstreetauto . net steampluscarpetand-floors . com
jasonbaileystudio . com
buroludo . nl testzandbakmet-mening . online
gratispresent . se parks-nuernberg . de filmvideoweb . com reddysbakery . com despedidascostablan-ca . es
elpa . se aunexis . ch myhostcloud . com vietlawconsultancy . com
suncrestcabinets . ca
sterlingessay . com dinslips . se carrybrands . nl nijaplay . com socstrp . org
mediaacademy-iraq . org
saka . gr balticdentists . com sabel-bf . com visiativ-industry . fr
nandistribution . nl baumkuchenexpo . jp zervicethai . co . th jvanvlietdichter . nl hotelsolbh . co
lusak . at fotoscondron . com luckypatcher-apkz . com
lefumetdesdombes . com
m . br
better . town id-et-d . fr neuschelectrical . co . za
marcuswhitten . site devstyle . org
jorgobe . at colorofhorses . com eglectonk . online seminoc . com aurum-juweliere . de
eco-southafrica . com ogdenvision . com sarbatkhalsafounda-tion . org
kamahouse . net carlosja . com
restaurantesszimmer . de
layrshift . eu yourobgyn . net croftprecision . co . uk kath-kirche-gera . de
katketytaanet . fi beaconhealthsystem . org
readberserk . com quizzingbee . com denovofoodsgroup . com
adoptioperheet . fi americafirstcommit-tee . org
trystana . com helikoptervluchtn-ewyork . nl
jsfg . com
beyondmarcomdot-com . wordpress . com
bridgeloanslenders . com
sportsmassoren . com navyfederalautoover-seas . com
hatech . io
slwgs . org stoeberstuuv . de firstpaymentservices . com
drinkseed . com troegs . com
iwelt . de leoben . at kafu . ch luxurytv . jp heliomotion . com
globedivers . word-press . com
botanicinnovations . com
transportesycemen-toshidalgo . es
ilcdover . com usershepley . word-press . com
rumahminangber-daya . com
i-arslan . de nvwoodwerks . com schoolofpassivewealth . com
vermoote . de
fannmedias . com crosspointefellowship . church
atozdistribution . co . uk
retroearthstudio . com fitovitaforum . com
makeitcount . at liveottelut . com vesinhnha . com . vn sla-paris . com cnoia . org
tomoiyuma . com assurancesalex-trespaille . fr
artige . com vibethink . net panelsandwichma-drid . es
teknoz . net devok . info qlog . de microcirc . net edv-live . de
tenacitytenfold . com simulatebrain . com mapawood . com rafaut . com heurigen-bauer . at
whyinterestingly . ru oneplusresource . org klimt2012 . info musictreehouse . net waywithwords . net
atmos-show . com bxdf . info pier40forall . org minipara . com shonacox . com
kmbshipping . co . uk rota-installations . co . uk
dpo-as-a-service . com rollingrockcolumbia . com
dareckleyministries . com
celularity . com spacecitysisters . org forskolorna . org bodyfulls . com huehnerauge-ent-fernen . de
div-vertriebsfor-schung . de
advizewealth . com erstatningsadvokat-erne . dk
lionware . de xtptrack . com
evangelische-pfarrge-meinde-tuniberg . de
nhadatcanho247 . com
fatfreezingmachines . com
birnam-wood . com insidegarage . pl
nakupunafoundation . org
ihr-news . jp sanyue119 . com nicoleaeschbachorg . wordpress . com
evergreen-fishing . com
themadbotter . com ateliergamila . com moveonnews . com sinal . org drugdevice . org
schraven . de austinlchurch . com amylendscrestview . com
stefanpasch . me maxadams . london
plv . media olejack . ru piajeppesen . dk winrace . no rushhourappliances . com
leda-ukraine . com . ua odiclinic . org lloydconstruction . com
fairfriends18 . de augenta . com
csgospeltips . se tstaffing . nl hrabritelefon . hr plastidip . com . ar xn--vrftet-pua . biz
365questions . org agence-chocolat-noir . com
loprus . pl hairnetty . wordpress . com
echtveilig . nl
bsaship . com i-trust . dk importardechina . info comparatif-lave-linge . fr
teczowadolina . bytom . pl
trulynolen . co . uk waynela . com gadgetedges . com ilso . net jadwalbolanet . info
saxtec . com rhinosfootballacade-my . com
stupbratt . no advokathuset . dk friendsandbrgrs . com
thomasvicino . com bouldercafe-wupper-tal . de
body-guards . it poultrypartners . nl smokeysstoves . com
pubweb . carnet . hr dw-css . de fizzl . ru campusoutreach . org igrealestate . com
sweering . fr tinyagency . com icpcnj . org apolomarcas . com aniblinova . wordpress . com
bricotienda . com lynsayshepherd . co . uk
psc . de nuzech . com unim . su
ikads . org x-ray . ca urclan . net ligiercenter-sachsen . de
limassoldriving . com
roygolden . com cranleighscoutgroup . org
marketingsulweb . com
cite4me . org theletter . company
deoudedorpskern-noordwijk . nl
bogdanpeptine . ro imaginado . de summitmarketing-strategies . com
vox-surveys . com
malychanierucho-moscipremium . com
shsthepapercut . com mardenhereford-shire-pc . gov . uk
sojamindbody . com broseller . com
bouncingbonanza . com
longislandelderlaw . com
miriamgrimm . de zimmerei-fl . de walter-lemm . de
ostheimer . at siliconbeach-realestate . com
jeanlouissibomana . com
blood-sports . net anteniti . com
ecopro-kanto . com admos-gleitlager . de homesdollar . com degroenetunnel . com kikedeoliveira . com
connectedace . com acomprarseguidores . com
wsoil . com . sg mercantedifiori . com argenblogs . com . ar
dsl-ip . de mousepad-direkt . de igfap . com finde-deine-marke . de vitavia . lt
tulsawaterheaterinstal-lation . com
desert-trails . com waveneyrivercentre . co . uk
myzk . site monark . com
wasmachtmeinfonds . at
bowengroup . com . au schoellhammer . com stallbyggen . se phantastyk . com
paradicepacks . com pixelarttees . com schmalhorst . de associationanalytics . com
alfa-stroy72 . com
edelman . jp mbxvii . com executiveairllc . com turkcaparbariatrics . com
veybachcenter . de
stampagrafica . es partnertaxi . sk hairstylesnow . site julis-lsa . de smale-opticiens . nl
notmissingout . com bunburyfreightser-vices . com . au
nokesvilledentistry . com
y-archive . com danskretursystem . dk
filmstreamingvfcom-plet . be
apprendrelaudit . com bauertree . com no-plans . com radaradvies . nl
solinegraphic . com faronics . com pt-arnold . de wari . com . pe krcove-zily . eu
castillobalduz . es ausair . com . au architekturbuero-wag-ner . net
torgbodenbollnas . se biortaggivaldelsa . com
songunceliptv . com harveybp . com stacyloeb . com dlc . berlin theapifactory . com
yamalevents . com amerikansktgodis . se smart-light . co . uk creamery201 . com cortec-neuro . com
klusbeter . nl remcakram . com alhashem . net all-turtles . com servicegsm . net
verytycs . com jacquin-maquettes . com
lichencafe . com pcp-nc . com izzi360 . com
architecturalfiberglass . org
hannah-fink . de polychromelabs . com run4study . com hkr-reise . de
gaiam . nl live-your-life . jp schlafsack-test . net qualitaetstag . de ki-lowroermond . nl
southeasternacade-myofprosthodontics . org
milanonotai . it onlyresultsmarketing . com
marchand-sloboda . com
romeguidedvisit . com
mirjamholleman . nl cirugiauretra . es eadsmurraypugh . com
aodaichandung . com durganews . com
nativeformulas . com spsshomeworkhelp . com
hardinggroup . com bodyforwife . com lebellevue . fr
allentownpapershow . com
tonelektro . nl whittier5k . com liliesandbeauties . org actecfoundation . org
slimani . net solhaug . tk fransespiegels . nl asgestion . com aakritpatel . com
iyahayki . nl christ-michael . net collaborativeclass-room . org
milsing . hr homng . net
geisterradler . de groupe-frayssinet . fr arteservicefabbro . com
edgewoodestates . org
123vrachi . ru
gasolspecialisten . se delawarecorporatelaw . com
surespark . org . uk houseofplus . com jandaonline . com
blumenhof-wegleit-ner . at
qualitus . com thee . network hushavefritid . dk kuntokeskusrok . fi
irinaverwer . com pasivect . co . uk mariposapropaneaz . com
dublikator . com kaotikkustomz . com
calabasasdigest . com berliner-versi-cherungsvergleich . de
hhcourier . com renergysolution . com jobcenterkenya . com
femxarxa . cat satyayoga . de almosthomedogres-cue . dog
bildungsunderlebnis . haus
asiluxury . com
lapmangfpt . info . vn bierensgebakkramen . nl
koken-voor-baby . nl daniel-akermann-ar-chitektur-und-pla-nung . ch
thomas-hospital . de
outcomeisincome . com
besttechie . com abogadosadomicilio . es
sauschneider . info uimaan . fi
art2gointerieurpro-jecten . nl
sipstroysochi . ru autofolierung-lu . de esope-formation . fr gonzalezfornes . es
foretprivee . ca milestoneshows . com igorbarbosa . com autopfand24 . de freie-baugutachter-praxis . de
agence-reference-ment-naturel-geneve . net
gastsicht . de karacaoglu . nl hotelzentral . at creative-waves . co . uk
perbudget . com zewatchers . com humancondition . com
miraclediet . fun justinvieira . com
funjose . org . gt datacenters-in-europe . com
ungsvenskarna . se bristolaeroclub . co . uk hokagestore . com
pmcimpact . com sahalstore . com sandd . nl calxplus . eu oncarrot . com
dutchbrewingcoffee . com
greenfieldoptimalden-talcare . com
xn--rumung-bua . online
ncuccr . org ceid . info . tr
zonamovie21 . net kisplanning . com . au pasvenska . se eraorastudio . com dezatec . es
helenekowalsky . com wien-mitte . co . at deprobatehelp . com jusibe . com cityorchardhtx . com
ceres . org . au blgr . be wolf-glas-und-kunst . de
tennisclubetten . nl ino-professional . ru
labobit . it dnepr-beskid . com . ua
pridoxmaterieel . nl lillegrandpalais . com binder-buerotechnik . at
galserwis . pl sloverse . com wmiadmin . com dubscollective . com humanityplus . org
systemate . dk lapinvihreat . fi caffeinternet . it slashdb . com fotoideaymedia . es
shiresresidential . com tsklogistik . eu skiltogprint . no morawe-krueger . de hugoversichert . de
aarvorg . com maureenbreezedan-cetheater . org
healthyyworkout . com ravensnesthomegoods . com
stopilhan . com
wellplast . se anybookreader . de gw2guilds . org crowcanyon . com new . devon . gov . uk
synlab . lt bigler-hrconsulting . ch promesapuertorico . com
blacksirius . de lucidinvestbank . com
micahkoleoso . de digivod . de tanciu . com team-montage . dk bockamp . com
candyhouseusa . com n1-headache . com pocket-opera . de ausbeverage . com . au galleryartfair . com
levdittliv . se kedak . de ledmes . ru corola . es praxis-foerderdiagnos-tik . de
thedad . com tophumanservi-cescourses . com
ra-staudte . de copystar . co . uk streamerzradio1 . site
completeweddingkan-sas . com
milltimber . aberdeen . sch . uk
vanswigchemdesign . com
mylolis . com extraordinaryoutdoors . com
dubnew . com mooreslawngarden . com
nacktfalter . de wraithco . com siluet-decor . ru
vancouver-print . ca mezhdu-delom . ru modelmaking . nl jerling . de dr-pipi . de
mytechnoway . com johnsonfamilyfarm-blog . wordpress . com
kampotpepper . gives chandlerpd . com profectis . de