Description of Campaign:
The Sodinokibi ransomware appends a random extension to encrypted files, reporting it has doubled the price of the ransom if not paid on time. The malware is actively distributed through Managed Service Providers. It takes advantage of server flaws, spam campaigns, and exploit kits. There are multiple individual campaigns, targeting different global sectors.

How to use this article:

1. If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign. 
2. Review the product detection table and confirm that your environment is at least on the specified content version.
   To download the latest content versions, go to the Security Updates page.
3. Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
4. Review KB91836 - Countermeasures for entry vector threats.
5. Review KB87843 - Dynamic Application Containment rules and best practices.
6. Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.

Campaign IOC:

IOC	Value
MD5	a30108f037b6862c97fb296b85ced917
MD5	99ef2192829052369f623808933d12b8
URL	hxxps://pastebin.com/raw/HsgW6pUr
URL	hxxp://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C2D97495C4BA3647

 
Minimum Content Versions:

Content Type	Version
V2 DAT (VirusScan Enterprise)	9368
V3 DAT (Endpoint Security)	3827

 
Detection Summary:

IOC	Scanner	Detection
a30108f037b6862c97fb296b85ced917	AVEngine V2	Ransom-Sodinokibi.d, Sodinbokibi
	AVEngine V3	Ransom-Sodinokibi.d, Sodinbokibi
	JTI (ATP Rules)	239
	RP Static	-
	RP Dynamic	Real Protect-PSFL!

 

IOC	Scanner	Detection
99ef2192829052369f623808933d12b8	AVEngine V2	Ransom-REvil!
	AVEngine V3	Ransom-REvil!
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	Real Protect-EC!

 
Minimum set of Manual Rules to improve protection to block this campaign

IMPORTANT: When you implement new rules or signatures, always first set them to Report mode before setting them to Block.

Mitigate against triggering false positives when enabling new rules and signatures by always following best practices. For best practices for Endpoint Security Dynamic Application Containment rules, see: KB87843 - Dynamic Application Containment rules and best practices.
 
Endpoint Security - Exploit Prevention:
            Rule ID: 6087 PowerShell Command Restriction - EncodedCommand
 
Endpoint Security - Advanced Threat Protection:
            Rule ID: 2 Use Enterprise file reputation to identify trusted or malicious files
 
Endpoint Security - Dynamic Application Containment:
           Executing any child process            
Aggressive set of Manual Rules to improve protection to block this campaign

IMPORTANT: When you implement new rules or signatures, always first set them to Report mode before setting them to Block.

Mitigate against triggering false positives when enabling new rules and signatures by always following best practices. For best practices for Endpoint Security Dynamic Application Containment rules, see: KB87843 - Dynamic Application Containment rules and best practices.
 
Virusscan Enterprise – Access Protection Rules:
           Prevent programs registering as a service  
Host Intrusion Prevention:
           Rule ID: 6010 Generic Application Hooking Protection  
Endpoint Security – Access Protection:
            Running files from common user folders           
 
Endpoint Security - Dynamic Application Containment:
           Modifying files with the .bat extension  
Virusscan Enterprise - Access Protection Rules: