Written by: Alyssa Bear – Cybersecurity Analyst, MSPAlliance

MSPs are beginning to face an updated type of ransomware that uses their own systems to target their Customers. A new version of Sodinokibi can now exploit application vulnerabilities that allow remote code execution without authentication. This type of vulnerability has been identified in Oracle WebLogic Server and in an RMM tool used by the MSP community.

So far, Sodinokibi has mostly targeted enterprise-scale businesses. However, this attack method will most likely become more prevalent in attacks on small and medium-sized businesses. Sodinokibi has already affected Customers of MSPs, and its operators will continue to assess MSP environments for vulnerabilities that allow automatic deployment.

Once Sodinokibi is deployed to Customer environments, Customer files are encrypted and a traditional ransomware message is displayed. Whereas other ransomware families allow payment for a single ID, Sodinokibi demands payment for all encrypted IDs.

History of Sodinokibi

Sodinokibi was discovered in late April 2019, when it was delivered by exploiting a deserialization vulnerability, CVE-2019-2725, in Oracle WebLogic Server. This remote code execution vulnerability is exploitable remotely without authentication, meaning it can be exploited from any remote endpoint without a username or password. Sodinokibi used this access to elevate privileges in Windows and abused legitimate functions to bypass security measures. Oracle issued a patch outside its normal patch cycle because of the severity of the vulnerability, which shows how dangerous this exploit is.

Oracle's Fusion Middleware Risk Matrix gives this vulnerability a base score of 9.8. The base score is defined as “a numeric value between 0.0 and 10.0 to indicate the severity of the vulnerability, where 10.0 represents the highest severity. Each risk matrix is ordered using this value, with the most severe vulnerability at the top of each risk matrix.” CVE-2019-2725 is easy to exploit because the vulnerable component is reached over the HTTP protocol, meaning that anyone with network access to the WebLogic server could carry out an attack.

Once the attackers breached MSPs via remote desktop endpoints and escalated their privileges, the ransomware uninstalled any antivirus products it detected. The attackers then searched for accounts using Webroot SecureAnywhere and executed a PowerShell script on remote workstations that released Sodinokibi.
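As an added illustration (not code from the article or from MSPAlliance), the following Python sketch shows how a defender could flag the two behaviours described above in process-creation logs: PowerShell spawned by remote-management tooling, and removal of an antivirus product. The agent image names, the AV product token, the encoded/hidden-window heuristic and the sample events are constructed assumptions, not values from any real incident.

```python
import json
import re

# Hypothetical RMM / endpoint-console agent image names; a real deployment lists its own.
RMM_PARENTS = {"rmm-agent.exe", "console-agent.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
AV_PRODUCTS = {"exampleav"}  # hypothetical AV product token to watch for
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+\S")
HIDDEN_FLAG = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")

# Constructed sample events (Windows 4688-style process creation as JSON lines).
SAMPLE_EVENTS = [
    r'{"Host": "WS02", "ParentProcessName": "C:\\Program Files\\RMM\\rmm-agent.exe", '
    r'"NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '
    r'"CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA"}',
    r'{"Host": "WS02", "ParentProcessName": "C:\\Windows\\System32\\cmd.exe", '
    r'"NewProcessName": "C:\\Program Files\\ExampleAV\\uninstall.exe", '
    r'"CommandLine": "\"C:\\Program Files\\ExampleAV\\uninstall.exe\" /silent"}',
    r'{"Host": "WS03", "ParentProcessName": "C:\\Windows\\System32\\services.exe", '
    r'"NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '
    r'"CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"}',
]

def _image(path):  # lower-cased basename of a Windows image path
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the rule names a single parsed event trips (empty if benign)."""
    child = _image(event.get("NewProcessName", ""))
    parent = _image(event.get("ParentProcessName", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if child in POWERSHELL and parent in RMM_PARENTS:  # RMM pushing PowerShell to a workstation
        hits.append("rmm_spawned_powershell")
    if child in POWERSHELL and (ENCODED_FLAG.search(cmd) or HIDDEN_FLAG.search(cmd)):
        hits.append("obfuscated_powershell")  # assumed heuristic, not from the article
    if "uninstall" in cmd.lower() and any(p in cmd.lower() for p in AV_PRODUCTS):
        hits.append("av_uninstall")  # AV removal ahead of ransomware deployment
    return hits

def scan(lines):
    """Parse JSON log lines; return (host, image, rules) for each suspicious event."""
    findings = []
    for event in map(json.loads, lines):
        hits = classify(event)
        if hits:
            findings.append((event["Host"], _image(event["NewProcessName"]), hits))
    return findings
```

The scheduled backup script on WS03 produces no finding, while the two WS02 events are flagged; in practice the parent-process list and maintenance windows would be tuned to the MSP's own tooling.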

Sodinokibi is unique because it used a zero-day exploit, which is an attack “that occurs on the same day a weakness is discovered in software.” The use of a zero-day is atypical of the distribution pattern of financially motivated ransomware. According to Kaspersky, organizations at risk from a zero-day attack can employ a few means of detection and protection. These include using a virtual local area network (VLAN) to protect transmitted data, a properly configured firewall, a secure Wi-Fi system to protect against malware attacks, and Secure Sockets Layer (SSL) to secure information sent between the user and the site. Using 2FA or MFA to the extent possible on all applications is strongly encouraged. All of this is relevant to becoming compliant with today’s industry standards and best practices, which help prevent attacks like this from happening to an MSP.

Tags: cybersecurity, MSPs, ransomware, RMM, Sodinokibi