Cybercriminals behind recent Sodinokibi ransomware attacks are now upping their ante and scanning their victims’ networks for credit card or point of sale (PoS) software. Researchers believe this is a new tactic designed to allow attackers to get the biggest bang for their buck – ransom payments and credit card data
The compromise of PoS software – which is commonly installed on credit card terminals at retailer stores or restaurants – is a cybercriminal favorite for siphoning credit card information from unknowing customers. In this campaign, researchers found the Sodinokibi ransomware sniffing out PoS systems on the compromised networks of three “large” unnamed companies in the services, food, and healthcare sectors.
However, it’s not yet clear whether the attackers are targeting this PoS software to encrypt it as part of the ransomware attack, or because they want to scrape the credit card information on the systems as a way to make even more money in addition to the ransomware attack.
“While many of the elements of this attack are ‘typical’ tactics seen in previous attacks using Sodinokibi, the scanning of victim systems for PoS software is interesting, as this is not typically something you see happening alongside targeted ransomware attacks,” said Symantec researchers in a Tuesday analysis. “It will be interesting to see if this was just opportunistic activity in this campaign, or if it is set to be a new tactic adopted by targeted ransomware gangs.”
Before delivering the Sodinokibi ransomware, the attackers first compromised companies with the Cobalt Strike commodity malware. As part of this campaign, researchers found eight organizations with the Cobalt Strike commodity malware on their systems. Attackers would not execute the ransomware on all of these firms – only three of the eight Cobalt Strike victims were found to be additionally infected by the Sodinokibi ransomware. [....]