Tencent Yujian: Sodinokibi ransomware attacks a large number of Chinese and Korean companies; victims are extorted for 0.15 bitcoins

The Tencent Yuzhi Threat Intelligence Center issued a statement today that the Tencent Security Guardian Threat Intelligence Center has recently detected a large number of Sodinokibi ransomware campaigns, spread through phishing emails, attacking Chinese and Korean companies. Infected users are extorted for 0.15 bitcoins (market value 7800 yuan). The affected enterprises are mainly concentrated in Guangdong, Shandong, Jiangsu, Shanghai, Beijing and other places, and the main victims include IT companies, scientific research and technical service organizations, and traditional manufacturing enterprises. The phishing emails use subject lines such as "repayment of debts" and "payment remittance advice", with a compressed file containing the ransomware attached. The Chinese version of the attachment is "your account.zip" and the Korean version is "송장10.2019.zip". After decompression they are "payment invoice.xls.exe" and "10 월송장.xls.exe" respectively, both Sodinokibi ransomware disguised as spreadsheet files. Judging from the format of the phishing email content, the subject lines and the type of sample delivered, the attacks against China and South Korea come from the same source.
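The lure described above relies on a double extension (".xls.exe") inside a zip attachment, so a mail gateway or triage script can flag it before anyone opens the archive. The following check is an added example, not code from Tencent or from the report: it builds in-memory archives named after the two attachments in the text (with constructed placeholder contents, plus a constructed benign control) and reports entries whose real extension is executable and whose preceding extension imitates a document.

```python
import io
import zipfile

# Extensions that mean the entry is a Windows executable/script payload.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure borrows to look like a document ("invoice.xls.exe" borrows ".xls").
DOCUMENT_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".txt", ".jpg"}


def split_exts(name):
    """Return the last two lowercase extensions of a path, e.g. ('.xls', '.exe')."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().rsplit(".", 2)
    if len(parts) < 2:
        return ("", "")
    if len(parts) == 2:
        return ("", "." + parts[1])
    return ("." + parts[1], "." + parts[2])


def suspicious_entries(zip_bytes):
    """List (entry name, reason) for executable entries; double extensions get their own reason."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            inner, outer = split_exts(info.filename)
            if outer in EXECUTABLE_EXTS:
                reason = "double-extension-lure" if inner in DOCUMENT_EXTS else "executable-attachment"
                findings.append((info.filename, reason))
    return findings


def build_sample_zip(entries):
    """Build a zip archive in memory from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed archives: the two attachment names from the report plus a benign control.
SAMPLE_ARCHIVES = {
    "your account.zip": build_sample_zip({"payment invoice.xls.exe": b"MZ placeholder"}),
    "송장10.2019.zip": build_sample_zip({"10 월송장.xls.exe": b"MZ placeholder"}),
    "quarterly.zip": build_sample_zip({"quarterly.xlsx": b"PK placeholder"}),
}


def scan_all(archives=SAMPLE_ARCHIVES):
    """Map each archive name to its suspicious entries."""
    return {name: suspicious_entries(data) for name, data in archives.items()}
```

Windows hides known extensions by default, so a user sees "payment invoice.xls"; the check above looks at the archive listing instead of the displayed name.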