Just days ago, the Sangfor security team, acting on customer feedback, became aware that several customers' networks had been intruded by a ransomware virus. Careful analysis revealed that the newest variant of GandCrab, since named Sodinokibi, was causing the blue screens reported by customers.
Sodinokibi ransomware is similar to GandCrab in code design and function. It employs anti-debugging and obfuscation techniques (in addition to continuous debugging), uses the RSA and AES algorithms to encrypt files, appends a random character string to each file name as a new extension, and replaces the wallpaper with a dark blue picture bearing a threatening title. Sodinokibi drops a ransom note named after that random extension: "<encrypted extension>-readme.txt" or "<encrypted extension>-HOW-TO-DECRYPT.txt".
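The naming pattern just described gives a defender a cheap triage check: a cluster of files carrying the same random extension on top of their original extension, plus a note named "<extension>-readme.txt" or "<extension>-HOW-TO-DECRYPT.txt" in the same tree. The script below is an added example, not Sangfor's code and not taken from the malware; it walks a constructed file listing and reports each suspicious extension with a confidence level. The sample paths, the invented extension `5a1k9x`, the 5-10 character heuristic for a "random" extension and the set of known original extensions are all assumptions.

```python
"""Triage check for Sodinokibi-style file renaming and ransom notes.

Added example (not Sangfor's or the malware's code). It looks for the
two artefacts the advisory describes: files renamed to
<original>.<ext>.<random> and notes named <random>-readme.txt or
<random>-HOW-TO-DECRYPT.txt.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Note file suffixes from the advisory, compared case-insensitively.
NOTE_SUFFIXES = ("-readme.txt", "-how-to-decrypt.txt")

# Heuristic (assumption): a "random" extension is 5-10 lowercase letters/digits.
RANDOM_EXT = re.compile(r"^[a-z0-9]{5,10}$")

# Original extensions we expect to find underneath the appended one (assumption).
KNOWN_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf",
              "jpg", "png", "txt", "zip", "sql", "bak"}

# Constructed sample listing; "5a1k9x" is an invented extension, not a real IoC.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.5a1k9x",
    r"C:\Users\alice\Documents\report.docx.5a1k9x",
    r"C:\Users\alice\Pictures\holiday.jpg.5a1k9x",
    r"C:\Users\alice\Documents\5a1k9x-readme.txt",
    r"C:\Users\alice\Desktop\5a1k9x-HOW-TO-DECRYPT.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Downloads\setup.exe",
]


def find_ransom_notes(paths):
    """Map each random extension token to the ransom-note paths that name it."""
    notes = defaultdict(list)
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        for suffix in NOTE_SUFFIXES:
            if name.endswith(suffix) and len(name) > len(suffix):
                token = name[: -len(suffix)]
                if RANDOM_EXT.match(token):
                    notes[token].append(p)
    return dict(notes)


def group_by_random_extension(paths):
    """Group files shaped like <name>.<known ext>.<random ext> by the random ext."""
    groups = defaultdict(list)
    for p in paths:
        parts = PureWindowsPath(p).name.lower().split(".")
        if len(parts) < 3:
            continue  # need at least original.ext.random
        original_ext, random_ext = parts[-2], parts[-1]
        if original_ext in KNOWN_EXTS and RANDOM_EXT.match(random_ext):
            groups[random_ext].append(p)
    return dict(groups)


def assess(paths, min_files=2):
    """Return one finding per extension token, rated by how much evidence supports it.

    high:   renamed files AND a matching ransom note
    medium: at least min_files renamed files, no note found
    low:    a note-like file name but no renamed files (possible false positive)
    """
    notes = find_ransom_notes(paths)
    groups = group_by_random_extension(paths)
    findings = []
    for token in sorted(set(notes) | set(groups)):
        files = groups.get(token, [])
        note_paths = notes.get(token, [])
        if note_paths and files:
            confidence = "high"
        elif len(files) >= min_files:
            confidence = "medium"
        elif note_paths:
            confidence = "low"
        else:
            continue  # a single renamed file on its own is not worth reporting
        findings.append({
            "extension": token,
            "encrypted_files": len(files),
            "ransom_notes": len(note_paths),
            "confidence": confidence,
        })
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_LISTING):
        print(finding)
```

In practice the listing would come from a file-server share enumeration or an EDR file-event export rather than a hard-coded list; the note-and-cluster pairing is what keeps a lone "project-readme.txt" from being rated higher than "low".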