Meet Sodinokibi, a ransomware strain that exploits a critical Oracle server flaw

Digital extortionists are exploiting a bug with a severity score of 9.8 out of 10 that Oracle sought to squash with a patch issued last week.
Oracle, RSA 2019
(Scoop News Group photo)

Hackers are exploiting a critical vulnerability in a widely used Oracle service to distribute a new strain of ransomware that attempts to encrypt data in a user’s directory, then make recovery more difficult by deleting trustworthy backups, according to research published Tuesday.

Attackers are trying to infect victims with a new variant of the Sodinokibi ransomware by leveraging a known security flaw in Oracle’s WebLogic Server, according to Cisco’s Talos threat research team. The digital extortionists are exploiting the flaw known as CVE-2019-2725, a bug with a severity score of 9.8 out of 10 that Oracle sought to squash with a patch issued April 26, outside the company’s normal patch cycle.

“Historically, most varieties of ransomware have required some form of user interaction, such as a user opening an attachment to an email message, clicking on a malicious link, or running a piece of malware on the device,” Cisco’s Talos team wrote in a blog post. “In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware,” encrypting a number of companies without any such interaction.

WebLogic Server is a popular Java-based tool typically used by businesses to support enterprise apps. Hackers have been increasingly interested in it over the past year, perhaps because Oracle’s next security update is not scheduled until July, and more than 36,000 publicly accessible servers remain vulnerable to attack, ZDNet reported last week.


After installing the Sodinokibi ransomware — and typically charging roughly $2,500 in bitcoin to decrypt the files — attackers then attempt to launch a strain of the GandCrab ransomware, perhaps because “the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab,” researchers speculated.

WebLogic Servers have been especially popular among hackers trying to carry out their own illicit cryptomining operations. Researchers at TrendMicro, for instance, have found numerous cases last year in which scammers mined for Monero after carrying out an attack on WebLogic targets.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts