Attackers are compromising large companies with the Cobalt Strike malware, and then deploying the Sodinokibi ransomware.

Cybercriminals behind recent Sodinokibi ransomware attacks are now upping their ante and scanning their victims’ networks for credit card or point of sale (PoS) software. Researchers believe this is a new tactic designed to allow attackers to get the biggest bang for their buck – ransom payments and credit card data.

The compromise of PoS software – which is commonly installed on credit card terminals at retail stores or restaurants – is a cybercriminal favorite for siphoning credit card information from unknowing customers. In this campaign, researchers found the Sodinokibi ransomware sniffing out PoS systems on the compromised networks of three “large” unnamed companies in the services, food, and healthcare sectors.

However, it’s not yet clear whether the attackers are targeting this PoS software to encrypt it as part of the ransomware attack, or because they want to scrape the credit card information on the systems as a way to make even more money in addition to the ransomware attack.

“While many of the elements of this attack are ‘typical’ tactics seen in previous attacks using Sodinokibi, the scanning of victim systems for PoS software is interesting, as this is not typically something you see happening alongside targeted ransomware attacks,” said Symantec researchers in a Tuesday analysis. “It will be interesting to see if this was just opportunistic activity in this campaign, or if it is set to be a new tactic adopted by targeted ransomware gangs.”


Sodinokibi Ransomware Now Scans Networks For PoS Systems