
Kaspersky: Sodin-ransomware used zero day in Windows and CPU architecture


The Sodin ransomware uses a zero-day vulnerability in Windows to obtain elevated access rights on infected systems. In addition, it exploits the CPU architecture to evade detection. According to Kaspersky researchers, this is hardly ever seen in ransomware.

Sodin is offered as Ransomware-as-a-Service, which means that distributors choose how the malware is spread. According to Kaspersky, there are indications that it is distributed through affiliate programmes.

For example, there is a loophole in the malware's functionality that allows the developers to encrypt files without a user noticing it. Thanks to a master key, no distributor key is required for the encryption.

The security specialist also finds it striking that the malware needs no user interaction to reach vulnerable servers. In many cases the attackers find a vulnerable server and send it a command to download a malicious file called radm.exe. In this way the ransomware is stored and executed on the local computer.

Sodin is also difficult to detect because it uses the Heaven's Gate technique. With this technique, a program can execute 64-bit code from a running 32-bit process. According to Kaspersky researchers, ransomware hardly ever does this.

The researchers believe that the attackers use the technique for two reasons. First, it makes analysis of the malicious code harder, as not every analyst knows and recognises the technique. Second, it prevents detection by security products, which often inspect only the 32-bit side of a process.


Jornt van der Wiel, security expert at Kaspersky, says that such an extensive and sophisticated piece of ransomware as Sodin is rarely encountered. Using the CPU architecture to stay under the radar is not common practice for encryptors, and building such malware takes a lot of work. That makes it likely that attacks with Sodin will increase, as the developers will of course want to recoup their investment.

Sodin has mainly affected devices in the Asian region, but attacks have also been observed in Europe, Latin America and North America. After infecting a system and encrypting its files, the ransomware leaves a ransom note demanding $2,500 in bitcoin.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.