
Cyber Incident Victim: Italian Compression Solutions

Date: Jun 2019

Location: Italy

Summary

The Winrar.it distributor site was compromised to distribute Sodinokibi ransomware as part of a broader campaign that used several infection vectors at once: hijacked managed service provider (MSP) tools, malicious spam emails impersonating Booking.com, and compromised software distribution platforms. Attackers pushed payloads through MSP management consoles, delivered PowerShell scripts via weaponized Word documents, and altered legitimate websites to serve the ransomware to visitors. These activities resulted in widespread file encryption and ransom demands, with affiliates filling the void left by discontinued ransomware operations to propagate Sodinokibi across diverse targets.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Threat Actor Type: Available to members

Threat Actor Location: Available to members

Description

The Sodinokibi ransomware campaign involving the Winrar.it distributor site occurred in mid-June 2019 as part of a broader affiliate-driven operation filling the void left by GandCrab's shutdown. Attackers compromised the legitimate Winrar.it software distribution website to deliver malicious payloads, leveraging the site's trusted status to infect visitors. This method operated alongside two other parallel infection vectors: compromised Managed Service Provider (MSP) platforms including Webroot, Kaseya VSA, and ConnectWise, which attackers used to push ransomware through management consoles, and Booking.com-themed spam emails distributing weaponized Word documents. In the Winrar.it compromise, threat actors altered the site to facilitate ransomware deployment, though specific technical details of the website modification were not disclosed in available sources. The final payload involved PowerShell scripts hosted on Pastebin that downloaded and executed Sodinokibi ransomware binaries.


The ransomware encrypted victims' files across compromised systems, rendering data inaccessible until ransom payments were made. Security researchers observed the campaign's rapid propagation through these multiple vectors, noting its operational maturity in mimicking legitimate traffic and infrastructure. No specific victim count or industry targeting was detailed for the Winrar.it component, though the broader campaign affected MSP clients and spam email recipients. Response actions were limited to industry detection and analysis, with security firms documenting the attack patterns and infrastructure. The incident highlighted ransomware affiliates' adaptability in exploiting software supply chains, trusted business platforms, and phishing lures simultaneously to maximize infection rates. Financial impacts stemmed directly from operational disruption and ransom demands against affected entities.

Sources: 1 source (available to members)