Sodinokibi Ransomware (Analysis and Recovery Options)
This page details everything you need to know about Sodinokibi ransomware. If you have been hit by Sodinokibi ransomware and need help recovering your data, we're here to help.
What is Sodinokibi ransomware?
Sodinokibi (also referred to as Sodin, Sodi or REvil) is a ransomware family first observed in April 2019. It quickly became one of the most widely distributed ransomware variants.
Sodinokibi is a Ransomware-as-a-Service (RaaS) variant. In the RaaS model the developers maintain the malware and the payment portal, while affiliates break into victim networks, deploy the payload and collect the ransom, which the two parties split. Sodinokibi specifically doubles the demanded ransom if it is not paid within seven days.
Below is an example Sodinokibi ransomware portal that victims are directed to for further instructions.
Before encrypting user files, Sodinokibi attacks the victim's ability to restore. Its configuration lists folder names to wipe (typically backup directories) on local drives and network shares; it overwrites the contents of those folders with random bytes before deleting them, so undelete and file-carving tools cannot bring them back.
Sodinokibi also deletes Volume Shadow Copies from the device using vssadmin.exe and disables Windows recovery options with bcdedit, removing the quickest on-host recovery path.
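The shadow-copy deletion above is one of the most reliable detection points for any ransomware, because the command is rarely legitimate outside a backup administrator's hands. The following Python is an added example (not code from the original page or from Proven Data) that scans Sysmon-style process-creation records for it and, as a generalization beyond the page's single command, for the other recovery-inhibiting commands ransomware typically chains with it (bcdedit recovery settings, wmic shadowcopy delete, wbadmin delete catalog). The log records are constructed for the example and their one-line "Image=... CommandLine=..." layout is an assumption; the second record is modelled on the vssadmin/bcdedit chain that public analyses of Sodinokibi report.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation records (Sysmon Event ID 1 style, flattened to one
# "Image=... CommandLine=..." line each). Sample data for this example, not logs
# from a real case. The second record is modelled on the vssadmin/bcdedit chain
# that public analyses of Sodinokibi report.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\svchost.exe CommandLine=svchost.exe -k netsvcs",
    r"Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet "
    r"& bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"Image=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin.exe list shadows",
    r"Image=C:\Windows\System32\wbem\WMIC.exe CommandLine=wmic shadowcopy delete",
    r"Image=C:\Windows\System32\wbadmin.exe CommandLine=wbadmin delete catalog -quiet",
]

# Commands that remove or disable on-host recovery. Merely listing shadows (a normal
# admin action) deliberately does not match; deletion, resizing and recovery tampering do.
RECOVERY_INHIBIT_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_shadowstorage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]


def command_line(event: str) -> str:
    """Pull the CommandLine field out of a flattened record; fall back to the whole line."""
    m = re.search(r"CommandLine=(.*)$", event)
    return m.group(1) if m else event


def scan_process_events(events: List[str]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on an event.

    Matching is done on the full command line, so a chain of several commands
    launched through cmd.exe /c (as Sodinokibi does) produces several hits."""
    hits = []
    for idx, event in enumerate(events):
        cmd = command_line(event)
        for name, pattern in RECOVERY_INHIBIT_RULES:
            if pattern.search(cmd):
                hits.append((idx, name))
    return hits


def severity(hits: List[Tuple[int, str]]) -> Dict[int, str]:
    """One recovery-inhibiting command is suspicious; several chained in a single
    process launch is how ransomware does it, so rate that higher."""
    per_event: Dict[int, int] = {}
    for idx, _ in hits:
        per_event[idx] = per_event.get(idx, 0) + 1
    return {idx: ("high" if n >= 2 else "medium") for idx, n in per_event.items()}


if __name__ == "__main__":
    found = scan_process_events(SAMPLE_EVENTS)
    for idx, level in sorted(severity(found).items()):
        rules = [name for i, name in found if i == idx]
        print(f"event {idx}: {level:6s} {', '.join(rules)}")
```

In a real deployment the same rules would run on Sysmon Event ID 1 or Windows Security 4688 (with command-line auditing enabled), and a "high" hit should page someone immediately: by the time vssadmin runs, encryption is usually seconds away.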
Once the operators have a foothold, they typically elevate privileges before running the ransomware payload, for example by bypassing UAC or exploiting a local privilege-escalation flaw. Running with elevated rights lets the payload reach as many files, shares and resources on the system as possible.
If the attackers' access is not fully removed (their implants, the accounts and credentials they used, and the unpatched entry point), they can simply come back and deploy the ransomware again; cleaning the encrypted hosts alone is not enough.
Sodinokibi is commonly distributed by a variety of methods covered later in this article.
Sodinokibi ransomware Indicators of Compromise (IoC)
Several indicators of compromise (IoCs) show that Sodinokibi has run on a host.
Sodinokibi Encrypted Files
If your data has been encrypted by Sodinokibi you will see an extra extension appended to each file's original name (for example, report.docx becomes report.docx.32n7paf41). The extension is a random string of lowercase letters and digits, usually around 5 to 10 characters, generated once per infected host: every file on that host gets the same extension, and another host hit in the same incident can have a different one. The ransomware also records the extension in the registry key it creates under HKLM\SOFTWARE\recfg (value rnd_ext), which is a quick IoC to check.
Sodinokibi Ransom Note
You will also find a ransom note as a .txt file in every folder containing encrypted files. The file name is the random extension followed by -readme.txt; for example, a host whose files received the extension 32n7paf41 will have notes named 32n7paf41-readme.txt.
Below is an example of a ransom note left by Sodinokibi ransomware:
The ransom note tells the victim what to do next if they want their files decrypted. Each Sodinokibi ransom note includes:
- A unique victim key (a long encoded string) that identifies your infection on the portal; it corresponds to the extension appended to your files
- The address of the operators' Tor (.onion) portal
If you are looking to have your data recovered, it is important to not delete the Sodinokibi ransomware note as this information will be used during the ransomware recovery process.
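The two indicators above (the per-host extension and the <extension>-readme.txt note) are enough to triage a hit from the file system alone. The following Python is an added example (not code from the original page or from Proven Data) that walks a folder tree, finds the ransom notes, derives the extension from their names, counts the files carrying it, and pulls the .onion address and the long key string out of the note text. The sample folder, note wording, key string and .onion address are all constructed for the example; the real note's exact layout is not reproduced, so the parser keys only on the two things the page says every note contains.

```python
import base64
import os
import re
import tempfile
from typing import Dict, List

# Note file name: <random extension>-readme.txt (extension captured in group 1).
NOTE_NAME = re.compile(r"^([a-z0-9]{5,10})-readme\.txt$", re.I)
# v2 (16-char) or v3 (56-char) onion address, with whatever path follows it.
ONION_URL = re.compile(r"https?://[a-z2-7]{16,56}\.onion\S*", re.I)
# The victim key: a long run of base64-style characters.
KEY_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed sample data for this example; not values from a real infection.
SAMPLE_EXT = "k3j8a"
SAMPLE_KEY = base64.b64encode(b"constructed sample key id, not a real REvil key").decode()
SAMPLE_NOTE = (
    "Your files have been encrypted and now carry the extension {ext}.\n"
    "To get your files back, open this page in the Tor browser:\n"
    "http://sodinexample2345.onion/{ext}\n"
    "Your key: {key}\n"
).format(ext=SAMPLE_EXT, key=SAMPLE_KEY)


def parse_note(text: str) -> Dict[str, List[str]]:
    """Extract the portal address(es) and key string(s) from ransom note text."""
    return {
        "onion_urls": sorted(set(ONION_URL.findall(text))),
        "key_ids": sorted(set(KEY_TOKEN.findall(text))),
    }


def triage(root: str) -> Dict:
    """Locate notes under root, derive the extension(s), count encrypted files."""
    note_count, urls, keys, exts = 0, set(), set(), set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            m = NOTE_NAME.match(name)
            if not m:
                continue
            note_count += 1
            exts.add(m.group(1).lower())
            with open(os.path.join(dirpath, name), "r", errors="replace") as f:
                parsed = parse_note(f.read())
            urls.update(parsed["onion_urls"])
            keys.update(parsed["key_ids"])
    # Second pass: list every file that carries an extension seen in a note.
    encrypted = {ext: [] for ext in exts}
    for dirpath, _, names in os.walk(root):
        for name in names:
            for ext in exts:
                if name.lower().endswith("." + ext):
                    rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                    encrypted[ext].append(rel)
    return {
        "notes": note_count,
        "extensions": {ext: sorted(paths) for ext, paths in encrypted.items()},
        "onion_urls": sorted(urls),
        "key_ids": sorted(keys),
    }


def build_sample_tree() -> str:
    """Create a constructed victim folder in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="sodinokibi-triage-")
    files = {
        f"{SAMPLE_EXT}-readme.txt": SAMPLE_NOTE.encode(),
        f"docs/{SAMPLE_EXT}-readme.txt": SAMPLE_NOTE.encode(),
        f"docs/report.docx.{SAMPLE_EXT}": b"\x00" * 32,   # stand-in for encrypted content
        f"docs/photo.jpg.{SAMPLE_EXT}": b"\x00" * 32,
        f"pics/holiday.png.{SAMPLE_EXT}": b"\x00" * 32,
        "todo.txt": b"untouched file\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(result)
```

Run it against a read-only mount of the affected volume rather than the live machine. Seeing two different extensions from one scan means two hosts (or two runs) wrote to that share, and each needs its own key from the operators.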
Sodinokibi Ransomware Portal
Each victim gets a unique page on the operators' Tor portal. It is reachable only through the Tor browser, using the .onion link and key found in the .txt ransom note on the victim computer.
This portal displays:
- Time remaining for victim to pay (before the ransom demand doubles)
- Ransom amount in cryptocurrency Monero (XMR) to receive unlocking decryptor
- Online chat portal to communicate with Sodinokibi operators
Below you will find an example of a Tor portal:
(Example Tor portal for Sodinokibi)
Additionally, the portal lets a victim upload a small encrypted file and have it decrypted for free. The operators do this to show that decryption works. It proves they hold the key for your infection, but not that the full decryptor will process every file cleanly, so keep the free-decrypted sample for comparison later.
Below is an example trial Sodinokibi decryption tool found on the ransomware portal:
How to stop Sodinokibi ransomware
You can stop Sodinokibi from spreading by isolating infected devices from the rest of the network: pull the network cable, disable the adapter, or block the host at the switch or firewall. Isolating at the network layer stops the ransomware from encrypting files on other devices while leaving the machine powered on, which matters for the evidence preservation steps later on this page.
Once devices are isolated, scan them with antivirus or EDR tooling to remove the malware and any backdoors left behind. Treat that as a starting point rather than a clean bill of health: also look for persistence (scheduled tasks, services, newly created accounts) and remote-access tools the operators installed, and reset the credentials they used, because the affiliate behind the deployment usually had interactive access to the network.
How much will Sodinokibi ransomware recovery cost?
The average Sodinokibi ransom was $180,763 in 2020, with demands ranging from $25,000 to $2,000,000.
There are several factors that may influence the total cost of recovering files encrypted by the Sodinokibi ransomware.
- Assessment fee
- Number of encrypted systems
- Selected priority of service
- Ransom demand amount
How much do Sodinokibi ransom demands cost?
Our data from Q4 2020 shows an average initial Sodinokibi ransom demand of $180,763.
Once you enter the Tor portal, a 7-day countdown starts; when it expires the ransom amount doubles.
Sodinokibi prefers payment in Monero and charges an additional 10% to victims who ask to pay in Bitcoin.
Monero is a privacy coin, which makes ransom payments harder for law enforcement to trace. The Sodinokibi operators have said they plan to stop accepting Bitcoin altogether.
The graph below shows the comparison between the average initial ransom demand of Sodinokibi ransomware and other common variants.
Proven Data is experienced in negotiating lower ransom demands with the Sodinokibi operators. Based on our internal data, it is likely that the operators set their demands according to the size and type of the victim's organization.
How to decrypt Sodinokibi ransomware
If your files have been locked by Sodinokibi, you will want to know which recovery options are available to get your data back.
Unlock Sodinokibi encrypted files
Sodinokibi encrypts each file with Salsa20 under a per-file key, and protects those keys with public-key cryptography: a Curve25519 key pair is generated for each victim, and its private half is encrypted under the operators' public key. There is no practical attack on these primitives, and at the time of writing there are no known implementation flaws in the malware that data-restoration efforts could exploit. Without the operators' private key, the file keys cannot be recovered.
This leaves victims of Sodinokibi with two routes: restore from backups that survived the attack (offline or immutable copies the wiper could not reach), or pay the ransom to obtain the decryption key and unlock their files.
As with many ransomware variants, we may be able to assist with restoring certain file types without paying the ransom. To find out more information, you can reach out to a Proven Data representative.
Sodinokibi Decrypter Instructions
The Sodinokibi decrypter is fairly easy to use compared to other ransomware decrypters. Here are the steps to run it:
1. Verify that the decrypter does not contain malicious code before it touches production systems (a ransomware recovery company can help with this). Hash the binary, scan it, and run it first on an isolated machine against copies of a few encrypted files.
2. Right-click the decrypter executable and run it as administrator.
3. Two windows open: a console window and a graphical user interface.
4. In the user interface you can tick the "create backup" option. With it enabled, the decrypter works on a copy of each file and deletes the temporary file only after the original has been restored.
We advise making an offline backup copy of the encrypted data before running the decrypter. Note that this needs free disk space, since each file briefly exists twice.
5. For the decryption scope you have three options:
- Decrypt all: decrypts every drive letter accessible from the system
- Decrypt folder: decrypts only a folder of your choosing
- Decrypt file: decrypts only a file of your choosing
6. After selecting an option, the number of decrypted files is shown in the "progress" box.
This decryption tool is only available to victims who pay the ransom to unlock their files.
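The "progress" counter only tells you how many files the decrypter touched, not whether each one came back intact, and the decrypter's own output is the only thing the operators give you. The following Python is an added example (not code from the original page or from Proven Data) of the verification pass a recovery engineer runs after the decrypter finishes: it walks the restored tree, flags files still carrying the ransomware extension (skipped by the decrypter), checks that files with common document and image extensions begin with the magic bytes their format requires (a failed decryption leaves random-looking bytes), and lists ransom notes left behind for cleanup. The folder contents are constructed for the example; the magic-byte table covers only a handful of formats and would be extended for a real estate.

```python
import os
import re
import tempfile
from typing import Dict, List

# Leading bytes that common formats must start with. A decrypted file that does
# not begin with its format's signature was not restored correctly.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".zip": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),   # Office Open XML files are ZIP containers
    ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
}
NOTE_NAME = re.compile(r"^[a-z0-9]{5,10}-readme\.txt$", re.I)


def verify_decryption(root: str, ransom_ext: str) -> Dict[str, List[str]]:
    """Classify every file under root after the decrypter has run."""
    report: Dict[str, List[str]] = {
        "ok": [], "header_mismatch": [], "leftover_encrypted": [], "ransom_notes": [], "unchecked": [],
    }
    suffix = "." + ransom_ext.lower()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower().endswith(suffix):
                report["leftover_encrypted"].append(rel)   # decrypter never touched it
                continue
            if NOTE_NAME.match(name):
                report["ransom_notes"].append(rel)
                continue
            signatures = MAGIC.get(os.path.splitext(name)[1].lower())
            if not signatures:
                report["unchecked"].append(rel)            # no signature known for this type
                continue
            with open(path, "rb") as f:
                head = f.read(16)
            bucket = "ok" if any(head.startswith(s) for s in signatures) else "header_mismatch"
            report[bucket].append(rel)
    for key in report:
        report[key].sort()
    return report


def build_sample_tree() -> str:
    """Constructed post-decryption folder for this example (contents are not real documents)."""
    root = tempfile.mkdtemp(prefix="sodinokibi-verify-")
    files = {
        "docs/report.pdf": b"%PDF-1.4\n%constructed sample\n",
        "pics/photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "docs/budget.xlsx": b"\x9c\x41\x7f\x00junk",     # came back as garbage: no ZIP header
        "pics/holiday.jpg.k3j8a": b"\x00" * 48,          # still encrypted: decrypter skipped it
        "k3j8a-readme.txt": b"ransom note\n",
        "notes.txt": b"plain text, no magic to check\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for bucket, paths in verify_decryption(build_sample_tree(), "k3j8a").items():
        print(f"{bucket:20s} {len(paths):4d}  {paths}")
```

Files in "header_mismatch" are the ones to re-run the decrypter on (or to compare against the sample the portal decrypted for free); files in "leftover_encrypted" are usually ones that were open or locked when the decrypter ran.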
How long does it take to recover from a Sodinokibi ransomware attack?
There are several factors which contribute to the time it takes to recover from a Sodinokibi attack. These include:
- Cleaning the environment from malware
- Securing vulnerabilities
- Negotiation time
- Compliance checks & making the ransom payment
- Decrypting the data
- Size of the network
- Number of files, file sizes & types
- Backing up and verifying the data
For a network with 1-3 servers and 10-15 workstations it takes approximately 1-3 business days to complete the full recovery process.
What attack vectors did Sodinokibi ransomware use?
Sodinokibi affiliates typically go after exposed services and known, published vulnerabilities rather than zero-days. The most common attack vectors seen with Sodinokibi ransomware are:
- Exposed Windows Remote Desktop Protocol (RDP) services, with access gained through brute-force or dictionary attacks against weak passwords
- The Oracle WebLogic deserialization vulnerability (CVE-2019-2725), which gives unauthenticated remote code execution on an internet-facing WebLogic server; no username or password is needed
- Spam or phishing campaigns carrying malicious attachments or links
- Malvertising campaigns that redirect victims to the RIG exploit kit
- Compromised managed service provider (MSP) networks, where the remote management software the MSP uses to administer its clients is turned into a distribution channel for the ransomware
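The RDP brute-force vector at the top of that list leaves a clear trace in the Windows Security log: a burst of failed logons (Event ID 4625) from one source address, often followed by a success (Event ID 4624) from the same address once a password lands. The following Python is an added example (not code from the original page or from Proven Data) of the sliding-window detection a SOC would run over those events: it alerts when one address produces at least a threshold number of failures inside a time window, and upgrades the alert when a successful logon from that address follows. The events are constructed for the example and the flat event record is an assumption; in practice the fields come from the 4624/4625 XML (IpAddress, LogonType, TargetUserName).

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List


@dataclass
class LogonEvent:
    ts: datetime
    event_id: int    # 4625 = failed logon, 4624 = successful logon
    logon_type: int  # 10 = RemoteInteractive (RDP); failures at the NLA stage show as type 3
    src_ip: str
    user: str


def build_sample_events() -> List[LogonEvent]:
    """Constructed Windows Security log events for this example, not data from a real case."""
    base = datetime(2020, 11, 3, 2, 0, 0)
    events = []
    # Twelve failed RDP logons from one external address, one every 20 seconds,
    # each trying a different username (classic dictionary attack).
    for i in range(12):
        events.append(LogonEvent(base + timedelta(seconds=20 * i), 4625, 10, "203.0.113.45", f"user{i}"))
    # ...then a successful RDP logon from the same address.
    events.append(LogonEvent(base + timedelta(seconds=250), 4624, 10, "203.0.113.45", "administrator"))
    # A few failures spread over hours from another address: a typo-prone user, not an attack.
    for h in (1, 2, 3):
        events.append(LogonEvent(base + timedelta(hours=h), 4625, 10, "198.51.100.7", "jsmith"))
    # An unrelated successful logon.
    events.append(LogonEvent(base + timedelta(minutes=30), 4624, 10, "10.0.0.5", "jsmith"))
    return events


def detect_rdp_bruteforce(events: List[LogonEvent], threshold: int = 10,
                          window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Alert on >= threshold RDP failures from one source within window;
    record whether a successful RDP logon from that source followed."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, Dict] = {}
    for e in sorted(events, key=lambda ev: ev.ts):     # tolerate out-of-order export
        if e.logon_type not in (10, 3):
            continue                                     # only remote/NLA logons matter here
        q = recent[e.src_ip]
        if e.event_id == 4625:
            q.append(e.ts)
            while q and e.ts - q[0] > window:            # drop failures that aged out
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(e.src_ip, {
                    "src_ip": e.src_ip, "first_failure": q[0], "success_after": None,
                })
                alert["failures"] = len(q)
                alert["last_failure"] = e.ts
        elif e.event_id == 4624 and e.src_ip in alerts and alerts[e.src_ip]["success_after"] is None:
            # Brute force followed by a success: treat as a confirmed compromise.
            alerts[e.src_ip]["success_after"] = {"ts": e.ts, "user": e.user}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(build_sample_events()):
        print(alert)
```

The threshold and window are tuning knobs: slow, patient password spraying (one attempt per account every few minutes) stays under a 10-in-5-minutes rule, so a second rule keyed on distinct usernames per source over a longer window is the usual companion. The fix for the vector itself is not detection at all: take RDP off the internet and put it behind a VPN with multi-factor authentication.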
Does Sodinokibi ransomware steal data?
The operators of Sodinokibi are known to extort victims further by threatening to leak stolen data. As part of the attack, data is often exfiltrated from the network before encryption starts.
This double-extortion tactic is challenging because even if the victim organization has data backups, they still risk the data being published to a public portal or the dark web. Victims may fear:
- Brand reputation damage
- Loss of intellectual property
- Data breach liability
Preserving evidence from Sodinokibi ransomware
To determine what the attackers took from your network you will need a forensic investigation, and the evidence must be preserved as soon as possible, before remediation overwrites it.
Here are the steps to preserve forensic evidence:
- Do not shut down or reboot affected computers or servers: volatile artifacts (running processes, network connections, the malware's unpacked code in memory) are lost on power-off. Isolate them at the network layer instead, and capture a memory image first if you have the tooling
- Create a forensically sound disk image of each affected system, hash it at creation, and keep the original media offline
- Export firewall, VPN, and remote-access software logs before they roll over, together with the Windows event logs from the affected hosts
- Document everything about the attack: the ransom note, the timeline, and who touched which system and when
Complete instructions on preserving ransomware evidence can be found as part of the ransomware forensics process.
Why choose Proven Data Sodinokibi ransomware recovery?
Businesses that suffer downtime from a ransomware attack need a proven, time-tested solution to resume operations. That’s why we provide 24/7 access to staff who have significant experience recovering from the Sodinokibi ransomware variant.
Our firm understanding of the Sodinokibi ransomware from our vast experience guides you to make informed decisions for your business. Understanding the attack vectors, threat actor profile, and negotiation expectations are essential to fully recover from the attack.
To meet compliance needs, we adopted a sanctions compliance program to ensure we are making ransom payments on behalf of our clients responsibly. At the service’s conclusion, we provide you with an incident and compliance report that can be used for insurance or law enforcement reporting purposes.
If you are looking for a transparent experience from a professional ransomware incident response company to help you move past your unfortunate Sodinokibi cyber incident, we are here to help.
Most frequent questions and answers
Is there a free decryption tool for Sodinokibi?
There are currently no publicly available Sodinokibi decryption tools to help victims unlock their files. If your files are encrypted by Sodinokibi, you may have to recover your data by:
- Recreating the data from scratch
- Restoring from backups
- Paying the ransom
Can Sodinokibi files be decrypted without paying the ransom?
No, at the time of writing it is not possible to decrypt Sodinokibi encrypted files without paying the ransom. However, some file types can be repaired; you may ask a Proven Data representative about those file types.
Does the Sodinokibi decrypter work?
Sodinokibi tends to have a high rate of successful data restoration after the ransom is paid and the decryption process is completed. Compared to other ransomware families, the decrypter tool is relatively straightforward to use and has no known bugs.
Will the attackers deliver a working decryptor after payment?
Paying the ransom in exchange for the decryption key does not guarantee that a functional key will be delivered. However, using the threat intelligence we have gathered from previous Sodinokibi cases, we can assess the threat actor's past reputation and the risk of data corruption to help you make an informed decision.
In 2020 our records indicate that Sodinokibi delivered the decryption tool after the first ransom payment, and no re-extortion attempts were made.
Does Sodinokibi steal data?
The Sodinokibi operators are known to exfiltrate sensitive data from victims' networks once they gain access. A digital forensics investigation can help you learn what may have been removed from your network during the incident.
The forensic report can be used to satisfy regulatory requirements for HIPAA or other regulated data you may store on your network.