Sodinokibi Ransomware: What It Is, How It Works And How To Decrypt It

Check out HelpRansomware’s latest guide on Sodinokibi ransomware: what it is, how it works, and how to decrypt the virus.

What is Sodinokibi ransomware?

Sodinokibi, also known as REvil, is a very powerful ransomware that attacks devices by encrypting users’ files.

Like all ransomware, it asks for a ransom in exchange for the data, around 0.5 bitcoins, about $ 4,000.

According to the IBM report, the hackers behind the Sodinokibi ransomware earned $ 123 million in 2020, stealing about 21.6 terabytes of data.

As reported by the US government agency CISA (Cybersecurity and Infrastructure Service Agency), one of the most prolific attacks hit the software company Kaseya this summer.

The company was asked $ 70 million in bitcoin for the decryption key and promised not to publish the stolen data.

Usually, not paying the ransom makes it impossible to recover the encrypted files: the data is permanently destroyed or blocked.

In general, it’s hard to notice that you’ve been hit by ransomware, and by the time you do, it’s already too late.

A symptom of the attack is the inability to open the files on your device.

On the other hand, these documents, photos, etc., have a different extension, for example, my.docx.locked.

Who is behind Sodinokibi ransomware?

Finding out who was behind the Sodinokibi ransomware was not easy, and this question still does not have a single answer.

More information on REvil is available from January 2020, when several cybersecurity and law enforcement specialists joined forces.

As INTERPOL Secretary General Jürgen Stock points out:

“Ransomware has become too large of a threat for any entity or sector to address alone; the magnitude of this challenge urgently demands united global action.”

A joint INTERPOL investigation with other investigative forces led to the arrest of many hackers responsible for Sodinokibi ransomware attacks.

The authors of the virus may be from Russia and connect with the creators of the GandCrab ransomware.

One of the first hacker groups, called Lalartu, confirmed the connection, responsible for various cybercrimes.

However, the main problem with Sodinokibi ransomware is that it uses Raas technology; it is continually developed with new derivative versions and different configurations.

For example, an attack was launched in July involving over 1,500 affiliates, affecting more than 1,000 companies simultaneously.

Investigations have shown that some hacker groups are even hiding within WordPress sites.

Alternatively, they can be reached through the XMPP gateway, an instant messaging service, which allows the use of a secure channel.

How does Sodinokibi ransomware work?

As mentioned before, Sodinokibi ransomware functions as a ransomware-as-a-service (Raas).

This way of spreading the malware involves the presence of two groups that collaborate in the hacking activities.

On the one hand, there are the ransomware code developers; on the other hand, the affiliates choose the targets to hit and are responsible for the spread of the virus and the ransom.

Here are some of the more common methods by which Sodinokibi ransomware is distributed:

• Brute force attacks;
• Phishing campaigns, through infected email attachments;
• Torrent websites;
• Malvertising.

Another widespread method involves exploiting server vulnerabilities, as was the case with Oracle WebLogic.

The virus can bypass the antivirus software and thus enter the device.

Once inside, the Sodinokibi ransomware downloads a .zip file with the ransom code; subsequently, it moves around the network to encrypt the files, to which it adds a random extension.

Thus appears the screen of a computer infected with REvil.

Instead of putting the instructions in the ransom note text, the criminals behind Sodinokibi direct users to two websites:

• A .onion site hosted on TOR free software;
• A website located in the public part of the web, registered with the “decryptor” domain.

Sodinokibi ransomware can also modify operating system settings to redirect Internet traffic to a hacker-controlled server.

By doing so, it will behave like spyware, allowing criminals to spy on the victim’s activities.

This behavior, coupled with data collection, makes Revil Sodinokibi a dangerous threat.

Can Sodinokibi ransomware steal data?

Yes, unlike Phobos ransomware, Sodinokibi ransomware can steal data.

One of the techniques used by hackers is to steal data from victims before encrypting devices; the stolen files will then be used for the benefit of the criminals to extort the ransom.

The virus enters the device and begins installing various Trojans to allow hackers to act remotely.

At the same time, ransomware searches for information and locks files with encryption.

Opening encrypted files is a complicated operation that requires specific skills in cybersecurity and decryption.

Contact HelpRansomware specialists to fix the problem quickly and safely.

How to decrypt Sodinokibi ransomware?

We have previously provided you with a guide with ransomware decryption tools.

In this case, however, you have to consider that manual removal could be a long and complicated process.

Bitdefender recently released a free downloadable universal decryption tool.

The aim is to help victims of Sodinokibi ransomware recover their encrypted files.

The decrypter was developed together with the police, and this confirms its effectiveness.

However, this tool only works with files encrypted before July 13, 2021.

To be sure to eliminate the root problem and recover the encrypted files, the best option is to contact specialists.

Contact HelpRansomware to receive a free first ransomware evaluation:

• Immediately terminate communication with the hacker and send the ransom note and an infected file to one of our experts;
• We locate and analyze the ransomware crisis.; based on this, we estimate the costs and times of the recovery process;
• The data decryption process begins with a 100% guaranteed service;
• Your files will be recovered and delivered quickly.

The company has been dedicated exclusively to IT security for over 28 years and is a world leader in this sector.

Having specialists by your side is essential with such aggressive ransomware.

The hackers behind Sodinokibi ransomware punish anyone who tries to remove the virus from their computer.

The seriousness of their threats can be seen in the fact that they have often published victims’ data online to warn others against any attempt to remove the malware.

For this reason, you must always consider that the best response to a ransomware attack is a proactive attitude.

Take steps to prevent ransomware attacks from protecting your computer and privacy.

Do I have to pay the ransom of Sodinokibi ransomware?

No, you never have to pay the ransom for Sodinokibi ransomware.

It is useless to turn around: you must never pay the ransom.

Report the attack to the IC3 (for the USA) and Action Fraud (from the UK); and immediately contact the HelpRansomware specialists to restore the encrypted files.

Paying the ransom should be the last option you think of because it’s just a way to encourage hackers to act aggressively.

Furthermore, the Sodinokibi ransomware has a particular mode of action called double extortion.

This method was introduced by the creators of the Maze ransomware; then, it was also exploited by other malware such as Sodinokibi, DoppelPaymer, and Nemty.

Double extortion forces the victim to pay the ransom even if they have a usable backup.

As we mentioned earlier, the data extracted from the first encryption is stolen and exposed on a public site or the Dark Web.

By doing so, the hackers push the victim to pay the ransom to avoid disclosing personal information.

This threat has a substantial impact on both individuals and companies.

Not surprisingly, the sector most affected by Sodinokibi ransomware is financial services, which store banking information of their users.

In second place are the manufacturing industries, targeted above all for patents.

Conclusions

These are the conclusions you can draw from our Sodinokibi ransomware article:

• Sodinokibi, also known as REvil, is very powerful ransomware that attacks devices by encrypting files;
• The hackers behind Sodinokibi earned $ 123 million in 2020;
• Sodinokibi ransomware functions as a ransomware-as-a-service (Raas);
• Sodinokibi can steal the victim’s data and spread it on the web to extort the ransom.

Remember that no matter how dangerous the threat may be, you must never pay the ransom.

Contact HelpRansomware to recover the encrypted files: the service is 100% guaranteed.