Sodinokibi Ransomware

Sodinokibi Ransomware Description

Sodinokibi Ransomware ScreenshotSodinokibi Ransomware is a new malware threat that is gaining traction in the cybercriminal circles. Although Sodinokibi operates in the typical ransomware fashion - it infiltrates the victim's computer, uses strong encryption algorithm to encrypt the files, and demands a payment for their restoration, analyzing its underlying code reveals that it is an entirely new malware strain and not an updated variant of an already existing ransomware.

Zero-day Exploit Facilitates First Sodinokibi Attack

Sodinokibi was first detected on April 25 when it was used in an attack that exploited a zero-day Oracle WebLogic Server vulnerability. . The severity of the zero-day exploit couldn’t be understated as it allowed the remote execution of code without any of the otherwise required authentication credentials. Oracle issued a patch on April 26, outside of their regular patch cycle, to fix it and to assign the vulnerability as CVE-2019-2725.

Through the exploit the attackers were able to download the Sodinokibi payload to the endpoint machines without the need of any user input. Usually ransomware threats require at least some interaction from victims before the infection can begin. Once inside, Sodinokibi starts encrypting all files with the following extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr , .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby , .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, , .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

For each infected system Sodinokibi generates a distinct alphanumeric string that can be between 5 and 9 characters long and appends it as a new extension to every successfully encrypted file. The ransomware then creates a text or HTA file with the ransom note in every folder containing encrypted files. The name of the ransom note follows the pattern - [RANDOM EXTENSION]-HOW-TO-DECRYPT.txt. For example, if Sodinokibi has generated a5b892t as an extension for the particular machine, the ransom note will be named a5b892t-HOW-TO-DECRYPT.txt.

Sodinokibi ransomware has the functionality to utilize "cmd.exe" to execute the vssadmin utility to prevent the users from restoring the encrypted files through the default Windows backup mechanics. More specifically, the ransomware executes the following commands to delete the Shadow Volume Copies of the affected files and to disable the Windows startup repair:

C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

Sodinokibi Demands A Hefty Sum For Decryption

Instead of putting their instructions and demands in the body of the ransom note, the criminals behind Sodinokibi direct all affected users towards two websites - a .onion site hosted on the TOR network and one on the public part of the Internet at the domain "decryptor[.]top." The full text of the note is:

"--=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ----------.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: hxxps://
b) Open our website: hxxp://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/913AED0B5FE1497D

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website:

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:


Extension name:



!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!"

In order to access either of the sites listed in the note, users have to input a specific key that can be found in the text file of the ransom note. Once the code has been entered, they will be taken to the following landing page that will display the specific extension ID code for they computer system and a countdown timer showing that in two days the ransom sum will double in size - from $2500 to $5000, payable in the Bitcoin cryptocurrency. The website recalculates the Bitcoin/USD rate every 3 hours and updates the shown numbers.

Sodinokibi Ransomware screen shot

Sodinokibi Ransomware Expands Its Reach

Following the patch that shut down the Oracle WebLogic zero-day, researchers observed an increase in the attack vectors employed to distribute the Sodinokibi ransomware. In fact, nearly all of the possible distribution methods have now been attempted:

Spam Email Campaigns - German users were targeted by a malicious spam campaign that carried the Sodinokibi payload in compromised email attachments posing as urgent foreclosure notifications. Another email campaign pretended to be a "New Booking" from In order to access the supposed booking information, users have to open a word file and then allow the execution of macros. Doing so will initiate the Sodinokibi ransomware infection.

Replacing legitimate software downloads - According to TG Soft, an Italian WinRar distributor got its site compromised, resulting in the download of Sodinokibi ransomware instead of the WinRar program.

Hacked Managed Service Providers (MSPs) - Several Managed Service Providers were hacked to distributed Sodinokibi ransomware to their clients. Apparently the attackers used Remote Desktop Services to enter the networks of the affected MSPs and then pushed the ransomware files through the management consoles to the endpoint machines of the clients.

Exploit Kits - Malvertising campaign through ads on the PopCash ad network appears to be redirecting users to websites carrying the RIG Exploit Kit under certain conditions.

It is more than apparent that the Sodinokibi affiliates are getting more ambitious and may now be trying to fill the vacuum that was created as a result of the GandCrab Ransomware operators shutting down their operations and claiming to have generated over $2 billion in ransom payments.

No matter if Sodinokibi will manage to take the spot of the top current ransomware, there are certain steps that could help all users build a strong defense against such ransomware attacks. One of the most reliable methods is to create a system backup that is stored on a drive not connected to the network. By having access to such a backup, users can simply restore the files that have been taken hostage by the malware with minimal loss of data. In addition, using a legitimate anti-malware program and keeping it up-to-date could mean that some ransomware threats are stopped even before they have had the chance to execute their malicious coding.

Do You Suspect Your PC May Be Infected with Sodinokibi Ransomware & Other Threats? Scan Your PC with SpyHunter

SpyHunter is a powerful malware remediation and protection tool designed to help provide PC users with in-depth system security analysis, detection and removal of a wide range of threats like Sodinokibi Ransomware as well as a one-on-one tech support service. Download SpyHunter's FREE Malware Remover
Note: SpyHunter's scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware removal tool to remove the malware threats. Read more on SpyHunter. Free Remover allows you to run a one-off scan and receive, subject to a 48-hour waiting period, one remediation and removal. Free Remover subject to promotional details and Special Promotion Terms. To understand our policies, please also review our EULA, Privacy Policy and Threat Assessment Criteria. If you no longer wish to have SpyHunter installed on your computer, follow these steps to uninstall SpyHunter.

Security Doesn't Let You Download SpyHunter or Access the Internet?

Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
  • Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you can not access your Window's desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
  • IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.
If you still can't install SpyHunter? View other possible causes of installation issues.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.