Sodinokibi Ransomware

Sodinokibi Ransomware Description

Sodinokibi Ransomware ScreenshotSodinokibi Ransomware is a new malware threat that is gaining traction in the cybercriminal circles. Although Sodinokibi operates in the typical ransomware fashion - it infiltrates the victim's computer, uses a strong encryption algorithm to encrypt the files, and demands a payment for their restoration, analyzing its underlying code reveals that it is an entirely new malware strain and not an updated variant of an already existing ransomware.

Zero-Day Exploit Facilitates First Sodinokibi Attack

Sodinokibi was first detected on April 25 when it was used in an attack that exploited a zero-day Oracle WebLogic Server vulnerability. The severity of the zero-day exploit couldn’t be understated as it allowed the remote execution of code without any of the otherwise required authentication credentials. Oracle issued a patch on April 26, outside of their regular patch cycle, to fix it and to assign the vulnerability as CVE-2019-2725.

Through the exploit the attackers were able to download the Sodinokibi payload to the endpoint machines without the need of any user input. Usually ransomware threats require at least some interaction from victims before the infection can begin. Once inside, Sodinokibi starts encrypting all files with the following extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr , .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby , .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, , .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

For each infected system, Sodinokibi generates a distinct alphanumeric string that can be between 5 and 9 characters long and appends it as a new extension to every successfully encrypted file. The ransomware then creates a text or HTA file with the ransom note in every folder containing encrypted files. The name of the ransom note follows the pattern - [RANDOM EXTENSION]-HOW-TO-DECRYPT.txt. For example, if Sodinokibi has generated a5b892t as an extension for the particular machine, the ransom note will be named a5b892t-HOW-TO-DECRYPT.txt.

Sodinokibi ransomware has the functionality to utilize "cmd.exe" to execute the vssadmin utility to prevent the users from restoring the encrypted files through the default Windows backup mechanics. More specifically, the ransomware executes the following commands to delete the Shadow Volume Copies of the affected files and to disable the Windows startup repair:

C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

Sodinokibi Demands A Hefty Sum For Decryption

Instead of putting their instructions and demands in the body of the ransom note, the criminals behind Sodinokibi direct all affected users towards two websites - a .onion site hosted on the TOR network and one on the public part of the Internet at the domain "decryptor[.]top." The full text of the note is:

"--=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ----------.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: hxxps://torproject.org/
b) Open our website: hxxp://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/913AED0B5FE1497D

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/913AED0B5FE1497D

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

-

Extension name:

-----------

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!"

In order to access either of the sites listed in the note, users have to input a specific key that can be found in the text file of the ransom note. Once the code has been entered, they will be taken to the following landing page that will display the specific extension ID code for the computer system and a countdown timer showing that in two days the ransom sum will double in size - from $2500 to $5000, payable in the Bitcoin cryptocurrency. The website recalculates the Bitcoin/USD rate every 3 hours and updates the shown numbers.

Sodinokibi Ransomware screen shot

Sodinokibi Ransomware Expands Its Reach

Following the patch that shut down the Oracle WebLogic zero-day, researchers observed an increase in the attack vectors employed to distribute the Sodinokibi ransomware. In fact, nearly all of the possible distribution methods have now been attempted:

Spam Email Campaigns - German users were targeted by a malicious spam campaign that carried the Sodinokibi payload in compromised email attachments posing as urgent foreclosure notifications. Another email campaign pretended to be a "New Booking" from Booking.com. In order to access the supposed booking information, users have to open a word file and then allow the execution of macros. Doing so will initiate the Sodinokibi ransomware infection.

Replacing legitimate software downloads - According to TG Soft, an Italian WinRar distributor got its site compromised, resulting in the download of Sodinokibi ransomware instead of the WinRar program.

Hacked Managed Service Providers (MSPs) - Several Managed Service Providers were hacked to distributed Sodinokibi ransomware to their clients. Apparently the attackers used Remote Desktop Services to enter the networks of the affected MSPs and then pushed the ransomware files through the management consoles to the endpoint machines of the clients.

Exploit Kits - Malvertising campaign through ads on the PopCash ad network appears to be redirecting users to websites carrying the RIG Exploit Kit under certain conditions.

It is more than apparent that the Sodinokibi affiliates are getting more ambitious and may now be trying to fill the vacuum that was created as a result of the GandCrab Ransomware operators shutting down their operations and claiming to have generated over $2 billion in ransom payments.

Update January 17th, 2020 - Sodinokibi Starts To Play Rough

The threat actors behind the Sodinokibi ransomware ended 2019 on a high note, hitting Travelex, a foreign exchange company based in the UK, and operating in more than 70 countries worldwide. Travelex’s websites in around 30 countries had to be taken down on New Year’s Eve, for what appeared to be ‘’planned maintenance’’, but turned out to be a countermeasure to stop the Sodinokibi ransomware from spreading. The attack also affected Travelex’s partners, such as HSBC, Barclays, Sainsbury’s Bank, Virgin Money, Asda Money, and First Direct.

Due to the scale of the attack and the nature of Travelex’s business, it was no wonder that the hackers demanded a ransom payment that jumped from $3 million to $6 million in a matter of a few days. The threat actors also decided to show everyone that they mean business by threatening to release stolen sensitive information. Travelex, on the other hand, denied that any info was exfiltrated. A few days later, however, a user on a Russian hacking forum, going by the name Unknown, reiterated the cyber crook’s threats against Travelex and Chinese company CDH Investments. This was done by the publishing of 337MB of data that was allegedly stolen from Artech Information Systems.

This amount of stolen data pales in comparison to the 5GB that were allegedly exfiltrated from Travelex systems. The hackers have vowed that Travelex would pay, one way, or another. Meanwhile, Travelex has stated that the company is cooperating with Metropolitan Police and the National Cyber Security Centre(NCSC) in resolving the case. Travelex has also gone into emergency brand management, promising transparency, and the release of a recovery roadmap.

Sodinokibi doesn’t seem to be showing any signs of slowing down either, hitting a New Jersey Synagogue on January 9th, 2020, and demanding a ransom of $500 thousand under the threat that the threat actors will release sensitive data about the congregants.

No matter if Sodinokibi will manage to take the spot of the top current ransomware, there are certain steps that could help all users build a strong defense against such ransomware attacks. One of the most reliable methods is to create a system backup that is stored on a drive not connected to the network. By having access to such a backup, users can simply restore the files that have been taken hostage by the malware with minimal loss of data. In addition, using a legitimate anti-malware program and keeping it up-to-date could mean that some ransomware threats are stopped even before they have had the chance to execute their malicious coding.

Do You Suspect Your PC May Be Infected with Sodinokibi Ransomware & Other Threats? Scan Your PC with SpyHunter

SpyHunter is a powerful malware remediation and protection tool designed to help provide PC users with in-depth system security analysis, detection and removal of a wide range of threats like Sodinokibi Ransomware as well as a one-on-one tech support service. Download SpyHunter's FREE Malware Remover
Note: SpyHunter's scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware removal tool to remove the malware threats. Read more on SpyHunter. Free Remover allows you to run a one-off scan and receive, subject to a 48-hour waiting period, one remediation and removal. Free Remover subject to promotional details and Special Promotion Terms. To understand our policies, please also review our EULA, Privacy Policy and Threat Assessment Criteria. If you no longer wish to have SpyHunter installed on your computer, follow these steps to uninstall SpyHunter.

Technical Information

File System Details

Sodinokibi Ransomware creates the following file(s):
# File Name Size MD5 Detection Count
1 C:\Users\SSW08\Desktop\celfa_.exe 890,880 9dbb65b1a435a2b3fb6a6e1e08efb2d0 11

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their PC with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your PC. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.