Remove and decrypt Sodinokibi ransomware

Sodinokibi ransomware: Tor website with ransom steps

What is Sodinokibi?

The ostensible chilling of the global ransomware climate is illusory, and the overall anticipation of the epidemic’s end turned out to be premature. Whereas mainstream crypto viruses actually saw a dramatic decline over the past two years or so, a more serious adversary emerged that is spreading mayhem in a somewhat different way. Instead of firing shots in the dark in an attempt to cover maximum victim audiences, well-motivated and sophisticated groups of cyber extortionists started zeroing in on big prey via targeted raids. Large businesses, healthcare institutions, and local governments are at risk now in 2019 more than ever before. The ransomware dubbed Sodinokibi, also known as Sodin or REvil, exemplifies this evolutionary transition in the nasty e-crime model.

Desktop alert displayed by Sodinokibi ransomware

For a start, here is a quick summary of this threat. Its distributors focus on hitting Windows-based computer networks, with individual users being occasional victims as well. When inside an enterprise environment, Sodinokibi easily evades detection while obtaining privileges high enough to spread laterally within it. Having encrypted the most valuable data, the ransomware appends a unique alphanumeric extension to every file. It also replaces the desktop wallpaper with an alert saying that all the information has been encrypted and providing a reference to a ransom note named according to the following pattern: [random]-readme.txt or [random]-HOW-TO-DECRYPT.txt, where the prefix matches the extension assigned to the hostage files.

The attackers’ recovery manual instructs the user to visit a personal Tor page or, if it’s inaccessible in their country, to go to a “secondary website” using a regular web browser. The payment page instructs the victim to send $1,500-$2,500 worth of Bitcoin cryptocurrency to the criminals’ BTC wallet. After a deadline of up to seven days expires, the amount doubles. It’s worth emphasizing that the size of the ransom per large organization can be several times higher than that.

Sodinokibi TXT ransom note contents

Judging by the basic symptoms and tactics alone, it may appear that Sodinokibi is a run-of-the-mill ransomware with nothing special under the hood. This is a misconception. In fact, the strain features a number of characteristics that make it really stand out. One of these offbeat traits manifests itself in the contamination chain. In April 2019, when this infection was discovered, the only spreading mechanism boiled down to exploiting a security loophole in Oracle WebLogic Server software. Although it was an effective and sneaky method of trespass, the range of potential victims was limited. As time went by, the crooks in charge of Sodinokibi enhanced their propagation logic with more techniques, including exploit kits, RDP compromise, phishing, and malspam (malicious spam).

The more “exotic” tricks involve breaches of well-known MSPs (managed service providers), as was the case with an attack against Kaseya RMM last June. Yet another vector, referred to as SWC (strategic web compromise), relies on hacking popular software vendors’ websites and replacing the original app installers with booby-trapped copies that end up dropping the ransomware payload onto users’ computers. As if this multitude of entry points weren’t enough, the malefactors have also been duping people into downloading the harmful code by redirecting them to malicious sites from compromised Internet forums.

Sodinokibi operators instruct victims to visit a Tor payment page for ransom steps

Sodinokibi ransomware is being distributed by numerous different groups of perpetrators. This approach is known as RaaS, which stands for Ransomware-as-a-Service. It bears a close resemblance to a legitimate affiliate network, except that the underlying activities are shady to the bone. The authors of the deleterious program get a 30-40% share of all ransoms paid by victims, and the remaining amount is earned by the threat actors who deposited the infection onto machines. As per analysts’ reports, many of the affiliates spreading Sodinokibi used to be part of the RaaS network propping up the advances of GandCrab, a now-extinct ransomware family that had dominated the ecosystem before the lineage under scrutiny surfaced. Moreover, there are evident similarities in the code of these two infections, which means they may have been crafted by the same developers.

At the time of writing, Sodinokibi is one of the world’s top ransomware threats in terms of technical complexity, AV evasion efficiency, victims made, and the total amount of ransoms collected from them. Here’s just one episode of this rampant campaign: in mid-August 2019, the black hats plagued 22 local governments in Texas by means of compromising a managed service provider responsible for IT tech support in the affected towns. The attackers’ demands were as high as $2.5 million. Pair that with an ever-increasing number of Sodinokibi victims, and the big picture gets scary. In case this ransomware has impacted a computer or enterprise network, the predictions regarding successful free recovery of the data aren’t very optimistic. However, a few forensic techniques should definitely be applied to see what information, if any, can be reinstated without submitting a fortune to the attackers.

Sodinokibi ransomware removal

As counterintuitive as it may seem, removal of this particular threat is not too complicated, unlike the cleanup scenarios for screen lockers, which represent another group of ransomware infections on the loose. The main challenge with Sodinokibi/REvil ransomware is getting personal files back without having to do what the extortionists want. Basically, this means you can get rid of the malady using efficient security software without much of a hindrance, but options for recovering the encrypted data are a matter of a separate discussion, which we will touch upon in this guide as well.

Let’s now outline a rather easy and perfectly effective way of ransomware removal from a contaminated computer. Please follow the directions below step by step:

  1. Download and install HitmanPro.Alert (supported systems: Windows XP, Vista, 7, 8, 8.1, 10)
  2. Open the program, click on the Scan computer button and wait for the scan to be completed
  3. When HitmanPro.Alert comes up with the scan report, make sure the Delete option is selected next to the ransomware entry and other threats on the list, and get the infections eliminated by clicking on the Next button

Now you’ve got both some good and bad news. On the one hand, Sodinokibi ransomware is gone from your computer and won’t do any further damage. On the other, your files are still encrypted, since elimination of the malware proper does not undo its previous misdemeanors. In the next section of this guide we will highlight methods that may help you restore your data.

Recover encrypted files using Shadow Copies

As previously mentioned, despite successful removal of the Sodinokibi virus, the compromised files remain encrypted. While it does not appear possible to obtain the key for decryption in this case even with brute-forcing, you can try to restore previous versions of these files either using the native Windows functionality or the application called Shadow Explorer. Please note that this method is only applicable in case you have System Restore enabled on your PC, and the versions of the files that you can recover this way may not be the most recent. It’s definitely worth a try, though.

Getting your files back using Previous Versions functionality

Windows provides a feature where you can right-click on an arbitrary file, select Properties and choose the tab called Previous Versions. Having done that for a particular file, you will view all versions of it that were previously backed up and stored by the so-called Volume Shadow Copy Service (VSS). The tab also provides the history of these backups by date.

In order to restore the needed version of the file, click on the Copy button and then select the location to which this file is to be restored. In case you would like to replace the existing file with its restored version, click the Restore button instead. Conveniently enough, you can have whole folders restored the same way.

Restoring encrypted data with Shadow Explorer utility

Besides the built-in Windows functionality highlighted above, you can use an application that will restore previous versions of entire folders for you. It’s called ShadowExplorer. Once you download and launch this program, it will display all of your drives as well as a list of dates when Shadow Copies were generated. Simply pick the desired drive and date for restoration, as shown on the following screenshot:

Right-click on the directory you wish to restore and choose Export in the context menu. This will be followed by a request to indicate where you would like to restore the information to.

Use automatic Recuva recovery software

It might sound surprising, but Sodinokibi ransomware does not encrypt one’s actual files. It deletes them. What does get encrypted is the copies. This brings us to the point where a specific type of software can be used for dragging the original data out of memory, where it ended up after the erasure. Efficient recovery tools can work wonders in these ransomware scenarios.

Download and install Recuva by Piriform to give this restoration vector a shot. By running a computer scan with Recuva, you will get a list of all recoverable files and be able to reinstate them to their original location or another place of choice.

Bottom line

The Sodinokibi crypto virus poses a critical risk to end users’ and organizations’ proprietary data, therefore security efforts should focus on prevention. In this context, some basic precautions can do the trick: train your personnel to refrain from opening email attachments from unknown senders, apply OS and software patches as soon as they are released, and schedule regular antivirus software updates. Before deciding to collaborate with MSPs (managed service providers), businesses should ask for evidence of proper security practices to make sure the partnering entity doesn’t become a loophole into the enterprise network. Most importantly, performing data backups is the most reliable way to avoid the adverse aftermath of this attack.


What is Sodinokibi?

Sodinokibi, aka REvil or Sodin, is the name coined by analysts for a ransomware program mostly focusing on targeted attacks against businesses, healthcare facilities, and local governments. Discovered in mid-April 2019, it has evolved from a lineage propagating via a single vulnerability in server software to one of the world’s nastiest ransom Trojans distributed in multiple highly sophisticated ways.

Sodinokibi is backed by a massive RaaS (Ransomware-as-a-Service) network that has pulled in an army of “affiliates” boasting outstanding attack skills and leveraging reconnaissance techniques to steal and exfiltrate valuable data from breached environments. In addition to catalogued server weaknesses, the intrusion mechanisms used by these different promoter groups span exploit kits, phishing, malspam, and RDP hacks. The crooks have also gained notoriety for applying privilege escalation maneuvers giving them extensive capabilities to control a compromised network.

As a byproduct of unauthorized data encryption, Sodinokibi ransomware appends a random, victim-specific alphanumeric extension to each scrambled file so that it looks something like this: Test.xlsx.t8rw1h170n. In this theoretic incursion, the ransom note is going to be named t8rw1h170n-HOW-TO-DECRYPT.txt or t8rw1h170n-readme.txt. It coerces the victim to visit a personal Tor page listing the size of the ransom (usually $2,500 per system and doubling after a week of nonpayment) along with the Bitcoin wallet to send it to.
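The naming pattern described above (and in the summary earlier on this page) is itself a usable detection signal: a ransom note whose prefix equals the extension appended to neighbouring files. The following Python is an added example, not code from the original article or from any vendor tool; the directory listing is constructed, and the 5-10 character length assumed for the random extension is a sample assumption, not a documented constant.

```python
import re
from collections import defaultdict

# Constructed sample listing (not a real capture) of a share after the kind of
# encryption run described above: victim-specific extension plus ransom notes.
SAMPLE_LISTING = [
    r"D:\Finance\Test.xlsx.t8rw1h170n",
    r"D:\Finance\Q3-report.docx.t8rw1h170n",
    r"D:\Finance\t8rw1h170n-readme.txt",
    r"D:\Finance\t8rw1h170n-HOW-TO-DECRYPT.txt",
    r"D:\Finance\budget.xlsx",
    r"D:\HR\notes-readme.txt",  # benign: its prefix matches no appended extension
]

# Note pattern from the article: <random>-readme.txt or <random>-HOW-TO-DECRYPT.txt.
# The {5,10} length bound is an assumption made for this sample only.
NOTE_RE = re.compile(r"^([a-z0-9]{5,10})-(?:readme|how-to-decrypt)\.txt$", re.IGNORECASE)


def _basename(path):
    # Accept both Windows and POSIX separators so exported listings of either kind work.
    return re.split(r"[\\/]", path)[-1]


def find_sodinokibi_indicators(paths):
    """Correlate ransom-note prefixes with extensions appended to other files.

    Returns {extension: {"notes": [...], "encrypted": [...]}} only for prefixes
    that also occur as the trailing extension of at least one other file, so a
    lone file that merely looks like a note (notes-readme.txt) is not reported.
    """
    notes = defaultdict(list)      # candidate extension -> ransom note paths
    by_suffix = defaultdict(list)  # trailing extension -> file paths carrying it
    for path in paths:
        name = _basename(path)
        m = NOTE_RE.match(name)
        if m:
            notes[m.group(1).lower()].append(path)
            continue
        parts = name.split(".")
        # An encrypted file looks like name.origext.appended: at least three parts.
        if len(parts) >= 3:
            by_suffix[parts[-1].lower()].append(path)
    return {
        ext: {"notes": notes[ext], "encrypted": by_suffix[ext]}
        for ext in notes
        if ext in by_suffix
    }


if __name__ == "__main__":
    for ext, hit in find_sodinokibi_indicators(SAMPLE_LISTING).items():
        print(f"extension .{ext}: {len(hit['encrypted'])} encrypted file(s), "
              f"{len(hit['notes'])} ransom note(s)")
```

Feed it a recursive listing of a share or endpoint (for example the output of `dir /s /b` saved to a file) to locate which hosts and directories carry notes and which extension was assigned to them.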

This ransomware reportedly shares code similarities with GandCrab, a widespread strain whose complete evanescence from the extortion landscape almost co-occurred with the discovery of Sodinokibi. Furthermore, the same affiliate groups are known to be involved in the distribution waves. These facts prove close ties between the two ransom Trojan families. As of October 2019, Sodinokibi has a host of high-profile victims, with overall earnings of its operators being in the millions of dollars.

Can you remove ransomware?

Ransomware is a rare case in the general malware paradigm where removal of the perpetrating program tends to be a trifle. The reason stems from the very essence of this cybercrime phenomenon. The operators of these campaigns don’t need their infections to stay inside the breached systems any longer than it takes to perform full encryption of the victims’ important data and drop ransom notes. Once the crypto shenanigans have been implemented, the presence of ransomware on a host is redundant. This explains why some strains are programmed to terminate themselves as soon as files are locked down.

With that said, those infected shouldn’t experience any significant stumbling blocks in removing the ransomware code itself. Most AV tools with a solid reputation will cope with the task, not to mention the solutions with dedicated anti-ransomware modules on board. Sodinokibi is hardly different from the rest in this context and can be eliminated using effective security suites.

Things get a bit more complex in case the attackers already have elevated privileges in the compromised computer network – in fact, this is a common aftermath of an RDP hack scenario. This predicament requires some extra tidying up of the IT environment and closing of the existing security holes. Furthermore, if the Sodinokibi payload was originally accompanied by data harvesting and exfiltration viruses, these need to be additionally detected and removed.

Will reinstalling Windows remove ransomware?

Most of the time, it will. Normally, reinstalling Windows presupposes that you format drive C, or whatever the name of the operating system allocated partition is. This is where most ransom Trojans stack their components, including the payload and executables (binaries) that manage the entirety of malicious processes.

Trial and error is probably a reasonable tactic when it comes to remedying a ransomware-stricken machine or network. It’s best to start with the least impactful cleaning technique. Run a scan with an effective antimalware program and see if it detects the culprit. If it does, have it remove the ransomware and see how things go. If all is well, this might be a sufficient amount of repair effort. Otherwise, a more thoroughgoing level of troubleshooting makes sense, and that’s where reinstalling Windows gets on your to-do list. Don’t forget to back up all important files, including scrambled ones, before you proceed. In case the threat perseveres even with a fresh Windows installation, see the previous answer to learn your remaining options.

Will reformatting get rid of ransomware?

Yes, reformatting your hard drive is a measure no known ransomware (including Sodinokibi) can survive. In fact, formatting the disk partition where your OS is installed should be enough in most cases, given that most ransom Trojans are dropped onto and executed from the system drive.

On a side note, some computer viruses are more stubborn and evasive than that, affecting the boot sector of a host machine and overcoming a commonplace reformat. There haven’t been any reports about such persistent samples of ransomware, but this is theoretically possible. An extra measure recommended by some analysts in this situation is to run the ‘fdisk /mbr’ command after wiping the hard drive so that the machine’s master boot record is fully rewritten and recreated. Be advised that it takes a great deal of technical skill to go that route.

It is recommended to try regular cleanup methods first, though. System Restore is a good choice. If the ransomware keeps re-infecting the system, then a decision to reformat your drive might be the right train of thought. Most importantly, be sure to back up all the data, including the encrypted files, to cloud storage or blank non-infected media (another hard disk, USB, etc.) in advance.

Does antivirus stop ransomware?

Relying on antivirus alone to prevent ransomware infections is not recommended. Even top-notch security solutions featuring real-time protection, hourly virus definition updates, heuristic analysis, and AI modules might miss an attack orchestrated by a competent, well-motivated adversary.

To their credit, industry-leading AV suites will automatically catch mainstream, catalogued ransomware threats and stop these onslaughts in their tracks while notifying the user. However, this layer of defense may not be enough to thwart menaces like Sodinokibi. The crooks behind these sophisticated infections are known to think outside the box, coming up with new attack mechanisms all the time. RDP compromise can easily fly below the radar of some antiviruses, and so can breaches based on exploit kits as well as spam carrying malicious attachments cloaked by multiple levels of payload obfuscation.

Overall, security software is an important element of the contemporary anti-ransomware logic, but it should work alongside additional prevention and risk mitigation techniques such as network compartmentalization and flawless data backup practices. Staff security awareness training for organizations and constant work on refining the online hygiene for home users – these are also among the critical prerequisites of avoiding ransomware these days.
