Sodinokibi Ransomware


Graphic for Tetra Defense Ransomware 101: Sodinokibi

What is Sodinokibi Ransomware?

First reported in April 2019, Sodinokibi is malware that maliciously targets enterprise organizations, and more specifically, Managed Service Providers (MSPs). Sodinokibi, also known as Sodin and REvil, is part of a new wave of highly sophisticated ransomware designed to cause sizeable damage to IT infrastructure, forcing victims to settle the ransom quickly.

The first iterations of Sodinokibi were designed to exploit an Oracle WebLogic vulnerability. WebLogic is a very popular Java-based application middleware that is extensively used by organizations as an application and web server platform. Any internet-facing, unpatched Oracle WebLogic servers running versions and were exploitable. Even more concerning, the remote code could be executed without any level of authentication.

Oracle and Microsoft had patched the exploit in September 2018 (KB4457138), but running maintenance on production middleware servers is notoriously tricky, leaving numerous servers vulnerable to exploitation over a network without the need for a username or password. Early outbreaks targeted organizations in Asia, although more recently, Sodinokibi has spread to European Union member states and the United States.

The primary targets of Sodinokibi are Managed Service Providers (MSPs). Once an MSP is breached, the threat actor's intention is to push the ransomware out to all of the MSP's customers using the MSP's own legitimate administration tools. High-profile victims include the ConnectWise/Kaseya MSP, Webroot Cloud Management consoles, and Go2Assist.

How Does Sodinokibi Ransomware Work?

The first versions of Sodinokibi were distributed through a mass phishing campaign targeted at enterprise organizations. If the link within the phishing email was activated, an initial payload was downloaded to the victim’s computer. The payload was very sophisticated and could bypass antivirus detection. In research published by Cybereason, only 1 out of 59 antivirus products successfully detected the initial payload.

The ability to bypass antivirus tools and to leverage MSP administration tools makes Sodinokibi an extremely dangerous form of ransomware. In most circumstances, Sodinokibi was able to bypass antivirus tools, the first line of defense of enterprise infrastructure, and use the provider’s tools to exploit all downstream customers. Later versions of Sodinokibi were also able to exploit Remote Desktop Services to access domain controllers and custom control panels to push the ransomware out in bulk to endpoint computers belonging to customers of affected MSPs.

After the initial payload is downloaded, Sodinokibi ransomware harvests user credentials. The payload then decrypts itself using an RC4 cipher and scans for Windows patch KB4457138. If the Windows patch is not present, the exploit continues. Several applications are then terminated, such as SQL Server and the VSS (Volume Shadow Copy) service, to increase the impact of the attack by allowing encryption of database files and preventing a Windows system restore rollback.

Next, a complex encryption process follows using multiple keys, which are, in turn, encrypted and embedded into the malware. All files on the server are scanned, including local and shared disks. Sodinokibi ignores system files, and only user files are targeted for the encryption.
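The pre-encryption steps above (stopping SQL Server, removing VSS shadow copies) are the point at which a defender can still catch the infection before files are touched. The following detection logic is an added example, not Tetra Defense code; it assumes process-creation telemetry rendered as simplified JSON lines (host, time, image, cmdline, as Sysmon Event ID 1 would provide) and flags any host that shows both behaviours within a short window. The sample events are constructed.

```python
"""Flag hosts showing both Sodinokibi precursor behaviours named in the write-up:
a SQL Server service stop and a VSS shadow-copy deletion on the same host
within WINDOW of each other. Example code, not Tetra Defense's; the JSON
event shape is an assumption (simplified Sysmon Event ID 1)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shadow-copy removal via vssadmin or wmic (case-insensitive).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
# Stopping a SQL Server service with net.exe or sc.exe.
SQL_STOP = re.compile(
    r"\b(net|sc)(\.exe)?\s+stop\s+\"?(MSSQL\$?\w*|SQLSERVERAGENT)", re.I)
WINDOW = timedelta(minutes=10)


def classify(event):
    """Return the precursor tag for one event, or None if benign."""
    cmd = event.get("cmdline", "")
    if SHADOW_DELETE.search(cmd):
        return "shadow_delete"
    if SQL_STOP.search(cmd):
        return "sql_stop"
    return None


def find_precursor_hosts(lines):
    """Return {host: sorted [(time, tag), ...]} for hosts where the earliest
    SQL stop and the earliest shadow deletion lie within WINDOW."""
    seen = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        tag = classify(ev)
        if tag:
            seen[ev["host"]].append((datetime.fromisoformat(ev["time"]), tag))
    hits = {}
    for host, events in seen.items():
        first = {}
        for t, tag in sorted(events):
            first.setdefault(tag, t)  # earliest time per behaviour
        if {"shadow_delete", "sql_stop"} <= first.keys() and \
                abs(first["shadow_delete"] - first["sql_stop"]) <= WINDOW:
            hits[host] = sorted(events)
    return hits


# Constructed sample telemetry (not real data): SRV01 shows the full chain,
# WKS07 only lists shadows (benign), SRV02 only stops SQL (incomplete).
SAMPLE = [
    '{"host":"SRV01","time":"2019-06-01T03:10:00","image":"net.exe","cmdline":"net stop MSSQLSERVER /y"}',
    '{"host":"SRV01","time":"2019-06-01T03:11:30","image":"vssadmin.exe","cmdline":"vssadmin delete shadows /all /quiet"}',
    '{"host":"WKS07","time":"2019-06-01T09:00:00","image":"vssadmin.exe","cmdline":"vssadmin list shadows"}',
    '{"host":"SRV02","time":"2019-06-01T10:00:00","image":"net.exe","cmdline":"net stop MSSQLSERVER"}',
]

if __name__ == "__main__":
    for host, evs in find_precursor_hosts(SAMPLE).items():
        print(host, [tag for _, tag in evs])
```

A single behaviour on its own (SRV02) is worth a lower-severity alert; the paired chain is what justifies isolating the host immediately.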

How Do I Prevent Sodinokibi Ransomware?

Protecting against Sodinokibi means adhering to several security best practices. As part of a consultation that includes Tetra Defense's cybersecurity services, we typically recommend that our clients follow strict business practices to help prevent Sodinokibi from infecting their infrastructure.

Because Sodinokibi is targeted primarily at Managed Service Providers, if your organization uses an MSP to manage your network, much of the responsibility for securing and updating the network management tools falls on the MSP. As an informed customer, you have the right to ask them what actions they have taken to harden their management tools to protect their customers.

  • Multi-Factor Authentication (MFA) – MFA tools significantly reduce the risk of infection from malware. Despite the Sodinokibi malware exploit working with no username or password, any system protected with MFA will automatically ask for an authentication key by default, significantly reducing the risk of the ransomware working.
  • Ditch End-of-Life operating systems – Running a modern, manufacturer-supported, and patched operating system is fundamental to cybersecurity. OS licensing can be expensive, but it is critical to have supported operating systems that entitle you to security updates and patches. Sodinokibi targets security holes that have been fixed in more recent Windows security rollouts.
  • Patch public-facing software aggressively – Any system that interfaces directly with the public internet should be patched religiously. Sodinokibi exploited ConnectWise/Kaseya MSP, but ConnectWise fixed the flaw in 2017. However, very few customers had updated their toolsets due to the complexity of updating middleware servers.
  • Application Updates – Despite Sodinokibi disabling antivirus upon infection, it is paramount to ensure antivirus is installed and updated daily so that it can recognize the very latest threats.
  • Penetration Testing and Social Engineering – This is a technique of testing external and internal computer infrastructure against all known vulnerabilities. Pen testing and vulnerability scanning will generate a list of recommended fixes needed to harden the infrastructure. Social engineering refers to testing employees’ susceptibility to ransomware attacks.
  • Training – You can never underestimate the importance of training all employees about the risks of ransomware. Businesses can implement any number of technical security solutions, but an employee may inadvertently invite a cybersecurity threat into a secured network. Training employees on phishing, fraud, and the latest cybersecurity trends, as well as conducting social engineering tests on them, is very important.
  • Backups, backups, backups! – If the worst does happen, and you are impacted by ransomware, often the quickest resolution is to restore from backup. Decrypting files is usually impossible without paying the ransom, and even then, success is never guaranteed. Regular offsite backups should be completed on daily, weekly, monthly rotations to reduce the likelihood of the backups also being maliciously encrypted.
  • Disaster Recovery – We highly recommend that organizations create a disaster recovery plan and test for total outages caused by ransomware. Disaster recovery strategies might include high availability DR set up in a secondary site with a cloud partner.

How Do I Remove Sodinokibi Ransomware?

The Sodinokibi ransomware is a sophisticated malware that takes many steps to protect itself during the infection process. The public and private keys are split and encrypted at least twice, and the payload itself is Base64-encoded, making it impossible to read.

As part of the encryption process, the malware decrypts itself and generates unique values specific to your system properties. The architecture of the malware makes it impossible to decrypt the data by any means other than using the tool provided upon payment of the ransom.

Example of Sodinokibi Ransom Note

—=== Welcome. Again. ===—

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise – time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site:
b) Open our website: hxxxp:// aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd [dot] onion/{UID}

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:

a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: hxxxp:// decryptor [dot] top/{UID}

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Extension name:

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions – its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!

ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
