Sodinokibi, also known as REvil, Bluebackground, or Sodin, is a ransomware that uses wide range of tactics to distribute the ransomware and earn a commission. It is aimed at English-speaking users. It also exploited vulnerabilities in remote services such as Oracle WebLogic (CVE-2019-2725). People believed that it had relations with GandCrab. According to Intezer Analyze, it uses code of Pony, RedOctober, and Vidar.

Sodinokibi has 41 active affiliates. Each affiliate's version of Sodinokibi gets customized with a unique ID so that they can receive payments. Some of the affiliates are ones that were previously in GandCrab such as Lalartu and -TMT-.

Sodinokibi affiliates keep 60 percent of every ransom payment, rising to 70 percent after they book three successful ransom payments. The remaining 30 or 40 percent gets remitted to the actor or actors behind Sodinokibi. With the average ransom amount paid being $2,500 to $5,000, the Sodinokibi actor would typically receive $700 to $1,500 every time a victim pays a ransom.

In mid-May, a Sodinokibi advertiser using the forum name UNKN deposited over $100,000 on underground forums to show that they meant serious business.

Advertisements for the new file-encrypting malware started in early July on at least two forums. UNKN said that they were looking to expand their activity and that it was a private operation with "limited number of seats" available for experienced individuals.

UNKN offered affiliates 60% of the payments at the beginning and a 10% increase after the first three transactions. The actor also made it clear that they would not be working with English-speaking affiliates as part of this private program.

On August 16th, 2019, Sodinokibi hit 22 local administrations in Texas and demanded a collective ransom of $2.5 million. It compromised multiple MSPs (managed service providers) spreading the malware to their customers.

On August 29th, 2019, Sodinokibi hit a remote data backup service and encrypted files from dental practices in the U.S. 

On December 9th, 2019, Sodinokibi attacked another IT vendor serving hundreds of dentistry practices, infecting clients’ computers by exploiting a vulnerable remote access tool. 

On December 12th, 2019, UNKN states that a new "division" has been created for large operations. He also announced that they will use stolen files and data as leverage to get victims to pay ransoms. 

They claim that a recent operation from this group is the attack against the CyrusOne data center that was reported last week. As part of this operation, UNKN claims that they have stolen files from the company before encrypting their network.

Sodinokibi goes on to say that if a company does not pay the ransom, the ransomware actors will publicly release the stolen data or sell it to competitors. It is in their opinion that this would be more costly to the victim than paying the ransom.

On December 25th, 2019, it was discovered that the developers changed their ransom note over the holidays to include a new message wishing the victims a "Merry Christmas and Happy Holidays".

On December 31st, 2019, it attacked Travelex. This prompted the company to take offline all its computer systems.

As a result, customers could no longer use the website or the app for transactions or make payments using credit or debit cards at its more than 1,500 stores across the world. Hundreds of customer complaints came pouring in via social media since the outage began.

In a conversation with BleepingComputer, the Sodinokibi Ransomware actors state that they were demanding a $3 million ransom or they would release the data containing "DOB SSN CC and other". Travelex stated that there is no evidence that any data was stolen.

On January 9th, 2020, Temple Har Shalom in Warren, New Jersey had their network breached by Sodinokibi which encrypted numerous computers on the network. In an email seen by BleepingComputer, Temple Har Shalom informed their congregation that they discovered the ransomware attack on January 9th after staff had trouble connecting to the Internet.

After checking their servers, they found that the Temple's files were encrypted and a ransom note was left behind. Other computers on the network had been encrypted as well.

On January 10th, 2020, Albany International Airport's staff announced that the New York airport's administrative servers were hit by Sodinokibi Ransomware following a cyberattack that took place over Christmas. Airport operations were not impacted by the ransomware attack and customers' financial or personal information was not accessed by the attackers according to a statement from airport officials per WNYT-TV.

No airline or TSA servers were affected in the incident, with airport officials saying that the vast majority of encrypted files being administrative documents and archived data. The Albany County Airport Authority alerted the FBI and the New York State Cyber Command as soon as the attack was discovered, and also hired the services of ABS Solutions to help with the investigation.

On January 23rd, 2020, Sodinokibi threatened to publish data stolen from GEDIA Automotive Group, a German automotive supplier with production plants in Germany, China, Hungary, India, Mexico, Poland, Hungary, Spain, and the USA. The group published a Microsoft Excel spreadsheet containing an AdRecon report with information on an Active Directory environment.


Upon execution, Sodinokibi will create a mutex with a hardcoded name Global\206D87E0-0E60-DF25-DD8F-8E4E7D1E3BF0 and decrypt an embedded configuration.

If the exp parameter in the configuration is set, the malware will attempt to exploit CVE-2018-8453 in order to gain SYSTEM privileges.

If not configured to execute the exploit, or if the attempt is unsuccessful, it will instead try to re-run itself as an administrator.

Sodinokibi gathers some basic system information and saves it to the registry together with the generated encryption parameters. If the dbg option is not set in the config, the UI language and keyboard layout values are checked, and the malware will simply exit on systems which use one of the following language codes.



Sodinokibi affiliates conducted these attacks by reportedly accessing the networks via Remote Desktop Services and then utilizing the MSP's management console to push ransomware installers to all of the end points that they manage.

It also pretends to be a "New Booking" on Attached to this email is a malicious Word document with names like " - 1571165841.doc" that asks the user to "Enable Content" in order to access the booking information.

Once the user enabled the content, though, embedded macros will download Sodinokibi from a remote site and execute it.

Sodinokibi affiliates are also targeting sites that host downloads in order to replace legitimate software with the ransomware installer. According to TG Soft, a distributor for WinRar in Italy was hacked to distribute the ransomware installer.

On June 24th, 2019, it was distributed through malvertising that redirects to the RIG exploit kit. With the use of exploit kits, Sodinokibi is now using a wide stream of vectors to infect victims with the ransomware. It is done through advertisements on the PopCash ad network that redirected users to the exploit kit based on certain conditions.

On July 24th, 2019, it was distributed by hacker posing as German BSI. By using "Warnmeldung kompromittierter Benutzerdaten" as the subject line — which translates to "Warning message of compromised user data" — the attackers try to trick their targets into reacting to the bait out of curiosity and to open the infected attachments without giving it a second thought.

On September 26th, 2019, it was distributed through a new spam campaign that is targeting Chinese recipients. It pretends to be an email from DHL stating that the delivery of a package has been delayed due to an incorrect customs declaration.

It then proceeds to inform the recipient that they must download the enclosed "Customs documents", fill them out correctly, and send it back in order for the package to be properly delivered.

If a user downloads the attached 海关文件.zip file and extracts it, they will find a file named "DHL海关申报单.doc.exe", which is translated to "DHL Customs Declaration Form.doc.exe".

On November 11th, 2019, it is distributed by a new malvertising campaign being used on low quality web games and blogs is redirecting Asian victims to the RIG exploit kit. It will attempt to exploit Flash vulnerabilities in the browser. If successful, a user will see Internet Explorer begin to crash and various alerts from the Windows Script Host. This is because the exploit kit will execute a JScript command that downloads an obfuscated VBScript script.


When Sodinokibi is executed, it will run the following commands to disable Windows startup repair and to delete shadow volume copies:

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

Sodinokibi encrypts all of the user's files. The name of the text file depends on the extension added to the encrypted file. For example, if the extension is ".686l0tek69" (and the encrypted file is renamed from, for example, "1.jpg" to "1.jpg.686l0tek69"), the ransom message filename will be called "686l0tek69-HOW-TO-DECRYPT.txt".


Sodinokibi also changes the wallpaper.


The wallpaper Sodinokibi changes it to.

The ransom message explains that people who have computers infected with this ransomware can decrypt (recover) their files only by following the instructions provided by the cyber criminals who developed it. To decrypt data, users must visit the websites using one of the two links provided. One should be opened using the Tor browser, and the other with another browser such as Google Chrome, Mozilla Firefox, Opera, Internet Explorer, or Microsoft Edge.

It is stated that the link/website created for browsers other than Tor could be blocked by the browser, and thus they advise users to use the first website link. In any case, once opened, the website asks users to copy and paste the key provided in the ransom message (.txt file) and to enter the extension name (which is provided in the same text file).

It then opens another page informing victims that they have two days to pay a ransom of $2500. Later, the cost is doubled to $5000. The ransom must be transferred to the Bitcoin wallet address (paid in cryptocurrency) provided. According to cyber criminals, when payment is made, victims should receive three confirmations. They then supposedly reload the website which will create a download link for a decryption tool.

Text presented in Sodinokibi ransomware text file (random-string-HOW-TO-DECRYPT.txt):

--=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you 
computer has expansion 686l0tek69.
By the way, everything is possible to recover (restore), but you need to follow our 
instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except 
getting benefits. If we do not do our work and liabilities - nobody will not cooperate 
with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can 
decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose 
your time and data, cause just we have the private key. In practise - time is much 
more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: hxxps://
  b) Open our website: hxxp://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/913AED0B5FE1497D

2) If TOR blocked in your country, try to use VPN! But you can use our secondary 
website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website:

Warning: secondary website can be blocked, thats why first variant much better and 
more available.

When you open our website, put the following data in the input form:


Extension name:



!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring 
your data or antivirus solutions - its may entail damge of the private key and, as result, 
The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the 
best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

Text presented in a website opened with Tor (second page):

Your computer have been infected!
Your documents, photos, databases and other important files encrypted
To decrypt your files you need to buy our special software - 686l0tek69-Decryptor
You can do it right now. Follow the instructions below. But remember that you do not have much time
686l0tek69-Decryptor costs

You have 2 days, 23:59:17
* If you do not pay on time, the price will be doubled
* Time ends on May 3, 10:44:08
Current price
After time ends
0.47528863 btc
ò 2,500 USD
0.95057726 btc
ò 5,000 USD

Status: No access to download 686l0tek69-Decryptor.

BTC receiving address: 324VH5nPXCKCUGAMAn23nogm2Z6ph97evh
Instructions Chat support
How to buy 686l0tek69-Decryptor?

Create a Bitcoin Wallet (we recommend
Buy necessary amount of Bitcoins. Current price for buying is 0.47528863 btc
Send 0.47528863 btc to the following Bitcoin address:

* This receiving address was created for you, to identify your transactions
Wait for 3 confirmations
Reload current page after, and get a link to download 686l0tek69-Decryptor


Upload your file for test 686l0tek69-Decryptor.

* This file should be an encrypted image. Example



Sodinokibi is the name malware researchers call the virus, however, it was shown that the developers have not yet provided an official name.

Text in the chat with the cyber criminals:

Researcher Tomas: Where are you from?
Researcher Tomas: What is the name of your ransomware?
Cyber criminal: We don't have name, don't write here.
Researcher Tomas: Researchers are calling this - "Sodinokibi" ransomware. That's not 
a very nice name, maybe you like to use something else?
Cyber criminal: show me
Researcher Tomas: hxxps://
Researcher Tomas: You could think of some cooler name than "Sodinokibi".
Cyber criminal: Hm, why this name?
Researcher Tomas: I would guess this is from an executable file name 
Researcher Tomas: What name would you like to use?
Cyber criminal: we don't have name, but give to us few days to think about it
Researcher Tomas: ok, great.

Later on in April, the creators named it REvil.


New Sodinokibi Ransomware assigns a personal extension!Demonstration of attack video review

New Sodinokibi Ransomware assigns a personal extension!Demonstration of attack video review.

Sodinokibi demonstration by GrujaRS

How to remove Sodinokibi Ransomware

How to remove Sodinokibi Ransomware

Sodinokibi aka REvil connections to GandCrab — Research Saturday

Sodinokibi aka REvil connections to GandCrab — Research Saturday

Community content is available under CC-BY-SA unless otherwise noted.