Sodinokibi, also known as REvil or Sodin, is a ransomware operation that uses a wide range of tactics to distribute the ransomware and collect a commission on each ransom. It targets English-speaking users. Researchers believed it was related to GandCrab. According to Intezer Analyze, it shares code with Pony, RedOctober, and Vidar.

Sodinokibi has 41 active affiliates. Each affiliate's build of Sodinokibi is customized with a unique ID so that the affiliate can be credited for payments. Some affiliates, such as Lalartu and -TMT-, previously worked with GandCrab.

Sodinokibi affiliates keep 60 percent of every ransom payment, rising to 70 percent after they book three successful ransom payments. The remaining 30 or 40 percent gets remitted to the actor or actors behind Sodinokibi. With the average ransom amount paid being $2,500 to $5,000, the Sodinokibi actor would typically receive $700 to $1,500 every time a victim pays a ransom.

In mid-May, a Sodinokibi advertiser using the forum name UNKN deposited over $100,000 on underground forums to show that they meant serious business.

Advertisements for the new file-encrypting malware started in early July on at least two forums. UNKN said that they were looking to expand their activity and that it was a private operation with a "limited number of seats" available for experienced individuals.

UNKN offered affiliates 60% of the payments at the beginning and a 10% increase after the first three transactions. The actor also made it clear that they would not be working with English-speaking affiliates as part of this private program.

On August 16th, 2019, Sodinokibi hit 22 local administrations in Texas and demanded a collective ransom of $2.5 million. The attackers compromised multiple managed service providers (MSPs) and used them to spread the malware to the MSPs' customers.

On August 29th, 2019, Sodinokibi hit a remote data backup service and encrypted files from dental practices in the U.S. 

Payload

Transmission

Sodinokibi affiliates reportedly conducted these attacks by accessing the MSPs' networks via Remote Desktop Services and then using the MSP's management console to push ransomware installers to all of the endpoints it manages.

It is also distributed through emails posing as a "New Booking" notification from Booking.com. Attached to the email is a malicious Word document with a name such as "Booking.com - 1571165841.doc" that asks the user to "Enable Content" in order to view the booking information.

Once the user enables the content, the embedded macros download Sodinokibi from a remote site and execute it.

Sodinokibi affiliates also compromise sites that host downloads in order to replace legitimate software with the ransomware installer. According to TG Soft, an Italian distributor of WinRAR was hacked to serve the ransomware installer in place of the legitimate download.

On June 24th, 2019, it was distributed through malvertising that redirected visitors to the RIG exploit kit. By adding exploit kits to its distribution methods, Sodinokibi now reaches victims through a wide range of vectors. In this campaign, advertisements on the PopCash ad network redirected users to the exploit kit when certain conditions were met.

On July 24th, 2019, it was distributed by attackers posing as the German BSI (Federal Office for Information Security). By using "Warnmeldung kompromittierter Benutzerdaten" as the subject line (which translates to "Warning message of compromised user data"), the attackers try to make targets react to the bait out of curiosity and open the infected attachment without giving it a second thought.

On September 26th, 2019, it was distributed through a new spam campaign targeting Chinese recipients. The email pretends to come from DHL and states that the delivery of a package has been delayed due to an incorrect customs declaration.

It then informs the recipient that they must download the enclosed "Customs documents", fill them out correctly, and send them back in order for the package to be delivered.

If a user downloads the attached 海关文件.zip file and extracts it, they will find a file named "DHL海关申报单.doc.exe", which translates to "DHL Customs Declaration Form.doc.exe". The ".doc.exe" double extension is meant to make the executable look like a Word document.

On November 11th, 2019, it was distributed by a new malvertising campaign placed on low-quality web games and blogs that redirected Asian victims to the RIG exploit kit. The kit attempts to exploit Flash vulnerabilities in the browser. If successful, the user sees Internet Explorer begin to crash and various alerts from the Windows Script Host. This is because the exploit kit executes a JScript command that downloads an obfuscated VBScript script.

Infection

When Sodinokibi is executed, it will run the following commands to disable Windows startup repair and to delete shadow volume copies:

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
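The command line above is a useful detection point: legitimate administration almost never chains shadow-copy deletion with disabling startup repair in one cmd.exe invocation. The following is an added example (not code from the original page or from any named product) of detection logic that scans process-creation telemetry for the three behaviours in that command line. The log format (timestamp|user|command line) and the four sample events are constructed for the example; the severity thresholds are assumptions.

```python
import re

# Behaviours present in the Sodinokibi command line quoted above, as
# case-insensitive regexes. Each entry is (indicator name, pattern).
INDICATORS = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]


def match_indicators(command_line):
    """Return the names of all indicators found in one command line."""
    return [name for name, rx in INDICATORS if rx.search(command_line)]


def classify(command_line):
    """Severity (assumed thresholds): two or more recovery-inhibition
    behaviours in a single command line is the ransomware pattern."""
    hits = match_indicators(command_line)
    if not hits:
        return "benign"
    return "high" if len(hits) >= 2 else "medium"


# Constructed sample of process-creation events, e.g. flattened from Sysmon
# Event ID 1 or EDR telemetry. Line 1 is the command line quoted on the page;
# line 2 only lists shadows, line 3 disables recovery alone, line 4 is an archive tool.
SAMPLE_LOG = r"""
2019-08-16T10:01:02Z|DESKTOP-1\alice|"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2019-08-16T10:05:44Z|DESKTOP-1\SYSTEM|vssadmin.exe list shadows
2019-08-16T10:07:10Z|DESKTOP-1\admin|bcdedit /set {default} recoveryenabled No
2019-08-16T10:09:31Z|DESKTOP-1\alice|"C:\Program Files\7-Zip\7z.exe" a backup.7z C:\Users\alice\Documents
"""


def scan_events(log_text):
    """Parse timestamp|user|command-line records and return one finding per
    event that matched at least one indicator."""
    findings = []
    for line in log_text.strip().splitlines():
        timestamp, user, command_line = line.split("|", 2)
        severity = classify(command_line)
        if severity == "benign":
            continue
        findings.append({
            "timestamp": timestamp,
            "user": user,
            "severity": severity,
            "indicators": match_indicators(command_line),
        })
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_LOG):
        print(f["timestamp"], f["user"], f["severity"], ",".join(f["indicators"]))
```

Each indicator on its own has legitimate uses (an administrator may disable recovery on purpose), so the single-indicator event is reported at medium severity for review, while the chained form is treated as high severity. In practice the same patterns translate directly into a Sysmon or EDR rule on the CommandLine field.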

Sodinokibi encrypts all of the user's files and appends a random extension to each. The ransom note's filename is derived from that extension. For example, if the extension is ".686l0tek69" (so that "1.jpg" is renamed to "1.jpg.686l0tek69"), the ransom note is named "686l0tek69-HOW-TO-DECRYPT.txt".
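Because the note name encodes the extension, an incident responder can recover the extension from the note and then enumerate the affected files from a directory listing. The following is an added example (not part of the original page) of that triage step over a constructed list of filenames; the assumed extension pattern (5 to 12 lowercase alphanumerics, matching the sample "686l0tek69") is a generalisation from the page's single example.

```python
import re

# Assumed shape of the per-victim extension, generalised from the page's
# sample "686l0tek69": 5-12 lowercase letters and digits.
NOTE_RX = re.compile(r"^(?P<ext>[0-9a-z]{5,12})-HOW-TO-DECRYPT\.txt$")


def note_extensions(filenames):
    """Extensions implied by every ransom note found in the listing."""
    return {m.group("ext") for m in map(NOTE_RX.match, filenames) if m}


def triage(filenames):
    """For each ransom note, count the files carrying its extension and
    recover their original names by stripping the appended extension."""
    report = {}
    for ext in sorted(note_extensions(filenames)):
        suffix = "." + ext
        encrypted = sorted(f for f in filenames if f.endswith(suffix))
        report[ext] = {
            "note": f"{ext}-HOW-TO-DECRYPT.txt",
            "encrypted_count": len(encrypted),
            "originals": [f[: -len(suffix)] for f in encrypted],
        }
    return report


# Constructed directory listing: two encrypted files, the matching note,
# an untouched file, a note-like name with no extension prefix (ignored),
# and a file with an unrelated extension that has no note (not attributed).
SAMPLE_LISTING = [
    "1.jpg.686l0tek69",
    "report.docx.686l0tek69",
    "686l0tek69-HOW-TO-DECRYPT.txt",
    "notes.txt",
    "HOW-TO-DECRYPT.txt",
    "photo.png.bak",
]


if __name__ == "__main__":
    for ext, info in triage(SAMPLE_LISTING).items():
        print(ext, info["note"], info["encrypted_count"], info["originals"])
```

Only files whose extension matches a present note are attributed to the infection, which keeps unrelated renamed files (such as backups) out of the count; the recovered original names are what a restore-from-backup job needs.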

[Image: Sodinokibi-folder]

Sodinokibi also changes the wallpaper.

[Image: Sodinokibi-wallpaper]

The wallpaper that Sodinokibi sets.

The ransom message explains that people who have computers infected with this ransomware can decrypt (recover) their files only by following the instructions provided by the cyber criminals who developed it. To decrypt data, users must visit the websites using one of the two links provided. One should be opened using the Tor browser, and the other with another browser such as Google Chrome, Mozilla Firefox, Opera, Internet Explorer, or Microsoft Edge.

It is stated that the link/website created for browsers other than Tor could be blocked by the browser, and thus they advise users to use the first website link. In any case, once opened, the website asks users to copy and paste the key provided in the ransom message (.txt file) and to enter the extension name (which is provided in the same text file).

It then opens another page informing victims that they have two days to pay a ransom of $2500. Later, the cost is doubled to $5000. The ransom must be transferred to the Bitcoin wallet address (paid in cryptocurrency) provided. According to cyber criminals, when payment is made, victims should receive three confirmations. They then supposedly reload the website which will create a download link for a decryption tool.

Text presented in Sodinokibi ransomware text file (random-string-HOW-TO-DECRYPT.txt):

--=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you 
computer has expansion 686l0tek69.
By the way, everything is possible to recover (restore), but you need to follow our 
instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except 
getting benefits. If we do not do our work and liabilities - nobody will not cooperate 
with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can 
decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose 
your time and data, cause just we have the private key. In practise - time is much 
more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: hxxps://torproject.org/
  b) Open our website: hxxp://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/913AED0B5FE1497D

2) If TOR blocked in your country, try to use VPN! But you can use our secondary 
website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/913AED0B5FE1497D

Warning: secondary website can be blocked, thats why first variant much better and 
more available.

When you open our website, put the following data in the input form:
Key:

-

Extension name:

686l0tek69

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring 
your data or antivirus solutions - its may entail damge of the private key and, as result, 
The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the 
best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
[Image: Sodinokibi-homepage]

Text presented in a website opened with Tor (second page):

Your computer have been infected!
Your documents, photos, databases and other important files encrypted
To decrypt your files you need to buy our special software - 686l0tek69-Decryptor
You can do it right now. Follow the instructions below. But remember that you do not have much time
686l0tek69-Decryptor costs

You have 2 days, 23:59:17
* If you do not pay on time, the price will be doubled
* Time ends on May 3, 10:44:08
Current price: 0.47528863 btc (≈ 2,500 USD)
After time ends: 0.95057726 btc (≈ 5,000 USD)

Status: No access to download 686l0tek69-Decryptor.

BTC receiving address: 324VH5nPXCKCUGAMAn23nogm2Z6ph97evh
Instructions Chat support
How to buy 686l0tek69-Decryptor?

Create a Bitcoin Wallet (we recommend Blockchain.info)
Buy necessary amount of Bitcoins. Current price for buying is 0.47528863 btc
Send 0.47528863 btc to the following Bitcoin address:
324VH5nPXCKCUGAMAn23nogm2Z6ph97evh

* This receiving address was created for you, to identify your transactions
Wait for 3 confirmations
Reload current page after, and get a link to download 686l0tek69-Decryptor

Guarantees?

Upload your file for test 686l0tek69-Decryptor.

* This file should be an encrypted image. Example

your-file-name.jpg.686l0tek69
your-file-name.png.686l0tek69
your-file-name.gif.686l0tek69
[Image: Sodinokibi-web1]
[Image: Sodinokibi-web2]

Name

Sodinokibi is the name malware researchers gave the ransomware; at the time, the developers had not provided an official name of their own.

Text in the chat with the cyber criminals:

Researcher Tomas: Where are you from?
Researcher Tomas: What is the name of your ransomware?
Cyber criminal: We don't have name, don't write here.
Researcher Tomas: Researchers are calling this - "Sodinokibi" ransomware. That's not 
a very nice name, maybe you like to use something else?
Cyber criminal: show me
Researcher Tomas: hxxps://www.youtube.com/watch?v=MlfYEqAjXUE&feature=youtu.be
Researcher Tomas: You could think of some cooler name than "Sodinokibi".
Cyber criminal: Hm, why this name?
Researcher Tomas: I would guess this is from an executable file name 
(hxxps://twitter.com/GrujaRS/status/1122051853657739265/photo/1)
Researcher Tomas: What name would you like to use?
Cyber criminal: we don't have name, but give to us few days to think about it
Researcher Tomas: ok, great.

Later on in April, the creators named it REvil.

Media

New Sodinokibi Ransomware assigns a personal extension! Demonstration of attack video review

Sodinokibi demonstration by GrujaRS

How to remove Sodinokibi Ransomware

Sodinokibi aka REvil connections to GandCrab — Research Saturday

Community content is available under CC-BY-SA unless otherwise noted.