What is “Sodinokibi?”
To gain access to the target’s computer, Sodinokibi ransomware exploits an Oracle WebLogic flaw (CVE-2019-27375) Once the malware is installed, it attempts to execute itself with elevated legal rights to gain access to all files and other resources on the system without any constraint.
Sodinokibi tries to avoid contaminating computer systems in Romania, Russia, and Ukraine. To encrypt individuals’ data, this ransomware pressure uses AES and also Salsa20 HTML3. AES is used to encrypt session keys and data sent to the control server. Individual data are encrypted with Salsa20 security.
To create and proliferate encryption keys, Sodinokibi uses an Elliptic-curve Diffie-Hellman critical exchange algorithm.
It erases all documents in the backup folder once it has infiltrated a device.
To regain access to encrypted documents, ransomware requires 0.32806964 BTC ($2500). They state that the ransomware demands this amount be paid within 4 days. Otherwise, the ransom demand will increase.
Here’s a summary of the Sodinokibi:
| Ransomware family | Ravil ransomware |
| Extension | Random |
| Ransomware note | http://readme.txt |
| Ransom | Prices in Bitcoins: From $2500 to $5000 |
| Detection HTML4 | Ransom.Phobos, Ransomware.Sodinokibi, Trojan.Multi |
| Signs | You can’t open most files, including photos, videos, and documents. |
| Fix Tool | GridinSoft Anti Malware
Check if your system has been affected by Sodinokibi ransomware |
Ravil/Sodinokibi version 2.0 adds a new text to wallpaper:
Wallpaper Revel
This payment request is to get files back using the decryption key.
These are the frightening warnings in the alert requesting users pay a ransom to decrypt encrypted data
Sodinokibi uses AES-256 as its cryptography algorithm. If your documents were encrypted using a particular decryption key that is unique to Sodinokibi, then it’s completely secure and there will be no copies. It is not possible to retrieve the information without having the key.
If Sodinokibi was working online, it would be impossible to access the AES256 key. It is kept on a remote server that belongs to the criminals who promoted the Sodinokibi virus.
Pay no for Sodinokibi
Please use backups or the Decrypter tool to ensure you have enough data.
The _readme.txt file indicates that computer owners must contact Sodinokibi representatives within 72 hours from the time files were encrypted. Users will receive a 50% discount if they contact Sodinokibi representatives within 72 hours. This will reduce the ransom amount to $490. But, you should not pay the ransom.
These fraudsters should not be contacted and you should not pay. You can recover your data by using only backups or the Decrypter Tool.
All of these viruses are unique in that they use a similar set to generate the unique decryption keys to retrieve the ciphered data.
You can’t manually recover the ransomware ciphered data unless it is still in development. You can prevent data loss by regularly backing up your important files.
Even if you have backups of important information, these should be kept in a designated location and not connected to your main computer.
The backup could be saved on a USB flash drive or another external hard drive storage. You may also consider using online (cloud) storage to store your information.
It is important to note that backup data stored on a common device may be similarly encrypted as other data.
It is not a good idea to locate the backup on your main computer.
How did I get infected?
Sodinokibi offers many ways to integrate your system. It doesn’t matter which concrete method was used in your case.
Sodinokibi ransomware attack after phishing success.
These are just a few of the ways it can be injected into your computer.
- Hidden installation is done alongside other applications, particularly utilities that are freeware or shareware.
- Spam emails contain a dubious link that leads to the Sodinokibi Installer
- Online hosting services for free
- For downloading pirated software, you can use illegal peer-to-peer (P2P), resources.
In some cases, the Sodinokibi virus was masqueraded as a legitimate tool. For example, messages asking for browser updates or installing unwanted software were disguised. Many online fraudsters will attempt to make you install the Sodinokibi ransomware by making you participate directly in the process.
The fake update alert won’t indicate that you intend to inject the Sodinokibi ransomware. This will be hidden under an alert that mentions that you need to update Adobe Flash Player or any other dubious program.
Cracked apps are also a source of the problem. P2P is illegal and can lead to the injection of malware such as the Sodinokibi ransomware.
What can you do to prevent the Sodinokibi ransomware from being injected into your computer? Although there is no way to protect your computer from being damaged, I have some tips to help you avoid the Sodinokibi intrusion. Be cautious when installing any free software today.
Always read the instructions and other information provided by the installers. Do not open suspicious email attachments. Do not open attachments from unknown addresses. Your current security program should be maintained.
The malware doesn’t speak out about itself. It will not appear in your list of available programs. It will however be hidden by a malicious process that runs in the background and starts from the moment you launch your computer.