Sodinokibi, also known as REvil, was one of the most persistent and dangerous ransomware variants throughout 2020 and 2021, having demanded ransoms as high as $70 million. It’s understandable that the cybersecurity community breathed a sigh of relief when Sodinokibi abruptly disappeared in July. Alas, just a few months later, in September of 2021, the gang reappeared and began striking new targets. On a positive note, however, a new Sodinokibi decryption option appeared.
There’s much speculation about what exactly happened. Discussions on online hacking forums point to the possible arrest of one of the leaders of the gang. If this is indeed what happened, it seems it might have enabled law enforcement to gain access to the gang’s servers. It appears that the servers abruptly went offline, leaving the remaining gang members scrambling to recover their operation.
It appears that law enforcement gained access to the Sodinokibi source code and shared this information with BitDefender, a cybersecurity firm based in Romania. BitDefender then released a free decryption tool to the public.
Free Sodinokibi Decrypt Tool
The decryptor can recover any files encrypted by Sodinokibi/REvil before July 13th, when the server originally went down. BitDefender has made the Sodinokibi decrypt tool available on their website here. BitDefender also released a detailed guide for using the decryption tool.
They commented that the investigation is ongoing, but they released the tool as quickly as possible. This is a proactive move to help victims who have been affected by the ransomware. They also noted that the gang is back online, and urged organizations worldwide to stay aware of the threat.
It’s possible that the gang is operating at a reduced capacity after losing a key member of its leadership, but heightened vigilance is still necessary.
Lessons for Future Ransomware Attacks
It’s always better to avoid paying ransoms, because paying further fuels the ransomware crisis. This is not always feasible, but for those who don’t give in to the attackers’ demands, there’s a lesson in this story. It can be worth holding on to the encrypted data from an attack, because a decryptor may become available later and make recovery possible.
On the other hand, it’s increasingly common for ransomware gangs to threaten to publish stolen data. Retrieving your own data from such a leak is far from an ideal method of data recovery, but it could be a possibility in some cases, since many gangs run sites set up specifically for making stolen data available to the public.
This story is a good illustration of the constructive role that law enforcement can play in countering ransomware. We can only hope that we will see more proactive actions like this one that mitigate the harmful effects of ransomware.
If you get hit by ransomware, don’t hesitate to reach out to us for a free consultation.