Did Sodinokibi ransomware infect your network? If so, it may be an emergency, but don’t panic. We are here to provide you with all the resources you need about Sodinokibi decryption, recovery, removal and statistics. Go through our detailed ransomware recovery process or get a FREE quote now.
Don’t wait before it causes more damage to your network.
Sodinokibi / REvil Ransomware are Trojans that encrypt your entire network or specific machines of value. Upon notice of an attack, you are then given instructions of paying a specific amount in ransom to decrypt your files.
First identified circa 17th April, 2019, the gang behind this virus is allegedly the GOLD SOUTHFIELD group, which deploys Ransomware-as-service model to distribute exploit kits, attack unprotected RDP servers, and install backdoor payloads. Some researchers suspect that REvil is closely linked with the GandCrab variant of ransomware.
Compared to other ransomware variants, the ransom amounts demanded by Sodinokibi attackers can vary largely. The cyber criminals use a dark web browser known as TOR to automate their operations and manage affiliates.
But that doesn’t mean that these hackers do not have the gumption to demand a hefty extortion amount based on organizational size. The average Sodinokibi ransom amount is somewhere between $2,500–$260,000, with some victims reporting demands well into the millions of dollars. But it isn’t limited to the ransom demand.
Victims are faced with unexpected costs in buying and transferring bitcoins, mostly the 10% exchange fees applying to the quick buy methods of Paypal and/or Credit Cards. Along with potential threats to have their personal and business information leaked or sold on the internet if demands are not met.
The Sodinokibi ransomware downtime is a relatively shorter than normal ransomware attacks, since most attackers use automated TOR sites for accepting payments and expediting the process.
Depending on your company size and how often you use IT-systems in your daily business, this is the most expensive part of this incident. Additional to the unavailability of your IT-systems, this is damaging your company reputation.
You need to get your systems back up and hit the ground running as soon as possible. We’ll ensure minimum downtime once you let experts like BeforeCrypt to manage your situation and recover data.
There is a high chance to get a working Sodinokibi decryptor after paying the attackers. This is because they use an automated process to accept payments and deliver the decryption tool. But there’s never a guarantee to get a working decryption key at all.
Most of the victims have reported getting a decryption key successfully on getting their data in original form.
Unsecured Remote Desktop Protocols, phishing emails and executing malicious files. These are the primary reasons of how Sodinokibi infects and encrypts your system.
| SODINOKIBI / REVIL RANSOMWARE SUMMARY | |
|---|---|
| Name | Sodinokibi / REvil Virus - Sodinokibi / REvil Ransomware |
| Danger level | Very High. Advanced Ransomware which makes system changes and encrypts files |
| Release date | March 31st, 2019 |
| OS affected | Microsoft Windows |
| Appended file extensions | Uses random 6-character extensions |
| Ransom note | "[000000]-HOW-TO-DECRYPT.txt" or "[000000]-readme.txt" |
| Contact email address | Payment is accepted through automated TOR site |
This is an average Sodinokibi / REvil ransomware note.
—=== Welcome. Again. ===—
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion XXX000.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise – time is much more valuable than money.[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjpp453534556nf6aq2342nmyoyd.onion/XXXXXXXXX2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/934324XXXXXWarning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:<unique-ID>
Extension name:
XXX000
—————————————————————————————–
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions – its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
Almost always, there is a * .txt file in every folder that has been encrypted. The text file usually has the name “[000000]-HOW-TO-DECRYPT.txt” or “[000000]-readme.txt” and contains all the necessary information to contact the Sodinokibi / REvil Ransomware attackers to get your data back. It’s usually safe to open this file, just be sure the full file extension is *.txt.
Sometimes the attackers leave the encrypted files without any Sodinokibi ransomware notes. The file name usually does not contain any unique identifier and it is only the file extension that is replaced to 6 random characters.
By loading the video, you agree to YouTube's privacy policy.
Learn more
This is an average Sodinokibi / REvil ransomware attack. Copyright by Siam Alam
By loading the video, you agree to YouTube's privacy policy.
Learn more
This is a demonstration of the Sodinokibi ransomware decryptor. Copyright by BeforeCrypt
We have extensive experience in decrypting files infected by Sodinokibi ransomware. There are a few publicly available Sodinokibi decrypt tools that can decrypt older versions of Sodinokibi, but in our experience the only way to get a working decryption tool in most cases is from the attackers.
We advise against paying the attackers if at all possible; however, if the damage done is too high, sometimes there is no other option. We actively research and keep records on as many active ransomware gangs as we can. We then use our accumulated data to safely and securely negotiate a lower ransom price if possible, with full legal compliance and complete insurance documentation.
Obtaining the decryption tool usually takes somewhere between 24 and 72 hours. Once we have it, decrypting the files is usually a matter of hours, depending on the amount of encrypted data. Sometimes the ransomware tools provided by attackers are defective, so we import the private keys into our own software. We fully back up all encrypted files to ensure there is no data loss in the event that something goes wrong during the recovery process.
For emergency situations, we provide 24 hour service; simply fill out the Ransomware Data Recovery form, or call one of our customer service numbers listed above. If you want to learn more about Sodinokibi ransomware itself, please visit the Sodinokibi ransomware variant page.
You will receive a decryptor executable, mostly called “000XXX-Decryptor.exe”. The decryptor can decrypt single files, folders or the entire computer including network drives, external HDDs and other removable devices. You also have the option to create a backup of the files, before starting the decryption process.
The Sodinikibi decryptor is completely individual for each victim ID. A decryptor.exe which you get from another victim, who has already received a Sodinokibi decryptor, will not work for you.
Sodinokibi ransomware creates multiple Windows registry entries, creates hidden executable files and sometimes opens a backdoor in firewalls for further access. There are multiple steps necessary, including the cleaning up of the Windows registry, scanning for malware and the manual cleanup of the Sodinokibi ransomware. Depending on the system environment, it is sometimes safer and faster to reinstall the operating system.
The most common attack vector for Sodinokibi ransomware is utilized through email phishing with malicious attachments. It is followed up by an unsecured RDP-Connection (Remote Desktop Protocol) and security vulnerabilities. The cybergang behind this form of ransomware is extremely proactive in distributing and encrypting the data.
But just like any other ransomware distribution, Sodinokibi can also be spread when you click on a suspicious link and/or download a file from a torrent website. You never know which file downloaded could blow away your entire network security in a matter of hours, if not minutes.
Sodinokibi ransomware encrypts files with a Salsa20 stream cipher algorithm. The key is encrypted using the AES-256-CTR algorithm (curve25519).
If you can afford it, having staff or hiring a dedicated service to monitor network traffic can also help to detect unusual activity and prevent ransomware attacks. Ransomware attackers usually do a lot of surveillance on a network before attempting a hack. This “reconnaissance” phase has certain tell-tale signs. If you can catch these early, it’s possible to detect the attacker early and deny them access to the network.
If you get hit by ransomware, a professional ransomware response service can help to identify and patch security gaps.
In emergencies, we can start with the ransomware data recovery immediately. Since our support team operates 24/7, we can reduce your downtime to a minimum by working non-stop to recover your data.
