Sodinokibi Ransomware Recovery

Did Sodinokibi ransomware infect your network? If so, it may be an emergency, but don’t panic. We are here to provide you with all the resources you need about Sodinokibi decryption, recovery, removal and statistics. Go through our detailed ransomware recovery process or get a FREE quote now.

Don’t wait before it causes more damage to your network.


How do I know if Sodinokibi Ransomware has infected my system?

Sodinokibi / REvil Ransomware are Trojans that encrypt your entire network or specific machines of value. Upon notice of an attack, you are then given instructions of paying a specific amount in ransom to decrypt your files.

First identified circa 17th April, 2019, the gang behind this virus is allegedly the GOLD SOUTHFIELD group, which deploys Ransomware-as-service model to distribute exploit kits, attack unprotected RDP servers, and install backdoor payloads. Some researchers suspect that REvil is closely linked with the GandCrab variant of ransomware.

  • Here is how REvil / Sodinokibi ransomware infects your computer or network:
  • A popup message stating about the encryption of your data and paying a ransom.
  • Sodinokibi will change the filename extensions to 0.686l0tek69
  • Your wallpaper will be changed.
  • You receive a 686l0tek69-HOW-TO-DECRYPT.txt file with the message on how to pay the ransom and recover your files
  • Your CPU utilization peaks at 100%
  • Your hard drives continue processing data in the background, making your system extremely sluggish.
  • You are barely able to open any application including your antivirus software, which gets deactivated.

What should I do when my data has been encrypted by Sodinokibi Ransomware?

  1. Disconnect your systems right away and isolate any associated backup hard drives from the network to prevent the spread of the ransomware encryption. For more information, visit Ransomware Information site.
  2. Do not attempt to contact ransomware attackers to recover your files, it will only complicate the situation.
  3. Call in experts immediately to assess the damage and review possible recovery options and avoid costly consequential failures.

Keep calm! Contact us, we can help you!

Ransomware Recovery Ransomware Decryption


Compared to other ransomware variants, the ransom amounts demanded by Sodinokibi attackers can vary largely. The cyber criminals use a dark web browser known as TOR to automate their operations and manage affiliates.

But that doesn’t mean that these hackers do not have the gumption to demand a hefty extortion amount based on organizational size. The average Sodinokibi ransom amount is somewhere between $2,500–$260,000, with some victims reporting demands well into the millions of dollars. But it isn’t limited to the ransom demand.

Victims are faced with unexpected costs in buying and transferring bitcoins, mostly the 10% exchange fees applying to the quick buy methods of Paypal and/or Credit Cards. Along with potential threats to have their personal and business information leaked or sold on the internet if demands are not met.

The Sodinokibi ransomware downtime is a relatively shorter than normal ransomware attacks, since most attackers use automated TOR sites for accepting payments and expediting the process.

Depending on your company size and how often you use IT-systems in your daily business, this is the most expensive part of this incident. Additional to the unavailability of your IT-systems, this is damaging your company reputation.

You need to get your systems back up and hit the ground running as soon as possible. We’ll ensure minimum downtime once you let experts like BeforeCrypt to manage your situation and recover data.

There is a high chance to get a working Sodinokibi decryptor after paying the attackers. This is because they use an automated process to accept payments and deliver the decryption tool. But there’s never a guarantee to get a working decryption key at all.

Most of the victims have reported getting a decryption key successfully on getting their data in original form.

Unsecured Remote Desktop Protocols, phishing emails and executing malicious files. These are the primary reasons of how Sodinokibi infects and encrypts your system.

NameSodinokibi / REvil Virus - Sodinokibi / REvil Ransomware
Danger levelVery High. Advanced Ransomware which makes system changes and encrypts files
Release dateMarch 31st, 2019
OS affectedMicrosoft Windows
Appended file extensionsUses random 6-character extensions
Ransom note"[000000]-HOW-TO-DECRYPT.txt" or "[000000]-readme.txt"
Contact email addressPayment is accepted through automated TOR site


Sodinokibi Ransomware Note #1: TOR website


This is an average Sodinokibi /  REvil ransomware note.

Sodinokibi Ransomware Note #2: Text file


—=== Welcome. Again. ===—

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion XXX000.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise – time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site:
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjpp453534556nf6aq2342nmyoyd.onion/XXXXXXXXX

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website:

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:


Extension name:



!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions – its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

Almost always, there is a * .txt file in every folder that has been encrypted. The text file usually has the name “[000000]-HOW-TO-DECRYPT.txt” or “[000000]-readme.txt” and contains all the necessary information to contact the Sodinokibi  / REvil Ransomware attackers to get your data back. It’s usually safe to open this file, just be sure the full file extension is *.txt.

Sodinokibi Ransomware Note #3: No Ransom Note At All


Sometimes the attackers leave the encrypted files without any Sodinokibi ransomware notes. The file name usually does not contain any unique identifier and it is only the file extension that is replaced to 6 random characters.

“file name.pdf.XXX000”



By loading the video, you agree to YouTube's privacy policy.
Learn more

Load video

This is an average Sodinokibi / REvil ransomware attack. Copyright by Siam Alam



By loading the video, you agree to YouTube's privacy policy.
Learn more

Load video

This is a demonstration of the Sodinokibi ransomware decryptor. Copyright by BeforeCrypt


We have extensive experience in decrypting files infected by Sodinokibi ransomware. There are a few publicly available Sodinokibi decrypt tools that can decrypt older versions of Sodinokibi, but in our experience the only way to get a working decryption tool in most cases is from the attackers.

We advise against paying the attackers if at all possible; however, if the damage done is too high, sometimes there is no other option. We actively research and keep records on as many active ransomware gangs as we can. We then use our accumulated data to safely and securely negotiate a lower ransom price if possible, with full legal compliance and complete insurance documentation.

Obtaining the decryption tool usually takes somewhere between 24 and 72 hours. Once we have it, decrypting the files is usually a matter of hours, depending on the amount of encrypted data. Sometimes the ransomware tools provided by attackers are defective, so we import the private keys into our own software. We fully back up all encrypted files to ensure there is no data loss in the event that something goes wrong during the recovery process.

For emergency situations, we provide 24 hour service; simply fill out the Ransomware Data Recovery form, or call one of our customer service numbers listed above. If you want to learn more about Sodinokibi ransomware itself, please visit the Sodinokibi ransomware variant page.



You will receive a decryptor executable, mostly called “000XXX-Decryptor.exe”. The decryptor can decrypt single files, folders or the entire computer including network drives, external HDDs and other removable devices. You also have the option to create a backup of the files, before starting the decryption process.

The Sodinikibi decryptor is completely individual for each victim ID. A decryptor.exe which you get from another victim, who has already received a Sodinokibi decryptor, will not work for you.

Sodinokibi ransomware creates multiple Windows registry entries, creates hidden executable files and sometimes opens a backdoor in firewalls for further access. There are multiple steps necessary, including the cleaning up of the Windows registry, scanning for malware and the manual cleanup of the Sodinokibi ransomware. Depending on the system environment, it is sometimes safer and faster to reinstall the operating system.

The most common attack vector for Sodinokibi ransomware is utilized through email phishing with malicious attachments. It is followed up by an unsecured RDP-Connection (Remote Desktop Protocol) and security vulnerabilities. The cybergang behind this form of ransomware is extremely proactive in distributing and encrypting the data.

But just like any other ransomware distribution, Sodinokibi can also be spread when you click on a suspicious link and/or download a file from a torrent website. You never know which file downloaded could blow away your entire network security in a matter of hours, if not minutes.


Sodinokibi ransomware encrypts files with a Salsa20 stream cipher algorithm. The key is encrypted using the AES-256-CTR algorithm (curve25519).


  1. Professional ransomware response can significantly decrease downtime. We deal with hundreds of cases every year. Through our years of experience, we have developed a streamlined process that brings our clients back online as fast as possible. In the event that a ransom has to be paid, purchasing the necessary cryptocurrency can take days. The process of resolving a ransomware attack without prior experience can take many hours of research. Most of our cases are completely resolved 24-72 hours after we begin the recovery process.

  2. Avoid dealing with criminals and ensure legal compliance. Most companies don’t feel comfortable dealing with cyber-criminals. It can add another layer of stress in emergency. We maintain files on different groups of hackers in order to maximize security and effectiveness of negotiations. We also ensure that all communications and transfers comply with applicable laws and regulations to protect our clients against potential legal problems. 

  3. Cryptocurrency transfers. It is always better to avoid giving into the attacker’s demands. If backups and normal recovery methods fail, however, there may be no other choice. Most ransomware attackers demand payment in Bitcoin. We guide you through the whole process of creating a crypto currency wallet and buying the crypto currency with you. Therefore we have different cooperation partner in order to prepare your wallet and do the transaction as quick and easy as possible for you. 

  4. Ensure data integrity and security. As specialists in the field of ransomware incident response, we are always refining industry best practices for data recovery. We have robust, standardized procedures for backing up encrypted data, restoring data, and removing viruses to ensure that there is no data loss or damage.

  5. Easy Insurance Reporting: All of our clients receive a detailed incident report with all information required by cyber-insurance and for law enforcement purposes. Thankfully, cyber-insurance often covers the cost of cyber-extortion as well as professional ransomware response services. Completing all paperwork correctly from the beginning can speed up the process of filing a claim and recovering lost funds.
  1. Backup, Backup, Backup! In most cases, a fresh and secure backup of data can prevent ransomware attack from succeeding. For this reason, many attackers put in a lot of effort to find and encrypt backups. The best backup will be air-gapped, meaning physically disconnected from your main network. It is also important to have a regular backup schedule with robust security procedures

  2. Install a Next-Gen Antivirus. Next generation anti-virus software combines a classic signature-based antivirus with powerful exploit protection, ransomware protection and endpoint detection and response (EDR). Mcafee, Fireeye, and Sentinel One are all examples of antivirus software with these features. 

  3. Install a Next-Gen Firewall. A Next-Gen-Firewall is also called Unified threat management (UTM) firewall. It adds a layer of security at every entry and exit point of your company data communication. It combines classic network security with intrusion detection, intrusion prevention, gateway antivirus, email filtering and many other features. 

If you can afford it, having staff or hiring a dedicated service to monitor network traffic can also help to detect unusual activity and prevent ransomware attacks. Ransomware attackers usually do a lot of surveillance on a network before attempting a hack. This “reconnaissance” phase has certain tell-tale signs. If you can catch these early, it’s possible to detect the attacker early and deny them access to the network. 

If you get hit by ransomware, a professional ransomware response service can help to identify and patch security gaps. 

In emergencies, we can start with the ransomware data recovery immediately. Since our support team operates 24/7, we can reduce your downtime to a minimum by working non-stop to recover your data.

Need fast help with Sodinokibi ransomware recovery? Contact us now and get instant help from ransomware experts

Ransomware Recovery Data