Sodinokibi Ransomware Recovery

Is your company infected by the Sodinokibi Ransomware? If yes, then it’s a critical situation. We are here to provide you with all the information we can about Sodinokibi ransomware (a.k.a. REvil and Sodin): decryption, recovery, removal and statistics. Go through our detailed ransomware recovery process or get a FREE quote now.

Don’t wait until it causes more damage to your network.


How do I know if Sodinokibi Ransomware has infected my system?

Sodinokibi / REvil ransomware is a Trojan that encrypts your entire PC or individual files. A popup message then gives you instructions to pay a specific ransom amount to decrypt your files.

First identified on 17th April, 2019, this virus is operated by the GOLD SOUTHFIELD group, which uses a Ransomware-as-a-Service model to distribute exploit kits, attack unprotected RDP servers, and install backdoor software. Some researchers claim that REvil is closely linked with the GandCrab ransomware.

Here is how REvil / Sodinokibi ransomware infects your computer or network:

  • A popup message tells you that your data has been encrypted and demands a ransom.
  • Sodinokibi will change the filename extensions to 0.686l0tek69
  • Your wallpaper will be changed.
  • You receive a 686l0tek69-HOW-TO-DECRYPT.txt file with the message on how to pay the ransom and recover your files
  • Your CPU utilization peaks at 100%
  • Your hard drives continue processing data in the background, making your system extremely sluggish.
  • You are barely able to open any application including your antivirus software, which gets deactivated.

What should I do when my data has been encrypted by Sodinokibi Ransomware?

  1. Immediately disconnect your system and any associated backup hard drives from the network to prevent the spread of the virus. For more information, visit the Ransomware Information site.
  2. Do not try to recover the files on your own. Leave the data recovery process to experts.
  3. Do not use any free decryptors, because in most cases the decryption key needed to decrypt your data is available only to the hackers.

How Does BeforeCrypt Help me in Recovering my Data from REvil Ransomware?

BeforeCrypt can help you as a serious and highly-effective partner should you be infected by Sodinokibi ransomware. We understand how dire the situation is and here’s how we’ll help you:

  1. FREE Damage assessment and quote.
  2. Timeframe communicated in advance.
  3. We will remotely access your network and provide an estimate of the data recovery.

While not recommended, paying ransom may be the only option left to recover your data. Let honest and credible experts do this for you, and we’ll make sure that the communication with the hackers on your behalf will be totally transparent.

We have a 100% data recovery success rate and have helped our clients infected by the nasty REvil Sodinokibi Ransomware to decrypt their files. Our expert negotiation with the hackers enables us to bring down the ransom demands and save you on the costs.

Call NOW for a Free quote!



Compared with other ransomware variants, the ransom amounts demanded by Sodinokibi criminals are much lower. The criminals use the dark web browser TOR to automate their revenues and manage costs.

But that doesn’t mean that these hackers aren’t smart enough to demand a hefty extortion amount based on the size of the organization. The average Sodinokibi ransom amount is somewhere between $2,500 and $260,000, with some victims reporting demands as high as $650,000. And the cost isn’t limited to the ransom demand.

Victims also face unexpected costs in buying and transferring bitcoins, mostly the 10% exchange fees that apply to quick-buy methods such as PayPal and/or credit cards.

[Chart: Sodinokibi Ransomware average ransom in USD $]

Downtime from Sodinokibi ransomware is relatively shorter than with normal ransomware attacks, since most attackers use automated TOR sites to accept payments and expedite the process.

Depending on your company size and how often you use IT systems in your daily business, this is the most expensive part of the incident. In addition to the unavailability of your IT systems, it damages your company’s reputation.

You need to get your systems back up and hit the ground running as soon as possible. We’ll ensure minimum downtime once you let experts like BeforeCrypt manage your situation and recover your data.

[Chart legend: Sodinokibi; All Ransomware]

There is a high chance of getting a working Sodinokibi decryptor after paying the attackers, because they use an automated process to accept payments and deliver the decryption tool. But there is never a guarantee of getting a working decryption key at all.

Most victims have reported successfully receiving a decryption key and getting their data back in its original form.

[Chart legend: Paid Decryption Successful; Paid Decryption Failed]

Unsecured Remote Desktop Protocol connections, phishing emails and the execution of malicious files are the primary ways in which Sodinokibi infects and encrypts your system.

  • Remote Desktop (RDP)
  • Phishing Emails
  • Security vulnerabilities

Name: Sodinokibi / REvil Virus - Sodinokibi / REvil Ransomware
Danger level: Very High. Advanced Ransomware which makes system changes and encrypts files
Release date: March 31st, 2019
OS affected: Microsoft Windows
Appended file extensions: Uses random 6-character extensions
Ransom note: "[000000]-HOW-TO-DECRYPT.txt" or "[000000]-readme.txt"
Contact email address: Payment is accepted through automated TOR site


Sodinokibi Ransomware Note #1: TOR website


This is an average Sodinokibi / REvil ransomware note.

Sodinokibi Ransomware Note #2: Text file


—=== Welcome. Again. ===—

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion XXX000.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise – time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site:
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjpp453534556nf6aq2342nmyoyd.onion/XXXXXXXXX

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website:

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:


Extension name:



!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions – its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

Almost always, there is a *.txt file in every folder that has been encrypted. The text file usually has the name “[000000]-HOW-TO-DECRYPT.txt” or “[000000]-readme.txt” and contains all the necessary information to contact the Sodinokibi / REvil Ransomware attackers to get your data back. It’s usually safe to open this file; just be sure the full file extension is *.txt.

Sodinokibi Ransomware Note #3: No Ransom Note At All


Sometimes the attackers leave the encrypted files without any Sodinokibi ransomware note. The file name usually does not contain any unique identifier; only the file extension is replaced with 6 random characters.

“file name.pdf.XXX000”
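
The note names and the appended extension described above are enough to scope an incident from a plain file listing. The following triage sketch is an added example, not BeforeCrypt's tooling: the function name `triage`, the 5-10 character extension range and the sample listings are assumptions made for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Note names as given on the page: "<ext>-HOW-TO-DECRYPT.txt" / "<ext>-readme.txt".
# Assumption: <ext> is 5-10 alphanumerics, which covers both the page's
# "6 random characters" and its "686l0tek69" sample.
NOTE_RE = re.compile(r"^([a-z0-9]{5,10})-(?:how-to-decrypt|readme)\.txt$", re.I)
# Appended-extension shape from the page: "file name.pdf.XXX000".
APPENDED_RE = re.compile(r"^.+\.[a-z0-9]{2,5}\.([a-z0-9]{5,10})$", re.I)

def triage(paths, min_cluster=3):
    """Return the suspected extension, the ransom notes and the affected files."""
    names = [(p, PureWindowsPath(p).name) for p in paths]
    notes = [(p, m.group(1).lower()) for p, n in names if (m := NOTE_RE.match(n))]
    if notes:
        # Normal case: the note's file name carries the appended extension.
        ext = Counter(e for _, e in notes).most_common(1)[0][0]
        basis = "ransom-note"
    else:
        # No-note case: fall back to one unusual trailing extension shared by
        # at least min_cluster files (a heuristic, so review the hits by hand).
        tails = Counter(m.group(1).lower() for _, n in names
                        if (m := APPENDED_RE.match(n)))
        top = tails.most_common(1)
        if not top or top[0][1] < min_cluster:
            return {"basis": "none", "extension": None, "notes": [], "encrypted": []}
        ext, basis = top[0][0], "extension-cluster"
    note_paths = [p for p, _ in notes]
    encrypted = [p for p, n in names
                 if n.lower().endswith("." + ext) and p not in note_paths]
    return {"basis": basis, "extension": ext,
            "notes": note_paths, "encrypted": encrypted}

# Constructed sample listings (not real victim data).
WITH_NOTE = [r"C:\Share\Finance\686l0tek69-HOW-TO-DECRYPT.txt",
             r"C:\Share\Finance\budget.xlsx.686l0tek69",
             r"C:\Share\Finance\invoice.pdf.686l0tek69",
             r"C:\Share\Finance\notes.txt"]
NO_NOTE = [r"D:\Docs\file name.pdf.a1b2c3", r"D:\Docs\plan.docx.a1b2c3",
           r"D:\Docs\photo.jpg.a1b2c3", r"D:\Docs\readme.txt"]

if __name__ == "__main__":
    for listing in (WITH_NOTE, NO_NOTE):
        r = triage(listing)
        print(r["basis"], r["extension"], len(r["encrypted"]), "file(s)")
```

Run it against a listing exported from a read-only copy of the affected share, so that nothing on the encrypted volume is modified.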




This is an average Sodinokibi / REvil ransomware attack. Copyright by GrujaRS / Predrag Grujić.




This is a demonstration of the Sodinokibi ransomware decryptor. Copyright by BeforeCrypt GmbH


Yes, we can help you to decrypt Sodinokibi ransomware variants. Depending on the variant and version of Sodinokibi ransomware, a Sodinokibi decryptor or a recovery option may be available. Please fill out the Ransomware Data Recovery form if you need help from ransomware experts in this emergency situation. You can also use free websites to check for a publicly available Sodinokibi decryption method. If you want to learn more about Sodinokibi ransomware itself, please visit the Sodinokibi ransomware variant page.

You will receive a decryptor executable, mostly called “000XXX-Decryptor.exe”. The decryptor can decrypt single files, folders or the entire computer including network drives, external HDDs and other removable devices. You also have the option to create a backup of the files, before starting the decryption process.

The Sodinokibi decryptor is completely individual for each victim ID. A decryptor.exe which you get from another victim, who has already received a Sodinokibi decryptor, will not work for you.

Sodinokibi ransomware creates multiple Windows registry entries, creates hidden executable files and sometimes opens a backdoor in firewalls for further access. There are multiple steps necessary, including the cleaning up of the Windows registry, scanning for malware and the manual cleanup of the Sodinokibi ransomware. Depending on the system environment, it is sometimes safer and faster to reinstall the operating system.

The most common attack vector for Sodinokibi ransomware is email phishing with malicious attachments, followed by unsecured RDP (Remote Desktop Protocol) connections and security vulnerabilities.

Sodinokibi ransomware encrypts files with the Salsa20 stream cipher algorithm. The key is encrypted using the AES-256-CTR algorithm (curve25519).

  1. We can reduce your downtime from ransomware significantly. We deal with over a hundred cases every year. We know what to do to keep the downtime for your company to an absolute minimum. You can benefit from our expert knowledge and don’t need to do time-intensive research by yourself. Most of our cases are completely resolved within 24-72 hours after we begin the recovery process.

  2. Don’t deal with criminals directly. Most companies don’t feel comfortable dealing with cyber-criminals. It can add a layer of stress and risk in this emergency. We handle all communication with the criminals for you according to all applicable laws and regulations to restore your data as fast as possible.

  3. Instant Ransomware Payment. We don’t recommend that you pay the ransom. But sometimes there’s no other way if backups and normal recovery methods fail. If you try to buy Bitcoins yourself, an intensive know-your-customer process is usually required, which takes 2-6 days for large amounts. To save you this trouble, we always have Bitcoins in stock and can make payments instantly.

  4. We don’t damage your data. We always use industry best practices to back-up your encrypted data, remove the Ransomware trojan and then restore your data with normal recovery methods or decrypt the data with the official software. This standardized process ensures that your data won’t get damaged and that the ransomware no longer spreads on your network.

  5. Easy Insurance Reporting: You receive a detailed report and a sample letter to easily submit all necessary information to your cyber-insurance. Cyber-insurance usually covers a huge part of the costs involved with ransomware incidents.

  1. Backup, Backup, Backup! Use a separate backup destination like a secure cloud storage provider or a local backup medium which is physically disconnected after a successful backup run.
  2. Install a Next-Gen Antivirus. Next generation anti-virus software combines a classic signature-based antivirus with powerful exploit protection, ransomware protection and endpoint detection and response (EDR).
  3. Install a Next-Gen Firewall. A Next-Gen Firewall is also called a Unified Threat Management (UTM) firewall. It adds a layer of security at every entry and exit point of your company data communication. It combines classic network security with intrusion detection, intrusion prevention, gateway antivirus, email filtering and many other features.


Need fast help with Sodinokibi ransomware recovery? Contact us now and get instant help from ransomware experts
