Sodinokibi Ransomware Recovery

Has Sodinokibi Ransomware hit your company? If files got encrypted and backups fail, it is a company wide emergency. This site provides all the important information about the Sodinokibi ransomware (a.k.a REvil and Sodin) itself, decryption, recovery, removal and statistics. Please review the information below or contact our support team, to get fast help with Sodinokibi ransomware recovery.


How do I know if Sodinokibi Ransomware has infected my system?

Sodinokibi / REvil Ransomware are Trojans that encrypt your entire PC or individual files. The Ransomware Trojan then asks you to pay a ransom to decrypt the data again.

  • There are a number of signs pointing to a REvil / Sodinokibi ransomware infection:

  • You receive a message that your data is encrypted and that you have to pay a ransom.
  • The names of your files or file extensions change suddenly
  • The desktop wallpaper has suddenly disappeared
  • CPU utilization is 100%, although you hardly use any applications
  • Your computer reacts very slowly to commands
  • The hard disk seems to process data without pause
  • Your virus protection is deactivated and cannot be started

What should I do when my data has been encrypted by Sodinokibi Ransomware?

Shut down your computer or server in the usual way and disconnect all network connections immediately, including any data storage devices and online cloud storage. For more details please visit the Ransomware Information site.

Do not pay the ransom or try to remove the Sodinokibi ransomware trojan on your own. You should leave the removal of ransomware and, the subsequent recovery of your valuable company data, exclusively to experts.

BeforeCrypt can help you as a serious and highly-effective partner should you be infected by Sodinokibi ransomware. Thanks to our experience and knowledge, we can recover 100% of your encrypted data in most cases.

Keep calm! Contact us, and we can help you!

Ransomware Recovery Ransomware Decryption


Sodinokibi ransom amounts are usually a little lower than other ransomware as attackers use automated TOR sites to reduce their costs.

However, these attackers have been known to demand for varying amounts based on their perceived idea of the size of the organization. The average Sodinokibi ransom amount is somewhere between $2,500–$260,000. There have been some attackers who have demanded for $650,000. In addition, approximately 10% of Bitcoin exchange fees will apply to the use of quick-buy methods such as PayPal or credit card.

  • Sodinokibi Ransomware average ransom in USD $

The Sodinokibi ransomware downtime is a relatively shorter than normal ransomware attacks. Most attackers use automated TOR sites for accepting payments and this expedites the process.

Depending on your company size and how often you use IT-systems in your daily business, this is the most expensive part of this incident. Additional to the unavailability of your IT-systems, this is damaging your company reputation.

Your goal should be to get your systems back to a productive state as soon as possible. The best way to do this is to call in experts, which have a vast knowledge of Sodinokibi ransomware and get the IT-systems back up running.

  • Sodinokibi
  • All Ransomware

There is a high chance to get a working Sodinokibi decryptor after paying the attackers. This is because they use an automated process to accept payments and deliver the decryption tool. But there’s never a guarantee to get a working decryption key at all.

  • Paid Decryption Successful
  • Paid Decryption Failed

The most common attack vector for Sodinokibi ransomware is an unsecured RDP-Connection (Remote Desktop Protocol). Followed up by phishing emails and security vulnerabilities.

  • Remote Desktop (RDP)
  • Phishing Emails
  • Security vulnerabilities
NameSodinokibi / REvil Virus - Sodinokibi / REvil Ransomware
Danger levelVery High. Advanced Ransomware which makes system changes and encrypts files
Release dateMarch 31st, 2019
OS affectedMicrosoft Windows
Appended file extensionsUses random 6-character extensions
Ransom note"[000000]-HOW-TO-DECRYPT.txt" or "[000000]-readme.txt"
Contact email addressPayment is accepted through automated TOR site


Sodinokibi Ransomware Note #1: TOR website


This is an average Sodinokibi /  REvil ransomware note.

Sodinokibi Ransomware Note #2: Text file


—=== Welcome. Again. ===—

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion XXX000.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise – time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site:
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjpp453534556nf6aq2342nmyoyd.onion/XXXXXXXXX

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website:

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:


Extension name:



!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions – its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

Almost always, there is a * .txt file in every folder that has been encrypted. The text file usually has the name “[000000]-HOW-TO-DECRYPT.txt” or “[000000]-readme.txt” and contains all the necessary information to contact the Sodinokibi  / REvil Ransomware attackers to get your data back. It’s usually safe to open this file, just be sure the full file extension is *.txt.

Sodinokibi Ransomware Note #3: No Ransom Note At All


Sometimes the attackers leave the encrypted files without any Sodinokibi ransomware notes. The file name usually does not contain any unique identifier and it is only the file extension that is replaced to 6 random characters.

“file name.pdf.XXX000”



By loading the video, you agree to YouTube's privacy policy.
Learn more

Load video

This is an average Sodinokibi / REvil ransomware attack. Copyright by GrujaRS / Predrag Grujić.



By loading the video, you agree to YouTube's privacy policy.
Learn more

Load video

This is a demonstration of the Sodinokibi ransomware decryptor. Copyright by BeforeCrypt GmbH


Yes, we can help you to decrypt Sodinokibi ransomware variants. Depending on the variant and version of Sodinokibi ransomware, it could be possible that there is a Sodinokibi decryptor or a recovery option available. Please fill out the Ransomware Data Recovery form, if you need help from ransomware experts in this emergency situation.  You can also use free websites to check for a public available Sodinokibi decryptor method, too. If you want to learn more about Sodinokibi ransomware itself, please visit the Sodinokibi ransomware variant page.

You will receive a decryptor executable, mostly called “000XXX-Decryptor.exe”. The decryptor can decrypt single files, folders or the entire computer including network drives, external HDDs and other removable devices. You also have the option to create a backup of the files, before starting the decryption process.

The Sodinikibi decryptor is completely individual for each victim ID. A decryptor.exe which you get from another victim, who has already received a Sodinokibi decryptor, will not work for you.

Sodinokibi ransomware creates multiple Windows registry entries, creates hidden executable files and sometimes opens a backdoor in firewalls for further access. There are multiple steps necessary, including the cleaning up of the Windows registry, scanning for malware and the manual cleanup of the Sodinokibi ransomware. Depending on the system environment, it is sometimes safer and faster to reinstall the operating system.

The most common attack vector for Sodinokibi ransomware is by utilized email phishing with malicious attachments. It is followed up by an unsecured RDP-Connection (Remote Desktop Protocol) and security vulnerabilities.

Sodinokibi ransomware encrypts files with a Salsa20 stream cipher algorithm. The key is encrypted using the AES-256-CTR algorithm (curve25519).

  1. We can reduce your downtime from ransomware significantly. We’re dealing with over a hundred cases every year. We know what to do, to keep the downtime for your company to an absolute minimum. You can benefit from our expert knowledge and don’t need to do time-intensive researches by yourself.

  2. Don’t deal with criminals directly. Most companies don’t feel comfortable dealing with cyber-criminals. It can add a layer of stress in this company-wide emergency. We handle the whole communication with the criminals for you, providing all the necessary information upfront, to restore your data as fast as possible.

  3. Instant Ransomware Payment. We don’t recommend that you pay the ransom. But sometimes there’s no other way if backups and normal recovery methods fail. If you try to buy Bitcoins yourself, you run through an intensive Know-your-customer process, which usually takes2-6 days, if you try to buy higher amounts of Bitcoins. For this case, we always have Bitcoins in stock and can do an instant-payment for you.

  4. We don’t damage your data. In every case, we use best-practice methods to back-up your encrypted data first, remove the Ransomware trojan and then restore your data with normal recovery methods or decrypt the data with the official software. This standardized process ensures that your data won’t get damaged and that the ransomware no longer spreads on your network.

  5. Easy Insurance Reporting: You receive a detailed report and a sample letter, to easily submit this case to your cyber-insurance. Cyber-insurance usually covers a huge part of the costs involved with ransomware incidents.
  1. Backup, Backup, Backup! Use a separated backup destination like a secure cloud storage provider or a local backup medium, which gets physically disconnected after a successful backup run.
  2. Install a Next-Gen-Antivirus. It combines a classic signature-based antivirus with powerful exploit protection, ransomware protection and endpoint detection and response (EDR).
  3. Install a Next-Gen-Firewall. A Next-Gen-Firewall is also called Unified threat management (UTM) firewall. It adds a layer of security at every entry and exit point of your company data communication. It combines classic network security with intrusion detection, intrusion prevention, gateway antivirus, email filtering and many more.

Load More

Need fast help with Sodinokibi ransomware recovery? Contact us now and get instant help from ransomware experts

Ransomware Recovery Data