Malware analysis

Malware spotlight: Sodinokibi

Greg Belding
April 9, 2020 by
Greg Belding


Ransomware is not new at this point in time and will be with us for the foreseeable future, as new types of ransomware are constantly emerging. And sometimes, new ransomware makes a big impact fast. 

Sodinokibi is one of these strains of malware that needs to be taken seriously. Within four months of its discovery, it had managed to become the fourth most common ransomware on the internet! 

This article will provide you with a high-level view of the Sodinokibi ransomware. We’ll explore what it is, how it spreads, how it works and other useful information about this ransomware. 

What is Sodinokibi?

Sodinokibi was originally discovered in April 2019 by Cisco Talus and is sometimes referred to as Sodin and REvil. This ransomware-as-a-service (RaaS) targets Windows operating systems. It was originally discovered exploiting an Oracle WebLogic vulnerability and has been observed only affecting countries outside of the former states of the USSR. 

Part of what makes Sodinokibi so interesting is its origin. This goes back to the end of the GandCrab campaign, which has earned the notoriety of being responsible for 40% of all ransomware infections worldwide. This ransomware, like Sudinokibi, was a RaaS, and the cybercriminal gang behind it boasted earnings of over $2 billion dollars collected from victim ransom payments. 

Administrators of GandCrab had announced their retirement, which was apparently a retirement of GandCrab itself and not their campaigns for ill-gotten wealth. Instead, they shifted their focus to Sodinokibi, which has been described as being a “lucrative in the extreme” scheme for its authors.

It should be noted that whether Sodinokibi is the creation of the GandCrab gang is technically still not known, but there are some key indicators that it indeed is. To start, researchers have observed a clear code overlap between Sodinokibi and GandCrab. This has led researchers at security firm Secureworks to conclude that the groups behind the two ransomware families “overlap or are linked.”

Another interesting connection is that past affiliates of GandCrab have been identified as spending Bitcoin they received from Sodinokibi ransom payments at Hydra Market. Hydra is an infamous Russian cybercrime marketplace where cybercriminals trade illicit goods and services for Bitcoin. While this still is not definitive proof that the authors of the two ransomware are the same, these connections are likely not mere coincidence. 

How does Sodinokibi spread?

This ransomware is spread via many different methods, including spam campaigns, exploit kits, managed service providers, remote desktop protocols and unpatched VPNs. Several instances were discovered in April 2019 to have been dropped onto compromised servers and systems with zip files containing malicious script (JavaScript) via a malicious link in emails, which sheds light on a rather conventional ransomware-spreading method that required user interaction. 

Fast-forward just a few months and Sodinokibi is most notably spread via its RaaS affiliate network that does not require user interaction. It should be noted that as of this writing, Sodinokibi does not currently self-propagate. 

The effectiveness of Sudinokibi stems in part from the fact that Sodinokibi zip files have a very low rate of detection on VirusTotal. This means that most antivirus products will not flag initial payloads as being malicious. As such, the first level of defense for most organizations will be bypassed completely, which may be all it needs to establish the proverbial beachhead on a machine.

How does Sodinokibi work?

After Sodinokibi is installed, it immediately gets to work. The ransomware begins by creating a .txt file with the path of the encrypted files, with a random extension followed by -HOW-TO-DECRYPT.txt. Commands are then issued for Shadow Volume Copies to be deleted, as well as to disable Windows Startup Repair. 

Sodinokibi then encrypts files on a compromised computer and adds a random extension on each encrypted file that is unique to the computer. These extensions include a sizeable list of extensions such as .Jpeg, .Jpg, .tif, .raw, .bmp, .png, .max, .3dm, .db, .accdb, .mdb, .dxf, .dwg, .cs, .cpp, .asp, .php, .java, .gif and more. This process is done without the user having any knowledge of it until what happens next.

When encryption is complete, that’s when the user’s world is upended. Sodinokibi changes the desktop background to a ransom note that tells the user how much Bitcoin will be required to decrypt their important files; this amount can vary, but anywhere from .32 to .41 Bitcoin can be expected. Sometimes they go into the millions of dollars if the victim organization is well-established with deep pockets. This ransom note also contains instructions about how the user can decrypt their files, including links to a website where they can make their ransom payment and unique keys. 

Vulnerabilities it exploits

As mentioned earlier, Sodinokibi can propagate by exploiting vulnerabilities. While this is not an exclusive list, some of its favorite ones to exploit are:

  • CVE-2019-2725: A vulnerability impacting Oracle WebLogic Server 
  • CVE-2018-8453: This a vulnerability of a Win32k.sys component involving privilege escalation


Sodinokibi is a prolific instance of ransomware that has quickly established itself as one of the most common ransomware families on the internet today, and if you consider its ability to sidestep the first layer of information security protection used by many organizations, we are looking at potentially the internet’s top ransomware threat relatively soon. 

The good thing is that standard cybersecurity training measures will go the distance in preventing this ransomware from impacting you and forcing your organization to have to pay thousands or even millions of dollars to decrypt your important files.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.



  1. Dissecting the threat from Sodinokibi ransomware, Cyware News
  2. Sodinokibi: The Crown Prince of Ransomware, Cybereason
  3. Unpatched VPN makes Travelex latest victim of “REvil” ransomware, Ars Technica
  4. Sodinokibi Ransomware Gang Appears to Be Making a Killing, Bank Info Security
Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.