This post is also available in: Danish

Cyberattacks have become a part of our reality, but have you ever wondered what might happen if your company gets targeted? You probably imagine that you would lose some money and a great deal of time, maybe fire an employee or too, lose a few clients and have your reputation tainted or eventually even deal with a lawsuit. If these aren’t serious and bad enough for you to take cybersecurity seriously, let me tell you this: cyberattacks have just turned deadly. It happened this month in Germany,  where “A person in a life-threatening condition passed away after being forced to go to a more distant hospital due to a ransomware attack.” Speaking of ransomware…you should pay particular attention to Sodinokibi ransomware. 

Sodinokibi ransomware is a perfect example of Ransomware-as-a-Service, a cybercrime that involves two groups teaming up for the hack: the code authors who develop the ransomware and the affiliates that spread it and collect the ransom. 

As SecurityBoulevard says, Sodinokibi is “the apparent heir to a strain known as GandCrab. The security community believes GandCrab is responsible for 40 per cent of all ransomware infections globally. It has taken in around $2 billion in ransom. Then, earlier this year, the creators of GandCrab announced the malware’s retirement.” 

Discovered in April 2019, Sodinoki is a highly evasive and upgraded ransomware, which uses a special social engineering move – the ones who spread it threaten to double the ransom if not paid within a certain number of days. This aspect makes Sodinoki ransomware dangerous for companies of all sizes. Also known as Sodin or REvil, Sodinokibi shortly became the 4th most distributed ransomware in the world, targeting mostly American and European companies. 

How does Sodinokibi ransomware work? 

Most of the times, Sodinokibi ransomware is spread by brute-force attacks and server exploits, but it’s not uncommon either to get infected through malicious links or phishing. Exploiting an Oracle WebLogic vulnerability and often bypassing antivirus software, Sodinokibi downloads a .zip file with the ransom code, written in JavaScript, moves through the infected network and encrypts files, appending a random extension to them. Particularly dangerous is the fact that Sodinokibi may reinstall itself as long as the original ransom code is not deleted. 

Does Sodinokibi ransomware steal data? 

Stealing data from ransomware victims before encrypting devices and using the stolen files as leverage to get paid is a tactic that the Maze Ransomware operators have started to bring into force. Since then, Sodinokibi, DoppelPaymer and Nemty followed their lead.  According to BleepingComputer, until March 2020, the Sodinokibi ransomware operators had published over 12 GB of stolen data “allegedly belonging to a company named Brooks International”. Moreover, “other hackers and criminals have started to distribute and sell this data on hacker forums”, as you can see in the image below “where a member is selling a link to the stolen data for 8 credits, which is worth approximately 2 Euros”: 

sodinokibi ransomware - being sold

Source: BleepingComputer

Who fell victim to Sodinokibi ransomware? 

Among the first victims of Sodinokibi ransomware were two Florida states. SecurityBoulevard describes the attacks from May 2019: 

The City of Riviera Beach, Florida, agreed to pay $600,000 for the decryption key to unlock their files. Weeks later, the city of Lake City, Florida, relented to a $450,000 ransom payment as well. Each of these cities faced service disruption after being infected. Some of these services included email, phones, police records, the public works department, the library, 911 emergency, and general offices. Because these towns do not have the personnel or knowledge base to remediate these attacks, paying the ransom seemed to be the best bet.

These attacks were followed by another impressive one, against Texas:  

In a highly coordinated attack, hackers were able to bring down 22 separate municipalities, including the cities of Borger and Keene. The perpetrators of the attack then asked for a collective $2.5 million to release everyone caught in the net. Fortunately, the infected Texas municipalities received state-issued resources from Texas A&M University and the Texas Military Department.

In August 2019, Sodinokibi operators targeted PerCSoft, a company specialized in backup services for UK dental offices: more than 400 dental offices were affected during the attack. PerCSoft claimed that no data was accessed during the attack they presented as a virus infection, but it would appear that “a private Facebook group of IT professionals serving the dental industry shared […] screenshots that hint that the victim firm has paid the ransom to decrypt the data.”  The most notable example of a Sodinokibi ransomware attack is probably the one on Travelex, a famous currency exchange company. On this subject, SecurityBoulevard notes: 

An unnamed source within Travelex disclosed to The Wall Street Journal (WSJ) that the company paid $2.3 million in Bitcoin in an effort to restore functionality to its systems following a ransomware attack. Travelex was hit with a ransomware attack on New Year’s Eve, and it took a couple of weeks to restore some of its basic services, with the consumer side having to wait until February. The breadth of the attack was staggering, as the hackers infiltrated the company’s infrastructure six months before attacking with ransomware. Hackers didn’t just linger around the network. They used the time to exfiltrate valuable information, 5GB in total, which they then used to blackmail the company after deploying ransomware. […] In the Travelex attack, the hackers used Sodinokibi ransomware and an unpatched critical vulnerability in Pulse Secure VPN servers. Companies were warned about this particular VPN vulnerability, but some companies didn’t update their systems in time.

What can you do to prevent Sodinokibi Ransomware? 

As Fernando Ruiz, head of operations at Europol’s European Cybercrime Center says, “Criminals behind ransomware attacks are adapting their attack vectors, they’re more aggressive than in the past – they’re not only encrypting the files, they’re also exfiltrating data and making it available”.  In order to defend your company from this kind of menace, you need to approach the matter from various angles: 

sodinokibi ransomware - prevention strategy

The first one is education-oriented:


This might seem tech-related, but we think of it more as common knowledge: how could you not have backups for your essential data? You should store it both online and offline and take time to test your ability to revert to backups during a potential incident. 

Train your employees!

User awareness is one of the most reliable methods to prevent an attack, so make sure you take the time to educate your employees and advise them to report to the security teams as soon as they notice something unusual. They should be aware of phishing techniques and other social engineering tactics cybercriminals may use to get into your organisation.

The second one – technology-related:

Keep your systems up-to-date. 

Updates help you close security holes that many viruses use to enter your computers. Since dealing with patches is a resource and time-consuming task, the best option for you to stay safe from Sodinokibi and other ransomware would be to deploy an automated solution like our Heimdal™ Patch & Asset Management.  

Heimdal Official Logo
Antivirus is no longer enough to keep an organization’s systems secure.

Heimdal™ Threat Prevention - Endpoint

Is our next gen proactive shield that stops unknown threats before they reach your system.
  • Machine learning powered scans for all incoming online traffic;
  • Stops data breaches before sensitive info can be exposed to the outside;
  • Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today Offer valid only for companies.

Protect your email. 

Many hackers rely on you not paying attention to what your emails actually contain and hope you’ll get infected by opening a malicious attachment or clicking on a fake link. Try to always hover over the links you want to access to make sure they lead where they’re supposed to lead and never open attachments or access links received from unknown, unexpected, or unwanted sources. You should also think about an email protection solution, like our Heimdal™ Email Security

Heimdal Official Logo
Email communications are the first entry point into an organization’s systems.

Heimdal™ Email Fraud Prevention

Is the next-level mail protection system which secures all your incoming and outgoing comunications.
  • Deep content scanning for attachments and links;
  • Phishing, spear phishing and man-in-the-email attacks;
  • Advanced spam filters to protect against sophisticated attacks;
  • Fraud prevention system against Business Email Compromise;
Try it for FREE today Offer valid only for companies.

Get a reliable antivirus. 

A good antivirus is essential for the cybersecurity of any company. To be as protected as you can be, we recommend you to choose a powerful tool that can offer DNS filtering, real-time scanning, traffic-based malware blocking and multi-layered AI-powered protection. You can also consider our EDR Software – a multi-layered security suite that brings together threat hunting, prevention, and mitigation in one package, for the best endpoint protection.

Heimdal Official Logo
Simple standalone security solutions are no longer enough.


Is an innovative multi-layered security approach to organizational defense.
  • Next-gen Antivirus & Firewall which stops known threats;
  • DNS traffic filter which stops unknown threats;
  • Automatic patches for your software and apps with no interruptions;
  • Privileged Access Management and Application Control, all in one unified dashboard
Try it for FREE today Offer valid only for companies.

Wondering what to do in case of infection and how to remove Sodinokibi Ransomware?

In case your company is attacked or you hear that someone you know has troubles with Sodinokibi ransomware, the first thing you should know or tell them is to not pay the ransom! As the FBI says, 

 In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key. Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Regardless of whether you or your organisation have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable […], and prevent future attacks.

You can try to remove the ransomware and, at least partially, restore your data by following a few steps: 

Step 1: Remove Sodinokibi ransomware through “Safe Mode with Networking”

MalwareGuide explains:  – for Windows XP / Windows 7

Boot the PC in “Safe Mode”. Click on the “Start” option and continuously press on F8 during the start process until the “Windows Advanced Option” menu appears on the screen. Choose “Safe Mode with Networking” from the list. Now, a Windows home screen appears on the desktop and work-station is now working on “Safe mode with networking”.

– for Windows 8

Go to the “Start Screen”. In the search results select settings, type “Advanced”. In the “General PC Settings” option, choose the “Advanced startup” option. Again, click on the “Restart Now” option. The work-station boots to “Advanced Startup Option Menu”. Press on “Troubleshoot” and then “Advanced options” button. In the “Advanced Option Screen”, press on “Startup Settings”. Again, click on the “Restart” button. The work-station will now restart into the “Startup Setting” screen. Next is to press F5 to boot in Safe Mode in Networking.

– for Windows 10

Press on the Windows logo and on the “Power” icon. In the newly opened menu, choose “Restart” while continuously holding the “Shift” button on the keyboard. In the newly open “Choose an option” window, click on “Troubleshoot” and then on the “Advanced Options”. Select “Startup Settings” and press on “Restart”. In the next window, click on the “F5” button on the keyboard.

Step 2: Delete Sodinokibi ransomware using “System Restore”

At this step, MalwareGuide suggests: 

During the “Startup”, continuously press on the F8 key until the “Advanced Option” menu appears. From the list, choose “Safe Mode with Command Prompt” and then press “Enter”. In the newly opened command prompt, enter “cd restore” and then press “Enter”. Type: rstrui.exe and Press “ENTER”. Click “Next” on the new window. Choose any of the “Restore Points” and click on “Next”. (This step will restore the work-station to its earlier time and date prior to Sodinokibi ransomware infiltration in the PC. In the newly opened windows, press on “Yes”.

After the process is complete, you should use an anti-malware tool to scan for any Sodinokibi ransomware files left. 

Sodinokibi Ransomware: Wrapping Up 

Since there is no free decryption tool or a foolproof method that can completely decrypt Sodinokibi ransomware encrypted files and paying the ransom to get your data back from the hackers shouldn’t be an option, prevention remains the most effective approach.  Whatever you choose, please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it.  Drop a line below if you have any comments, questions or suggestions – we are all ears and can’t wait to hear your opinion!

Leave a Reply

Your email address will not be published. Required fields are marked *