Sodinokibi


Sodinokibi, also called REvil, is a dangerous ransomware-type malware. Among other techniques, it uses advanced encryption and can operate without a connection to its control servers. Sodinokibi is among the most complex ransomware families in the world.

Type: Ransomware
Origin: ex-USSR
First seen: 1 April, 2019
Last seen: 23 April, 2023
Also known as: REvil, Sodin




What is Sodinokibi ransomware?

Sodinokibi, sometimes also called REvil, is ransomware-type malware: it encrypts files on infected machines and demands a ransom from the victims to restore the files. Sodinokibi is distributed under a Ransomware-as-a-Service business model, allowing anyone who can pay to become an operator of the virus.

Sodinokibi is very sophisticated ransomware, seemingly developed by a group with vast experience in the field. It bears a lot of similarities to another malware called GandCrab, so much so, in fact, that it is believed to be created by the same group of cybercriminals. However, Sodinokibi can be considered a significantly upgraded version of its predecessor.

Sodinokibi ransomware encrypts files with curve25519/Salsa20 and encrypts keys with curve25519/AES-256-CTR. The malware uses two public keys to encrypt the private key of the user. In addition, this virus utilizes command and control server obfuscation and can operate using an asymmetric key scheduling algorithm, which allows the malware to function without a connection to the C2.

General description of Sodinokibi

Sodinokibi first appeared on the radar of cybersecurity researchers in April of 2019, when the malware was featured in a campaign that exploited the Oracle WebLogic Server vulnerability.

The campaign began shortly before another similar malware called GandCrab was officially shut down for good. Some researchers believe that Sodinokibi is a “spiritual successor” of that malware, while others support the theory that it is, in fact, the next generation of the same virus. Some evidence suggests that this theory is correct.

Among such evidence are the vast similarities in the code of both malware families and the fact that, in the early stages of the Sodinokibi life cycle, criminals used to deploy GandCrab after running Sodinokibi on all infected machines as a precaution, likely because Sodinokibi wasn’t yet thoroughly tested in operation.

Another piece of evidence in favor of this theory is an attack that took place in February 2019, when GandCrab was used to infect victims by compromising Managed Service Providers. Some time later, the same type of attack took place again, this time featuring Sodinokibi ransomware.

In addition, the fact that Sodinokibi became popular just as its predecessor started to cease operations cannot be ignored, and it would be strange to treat it as a coincidence. On top of that, both malware families use very similar distribution methods, something we will explore later in the article.

Finally, it is thought that the GandCrab authors started “feeling the heat” and, worried that their operation could be uncovered, decided to go under the radar by terminating sales in favor of a more advanced malware that could be sold to private parties.

Of course, none of these points is solid evidence on its own, and we can only presume that both viruses are the work of the same people.

Let’s talk about the behavior of Sodinokibi ransomware.

At the beginning of the execution process, the malware creates a mutex with a hardcoded name. Then, it decrypts its embedded configuration. At this stage, Sodinokibi tries to obtain system privileges by exploiting CVE-2018-8453. In some cases, this step is omitted in the configuration or may not succeed. It then tries to obtain privileges by running as an administrator.

Following the privilege escalation stage, the ransomware collects basic system and user data. If it finds that the UI or keyboard layout is set to one of the pre-programmed languages, execution is terminated. Many of these languages originate from post-USSR territories, suggesting that the malware authors also come from ex-USSR lands.

When the target PC lacks the specified UI or keyboard layout languages, the virus terminates the processes listed in the PRC value of its configuration and proceeds to erase shadow copies. At this point, the data encryption process begins. The ransomware encrypts all user files unless exceptions are found in the configuration. This is where an attacker can customize their campaign. An extension is then appended to all encrypted documents, and a README text file is placed in directories. The wallpaper is changed to the ransom demand message.

The attackers can customize the contents of the ransom note and the README file in the config file. Once again, this gives the malware the flexibility it needs to operate as ransomware-as-a-service: different attackers can demand ransoms of various sums and provide custom instructions to victims.

Sodinokibi ransomware analysis

ANY.RUN provides the ability to watch Sodinokibi in action and perform the ransomware analysis in an interactive virtual sandbox.

Figure 1: Sodinokibi execution process graph, illustrating the processes launched by Sodinokibi during its life cycle.

Figure 2: Workstation desktop after Sodinokibi infection, with the wallpaper replaced by the ransom message.

Sodinokibi execution process

Sodinokibi won't run malicious activity on systems where the UI and keyboard languages are set to specific values, such as Russian, Ukrainian, and 18 others. Although Sodinokibi is a "qualitative" type of malware, its execution and system infection process is, in general, quite straightforward and similar to other ransomware: it encrypts files, erases shadow copies, and places ransom notes across the file system. The process tree also doesn't look very exciting, because all main activities are performed by a single executable. For all infected files, the ransomware changes the extension to a generated one. The added extension is the same as a unique ID, produced by combining a hash of the value returned by the CPUID instruction with the volume serial number. It should be noted that Sodinokibi will also try to encrypt files on network shares. After completion of the encryption process, the ransomware sets the background wallpaper to a ransom message.
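The behaviour chain described above (shadow copies erased, one generated extension appended to files including those on network shares, a note dropped in every directory, wallpaper replaced) is what a defender would key on. The script below is an added example, not ANY.RUN's own tooling, and assumes a constructed "kind|process|detail" event format; the extension, note name and paths in the sample are invented.

```python
from collections import defaultdict

# Constructed sample sandbox events ("kind|process|detail"); not a real log format.
SAMPLE_EVENTS = [
    "proc|cmd.exe|vssadmin.exe delete shadows /all /quiet",
    "rename|sample.exe|C:\\Users\\bob\\Docs\\a.docx -> C:\\Users\\bob\\Docs\\a.docx.k5n3a",
    "rename|sample.exe|C:\\Users\\bob\\Docs\\b.xlsx -> C:\\Users\\bob\\Docs\\b.xlsx.k5n3a",
    "rename|sample.exe|C:\\Users\\bob\\Pics\\c.jpg -> C:\\Users\\bob\\Pics\\c.jpg.k5n3a",
    "rename|sample.exe|\\\\fileserver\\share\\d.pdf -> \\\\fileserver\\share\\d.pdf.k5n3a",
    "create|sample.exe|C:\\Users\\bob\\Docs\\k5n3a-readme.txt",
    "create|sample.exe|C:\\Users\\bob\\Pics\\k5n3a-readme.txt",
    "create|sample.exe|\\\\fileserver\\share\\k5n3a-readme.txt",
    "reg|sample.exe|HKCU\\Control Panel\\Desktop\\Wallpaper = C:\\Temp\\wp.bmp",
]

def _dirname(path):
    return path.rsplit("\\", 1)[0]

def analyze(events, min_files=3, min_dirs=2):
    """Score the ransomware chain: shadow copies erased, one extension appended to
    many files across directories, the same note in several directories, wallpaper set."""
    ext_files = defaultdict(set)   # appended extension -> renamed paths
    note_dirs = defaultdict(set)   # created basename -> directories it appeared in
    f = {"shadow_copy_deletion": False, "wallpaper_changed": False}
    for line in events:
        kind, _proc, detail = line.split("|", 2)
        d = detail.lower()
        if kind == "proc" and "vssadmin" in d and "delete shadows" in d:
            f["shadow_copy_deletion"] = True
        elif kind == "rename" and " -> " in detail:
            old, new = detail.split(" -> ", 1)
            if new.startswith(old + "."):        # extension appended, not replaced
                ext_files[new[len(old) + 1:].lower()].add(new)
        elif kind == "create":
            note_dirs[detail.rsplit("\\", 1)[-1].lower()].add(_dirname(detail))
        elif kind == "reg" and "\\desktop\\wallpaper" in d:
            f["wallpaper_changed"] = True
    ext, paths = max(ext_files.items(), key=lambda kv: len(kv[1]), default=(None, set()))
    dirs = {_dirname(p) for p in paths}
    if ext and len(paths) >= min_files and len(dirs) >= min_dirs:
        f.update(appended_extension=ext, files_renamed=len(paths), dirs_hit=len(dirs),
                 network_share_touched=any(p.startswith("\\\\") for p in paths))
    notes = [n for n, ds in note_dirs.items() if len(ds) >= min_dirs]
    f["ransom_note"] = notes[0] if notes else None
    f["score"] = sum(bool(f.get(k)) for k in
                     ("shadow_copy_deletion", "appended_extension", "ransom_note", "wallpaper_changed"))
    return f
```

A score of 4 on the constructed sample means all four stages of the chain were observed; the thresholds exist so a single renamed file or one note does not trigger on its own.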

Interestingly, the authors of Sodinokibi created a high-quality website at the domain decryptor.top, where victims can use a trial decryptor and decrypt three images for free. Besides the decryption function, this website provides a countdown (after the time runs out, the ransom amount is raised to 5 000 dollars), instructions on how to buy bitcoins and where to send them, and information about the decryption process. If decryptor.top is not available, victims can visit its .onion clone through the Tor browser.

How does Sodinokibi spread?

To infiltrate the machines of its victims, Sodinokibi takes advantage of several infection vectors, most of which are very similar to those of its predecessor, GandCrab.

The RaaS is known to exploit the CVE-2019-2725 vulnerability and to use the RIG exploit kit. Additionally, Sodinokibi spreads via compromised managed service providers. And, as icing on the cake, on top of the attack vectors mentioned above, this ransomware is often distributed in malicious spam campaigns.

Sodinokibi communication with C&C

Interestingly, while many ransomware families, Maze for example, need to connect to a C2 to exchange encryption keys, Sodinokibi uses what is called an asymmetric key scheduling algorithm.

It enables the RaaS to operate without any network connection, giving the victim no chance to capture data that could help with file decryption. However, attackers can optionally establish a connection with the control server to retrieve general system data from infected machines by tweaking the config file.

System and user data are then transmitted to a broad list of web domains, many of which look completely real and legitimate, possibly compromised WordPress websites, included in large numbers to hide the real C&C address. In return, Sodinokibi receives and reads the response from the server, but the response is not saved or used in any way during operation.

How to prevent Sodinokibi attacks?

While the use of vulnerabilities allows this ransomware to infect machines without any user action, basic rules of online hygiene can still greatly decrease the probability of “catching” this virus.

In particular, not downloading attachments from suspicious emails or emails that arrive from unknown senders, and keeping macros disabled in Microsoft Office, completely guarantees that one won’t be infected with Sodinokibi via a malicious spam email campaign.

How to get more information from Sodinokibi ransomware analysis?

Since the crooks behind Sodinokibi offer decryption of three images for free, you can use the interactivity of ANY.RUN to take additional steps in your ransomware analysis. Open the website specified in the ransom note in the browser and follow all the steps to decrypt the images to get a bigger picture of the ransomware infection process.

Figure 3: Sodinokibi payment website

Conclusion

Since its introduction in 2019, thousands of computers have been infected with Sodinokibi, and this malware continues to be an ongoing danger.

Borrowing much of its functionality from the already quite powerful GandCrab ransomware, Sodinokibi improves on it even further to become a real powerhouse among ransomware. Unfortunately, the evidence suggests that this malware is developed by experienced cybercriminals who know how to build and distribute a virus. Its accessibility, thanks to the malware-as-a-service business model, makes it a real threat to businesses and individuals worldwide.

Thankfully, malware analysis services like ANY.RUN allow cybersecurity researchers to study such threats and prepare their defenses accordingly.
