What is Sodinokibi?
Sodinokibi Ransomware is also known as REvil or Sodin, discovered by S!Ri. It is a ransomware-type program created by cyber criminals to encrypt files stored on victim’s computers and make them pay to access the files. The name of the text file depends on the extension added to the encrypted file. For example, if the extension is “.24759tek99″ (and the encrypted file is renamed from, for example, “1.jpg” to “1.jpg.24759tek99”), the ransom message filename will be called “24759tek99-HOW-TO-DECRYPT.txt”.
The victims get a message from the hacker explaining how the victims can pay them in order to decrypt their file, along with two websites links where the victims should pay them. The victims get two days to pay a ransom of $2500 and later, the cost is doubled to $5000. After the payment, the victims can reload the website and they will get the decrypt tool to download for their files. According to cybercriminal, if the victim uses third party tools to decrypt the file then it will be a big problem to the victim. They will lose their data permanently, and unfortunately there are no such tools created to decrypt the files which are encrypted by Sodinokibi ransomware.
How does the ransomware infect a computer?
Malicious programs such as spam, campaigns, Trojan, software ‘cracking’ tools, fake software updaters and dubious software download sources are most commonly used ways to proliferate ransomware. The hackers send phishing emails and lots of people fall for such scams clicking on the suspicious links, downloading pdf documents or images. When they click on the link or download the documents, the ransomware, Trojan and other high-risk malware will get downloaded and installed quickly. Once the Trojan is already installed, it will cause another threat, and hence it will create a chain infection. Programs such as untrusty download sources will distribute ransomware and by using software ‘cracking’ tools, people often risk having malicious programs installed. Below image is a summary of the Sodinoibi ransomware.
|Threat Type||Ransomware, Crypto Virus, Files Locker|
|Ransom Demanding Message||Text file, desktop wallpaper, website|
|Detection Name||Avast (Win32:Malware-gen), BitDefender (Trojan.GenericKD.31927370), ESET-NOD32 (a variant of Win32/GenKryptik.DGSJ), and for more click here.|
|Symptoms||Cannot open files stored on your computer and previous files will have a different extension (eg. my.docx.locked). A ransom demand message is displayed on your desktop. Cyber criminals demand payment of a ransom (in Bitcoins) to decrypt the files.|
|Distribution methods||Infected email attachments ( macros), torrent websites, malicious ads.|
|Damage||Password-stealing trojans and malware infections can be installed together with a ransomware infection.|
|Malware Removal||For macs – Download Combo Cleaner|
What are some preventive measures to protect from the ransomware?
There are many ways to prevent our computer from the ransomware attacks by relying and using official and trustworthy websites when downloading software. It is very important to avoid using free software as it is illegal and it often causes computer infections. Cybersecurity awareness is very important for all people. People should avoid emails or messages received from suspicious addresses. To automatically eliminate the Sodikinobi ransomware for macOS users, download and run a san with Combo Cleaner Antivirus for macOS. For window users, it is highly recommended to start your computer with Safe Mode with Networking from Windows Advanced Option menu during the computer start process. The other way to protect your Windows operating system is to by going to Startup Setting and selecting option number (5) Enable Safe Mode with Networking. On the other hand, Oracle has already released a patch to fix the vulnerabilities, download and install the patch immediately. In addition, it is always the best option to maintain regular backups and restore files using a backup before the ransomware attack. In case if some victims need help to restore their data, there are two companies Emisoft and Coveware. In order to receive help victims should contact LIFARS.