Industry News

What is the Sodinokibi Ransomware?

What is the Sodinokibi Ransomware - stylised cybersecurity image

What is the Sodinokibi ransomware? And why should your IT security team be worried about it?

The Sodinokibi ransomware is one of the latest “innovations” of the hacker world. It has been troubling organisations across the globe for over a year, causing direct financial losses in the millions, let alone the damage to reputations.

Additionally, ransomware as a whole became a bigger concern for businesses due to the accelerated digitisation caused by the COVID-19 pandemic. Ransomware attacks increased by 20% during the early pandemic months, making malware like Sodinokibi an even bigger concern.

What is the Sodinokibi Ransomware?

As ransomware, Sodinokibi (also known as Sodin or REvil) is designed to encrypt important files on your computer, blocking off your access to them. Then, the malware demands that you pay a ransom to recover access to the compromised files.

Sodinokibi is based on the RaaS model, short for Ransomware-as-a-Service. Two groups operate within the RaaS model – the ransomware authors and affiliates who distribute the ransomware.

Such an approach implies a number of benefits for both parties. On one hand, ransomware authors face a lower risk of prosecution because they aren’t actually the ones infecting computers and networks. On the other, affiliates get the opportunity to make money without having to write ransomware code.

Sodinokibi may infiltrate your network through the following channels:

  • Brute-force attacks.
  • Exploitation of weaknesses in VPNs (Virtual Private Networks) or RDPs (Remote Desktop Protocols).
  • Credit card or POS (Point of Sale) vulnerabilities.
  • Phishing, malicious advertising, or spam campaigns.

Affiliates are free to choose their approach, and the fact that they themselves aren’t engaged in development allows them to dedicate more time and effort to polishing their attack vector techniques and toolsets.

Who authored Sodinokibi?

Sodinokibi may have been authored by the same group that had been behind the now-defunct GandCrab gang.

GandCrab had operated for slightly over a year before its shutdown in May 2019. Despite its short existence, the GandCrab group was been quite impactful (in the negative sense, of course), claiming to have made 2 billion USD by extorting money from organisations.

Sodinokibi aka REvil made an appearance shortly after the shutdown of GandCrab. Within months of its emergence, McAfee determined that there is a 40% code overlap between GandCrab and Sodinokibi.

Aside from that, McAfee discovered that some GandCrab affiliates had quit their activity shortly before the malware’s shutdown. One of these affiliates – seemingly a highly successful one – switched to Sodinokibi, showing the possible link between the new and old ransomware.

It’s yet unknown where the authors of Sodinokibi and GandCrab are located. However, McAfee has found out that Sodinokibi – like GandCrab – does not infect systems containing Syrian and Arabic languages, as well as languages of post-Soviet states. This may hint at the location of Sodinokibi/GandCrab affiliates and authors.

What is the Threat of Sodinokibi?

The group behind Sodinokibi is one of the most prolific ransomware gangs in the world, mainly thanks to the affiliate model of operation. Sodinokibi is a serious threat and could be devastating to your business because of these three factors:

  • In addition to encrypting files and demanding ransom, the ransomware performs data exfiltration. The group may steal your data and demand a much larger ransom for not publishing it.
  • The ransomware has migrated from Windows to Linux in recent months. This is a major problem because many of the world’s servers run on Linux.
  • The group behind Sodinokibi promotes themselves as beng very successful, potentially attracting more and more affiliates. By extorting large businesses around the world, the Sodinokibi gang has managed to make 100 million USD in one year. The group also deposited 1 million USD in bitcoin on a Russian-speaking hacker forum to demonstrate its might.

Data exfiltration is a particularly serious threat in the finance, health, and legal sectors.

Organisations may rather easily recover encrypted files from their offline backups and wipe the infected systems to eliminate the malware. However, if the Sodinokibi gang actually has possession of your data, a leak could severely impact the reputation and competitiveness of your company.

Reportedly, this method is so effective that it makes more money than decryption ransoms. Due to this, service providers responsible for data security may become a more frequent target for hackers.

Who has been affected by Sodinokibi?

Sodinokibi has affected numerous enterprises around the world, including Travelex, CyrusOne, Albany International Airport, and Kenneth Cole.

However, the most famous case is associated with Grubman Shire Meiselas & Sacks (GSMS), a New York-based law firm. Among the clients of GSMS are companies like Facebook and celebrities such as Madonna, Lady Gaga, and Nicki Minaj.

The Sodinokibi group stole nearly a terabyte of data from GSMS and demanded 21 million USD for not publishing it. After GSMS offered to pay only 365,000 USD, the ransom was doubled to 42 million.

In addition to doubling the ransom demand, the Sodinokibi gang released a 2.4 GB archive containing Lady Gaga’s legal documents. The group also threatened to publish files related to U.S. President Donald Trump, although President Trump had never been a GSMS client.

Later, the gang unsuccessfully attempted to auction the files of Madonna and Singer Bruce Springsteen.

As of late December 2020, GSMS hadn’t paid the ransom, which actually is the right thing to do in such situations. The story doesn’t seem to be over, however.

What can you do if your IT System gets infected?

A comprehensive backup programme is the best protection against Sodinokibi. Ideally, you should create physically-separated copies of data that stretch back at least 2 weeks. Additionally, you should perform monthly offline backups, to limit the amount of data lost in the event that your network is compromised.

Sodinokibi can encrypt local backups, which is why you should store your data in several locations.

If your network does get attacked, your best course of action would be to isolate the ransomware and wipe affected devices. Don’t attempt to restore infected data – the ransomware may encrypt it even further. Do not pay the ransom either – there is no guarantee that you will get your access back and that the data won’t be published.

Prevention is the best cure for the Sodinokibi ransomware. Layered security solutions with a series of components that back up each other tend to be the most effective. Anti-malware software can be very useful against the Sodinokibi ransomware as well.

Contact Computer One for more detailed information or to help you harden your organisational defences against Sodinokibi / REvil.


Our Address


1300 667 871 or +61 7 3220 0352

Brisbane Office

Level 5, 488 Queen Street, Brisbane, QLD 4000

Sydney Office

Level 21, 133 Castlereigh Street, Sydney, NSW 2000

Melbourne Office

Level 28, 303 Collins Street, Melbourne, VIC 3000

Our Services

Industry Expertise