Under Attack? Contact Us Start a Free Demo

Are you prepared for the REvil/Sodinokibi Ransomware attack? Learn how to protect your organization now!

Sodinokibi, also known as REvil, is a ransomware strain that has become one of the most prominent threats in the cyber landscape since its emergence in April 2019. Sodinokibi ransomware is a malicious software that infects a victim’s computer or server and encrypts all its files, making them inaccessible to the user. The victim is then presented with a ransom note demanding payment in exchange for the decryption key that will unlock their files. This ransomware has been responsible for numerous high-profile attacks against various industries, including healthcare, education, and government agencies. This article will delve into the technical aspects of Sodinokibi, its attack vectors, and the impact it has had on organizations worldwide.

Technical Overview:

Sodinokibi ransomware is written in C++ and uses the RSA and AES encryption algorithms to encrypt the victim’s files. RSA is used to encrypt the AES key, and the AES algorithm is used to encrypt the actual data. The encryption keys are generated on the victim’s computer, and the public key is sent to the attacker’s server, where the private key is stored. The malware then proceeds to delete all backups and shadow copies to ensure that the victim cannot recover their files without paying the ransom.

Sodinokibi also has anti-analysis and anti-debugging techniques built into its code to make it more difficult for security researchers to analyze the malware. The ransomware employs a technique called “Process Hollowing,” where it launches a legitimate process in a suspended state, replaces its code with the ransomware’s code, and resumes the process, making it more difficult to detect. Additionally, the malware uses code obfuscation techniques, making it harder for antivirus software to detect its malicious behavior.

Attack Vectors:

Sodinokibi ransomware has been known to use several attack vectors to gain access to victim’s systems. One of the most common methods is through phishing emails that contain malicious attachments or links. These emails are crafted to appear legitimate, often mimicking well-known companies or government agencies. Once the victim clicks on the attachment or link, the malware is downloaded onto their system.

Another method used by Sodinokibi is to exploit vulnerabilities in software or operating systems. This is often accomplished by using publicly available exploit kits or by purchasing zero-day exploits from underground markets. Once the malware gains access to the victim’s system, it spreads laterally, infecting other systems on the network.

Sodinokibi ransomware has also been known to use Remote Desktop Protocol (RDP) brute-force attacks to gain access to systems. In these attacks, the attacker attempts to guess the username and password for RDP access to the victim’s system. Once they have gained access, they can install the malware and begin the encryption process.

Impact on Organizations:

Sodinokibi ransomware has had a significant impact on organizations worldwide. The ransomware has been responsible for numerous high-profile attacks, including the attack on the Colonial Pipeline in May 2021, which caused widespread fuel shortages in the United States. The attackers demanded a ransom of $4.4 million, which was alledgedly paid by Colonial Pipeline to obtain the decryption key.

The healthcare industry has also been heavily targeted by Sodinokibi ransomware. In November 2019, a Finnish psychotherapy center was hit by an attack, which resulted in the theft of patient records. The attackers demanded a ransom of $450,000, which the center refused to pay. As a result, the attackers released the stolen data on the dark web, compromising the privacy of thousands of patients.

The education sector has also been targeted by Sodinokibi ransomware. In March 2021, the Broward County Public Schools in Florida, one of the largest school districts in the United States, was hit by a ransomware attack that affected over 260,000 students and employees. The district was forced to shut down its computer systems, causing significant disruptions to the teaching and learning process.

Sodinokibi ransomware has also targeted government agencies, including the New Mexico Department of Health, which was hit by an attack in January 2021. The attack resulted in the shutdown of the department’s systems, causing delays in COVID-19 vaccine distribution. In March 2021, Acer organization became a victim of a REvil ransomware attack. The threat actors demanded a $50,000,000 ransom.

The impact of Sodinokibi ransomware attacks goes beyond the initial cost of paying the ransom. Victims also suffer reputational damage and loss of customer trust, which can be difficult to recover from. Additionally, the cost of restoring systems and data can be significant, and some organizations may never fully recover.

How to Protect Your Organization From Revil/Sodinokibi ransomware

ThreatResponder® Platform is an all-in-one cloud-native endpoint threat detectionpreventionresponseanalyticsintelligenceinvestigation, and hunting product. Once lightweight agents (“Rovers”) are deployed, you gain situational awareness and immediate threat visibility into hundreds and thousands of endpoints, respond to nation-state and insider threats, and neutralize cyber attacks quickly. ThreatResponder® allows investigators to conduct incident response and computer forensics investigation on a remote endpoint. In addition to these features, ThreatResponder also provides advanced analytics capabilities that help organizations quickly identify and respond to potential threats. The solution is designed to be easy to use, allowing organizations to quickly implement and start using it to prevent cyber attacks.

Want to try our ThreatResponder, cutting-edge Endpoint Detection & Response (EDR), and ThreatResponder FORENSICS, the Swiss knife for forensic investigators in action? Click on the below button to request a free demo of our NetSecurity’s ThreatResponder platform.


Indicators of Compromise:
  • 04ae146176632509ab5239d0ec8f2447d7223090
  • 10682d08a18715a79ee23b58fdb6ee44c4e28c61
  • 169abe89f4eab84275c88890460a655d647e5966
  • 20d90f04dcc07e1faa09aa1550f343c9472f7ec6
  • 2a75db73888c77e48b77b72d3efb33ab53ccb754
  • 58d835c3d204d012ee5a4e3c05a06e60b4 316d0e
  • Ce0c8814d7630f8636ffd73f8408a36dc0e1ca4d