Blue Hexagon Blog

Ransomware Families – REvil_Sodinokibi

Sodinokibi ransomware (also tracked as REvil) was first identified in April 2019. Early campaigns exploited a vulnerability in Oracle WebLogic Server to deploy it; more recently it has been delivered through malicious Office documents carrying VBA macro code.

Prior to encryption, the malware calls the GetKeyboardLayoutList function; if a Russian keyboard layout is installed on the host, it exits without infecting the machine. Sodinokibi also walks the file system looking for any file or directory whose name contains "backup", then overwrites and deletes those files so they cannot be used for recovery.
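To make the language gate concrete, here is an added example (not code from the Blue Hexagon post or from the malware itself) that models the check performed with GetKeyboardLayoutList. The Windows API returns one HKL handle per installed layout; the low 16 bits of each HKL is the layout's LANGID, and 0x0419 is the Russian LANGID. The HKL values used as input are constructed test data, and the `installed_layouts` helper that queries the real API through ctypes is only exercised on Windows.

```python
# Added example: models Sodinokibi's pre-encryption keyboard-layout gate.
# Not the malware's code; the HKL values below are constructed test data.
import ctypes
import sys
from typing import Iterable, List, Set

LANGID_RUSSIAN = 0x0419  # LANG_RUSSIAN / SUBLANG_RUSSIAN_RUSSIA


def langid_from_hkl(hkl: int) -> int:
    """The low word of an HKL keyboard-layout handle is the layout's LANGID."""
    return hkl & 0xFFFF


def primary_langid(langid: int) -> int:
    """Primary language lives in the low 10 bits of a LANGID; sublanguage in the top 6."""
    return langid & 0x03FF


def installed_layouts() -> List[int]:
    """On Windows, ask user32!GetKeyboardLayoutList for the real HKL list.
    Elsewhere there is no such API, so return an empty list."""
    if sys.platform != "win32":
        return []
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    user32.GetKeyboardLayoutList.argtypes = [ctypes.c_int, ctypes.POINTER(ctypes.c_void_p)]
    user32.GetKeyboardLayoutList.restype = ctypes.c_int
    count = user32.GetKeyboardLayoutList(0, None)  # nBuff=0 -> number of layouts
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    return [int(h or 0) for h in buf]


def has_excluded_layout(hkls: Iterable[int],
                        excluded: Set[int] = frozenset({LANGID_RUSSIAN})) -> bool:
    """True if any installed layout's LANGID is in the excluded set.
    The post only mentions Russian; the set is a parameter because real samples
    may carry a wider list of language IDs (assumption, not stated on the page)."""
    return any(langid_from_hkl(h) in excluded for h in hkls)


def should_encrypt(hkls: Iterable[int]) -> bool:
    """The gate as the malware applies it: encrypt only when no excluded layout is present."""
    return not has_excluded_layout(hkls)


if __name__ == "__main__":
    # Constructed HKLs: US English (0x0409), German (0x0407), Russian (0x0419).
    host_without_russian = [0x04090409, 0x04070407]
    host_with_russian = [0x04090409, 0x04190419]
    print("no Russian layout -> encrypt:", should_encrypt(host_without_russian))
    print("Russian layout    -> encrypt:", should_encrypt(host_with_russian))
    print("this host:", [hex(h) for h in installed_layouts()] or "not Windows")
```

Defenders sometimes add a Russian layout as a cheap "vaccine" against this family; the example shows why that is brittle: the decision rests on a single API call whose result an operator can change or the author can ignore, so it is not a control to rely on.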

Windows startup repair is then disabled and the volume shadow copies are deleted (REvil/Sodinokibi is widely documented to do this with bcdedit and vssadmin), after which the machine's files are encrypted and given a randomly generated per-infection extension.
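The recovery-inhibition step is one of the most reliable places to detect this family before encryption finishes. The following is an added example, not code from the post: detection logic that flags the shadow-copy deletion and startup-repair-disabling command lines REvil/Sodinokibi is widely documented to run. The log lines are constructed samples in a simple "timestamp|image|command line" layout, not real telemetry, and the rule names are my own.

```python
# Added example: flag process command lines that delete shadow copies or
# disable Windows startup repair. Log format and sample lines are constructed.
import re
from typing import Dict, List

# Rule names are hypothetical; patterns cover the documented vssadmin/wmic/bcdedit usage.
RULES = {
    "shadow_copy_delete": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy\b.*\bdelete\b)",
        re.IGNORECASE),
    "startup_repair_disable": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
        re.IGNORECASE),
}

# Constructed sample log: line 1 is the one-liner this family runs; the others are benign.
SAMPLE_LOG = """\
2019-06-01T10:00:01Z|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2019-06-01T10:00:02Z|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe List Shadows
2019-06-01T10:00:03Z|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2019-06-01T10:00:04Z|C:\\Windows\\System32\\bcdedit.exe|bcdedit /enum
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one 'timestamp|image|command line' record; the command line may contain '|'."""
    ts, image, cmd = line.split("|", 2)
    return {"timestamp": ts, "image": image, "command_line": cmd}


def match_rules(cmd: str) -> List[str]:
    """Return the names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run all rules over the log. A single command line hitting both rules is the
    ransomware signature itself, so it is rated high; one rule alone is medium."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        names = match_rules(rec["command_line"])
        if names:
            severity = "high" if len(names) == len(RULES) else "medium"
            hits.append({**rec, "rules": names, "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"], hit["timestamp"], hit["rules"], hit["command_line"][:60])
```

Note that `vssadmin.exe List Shadows` is deliberately left unflagged: matching on the executable name alone produces noise from backup software and administrators, while matching the delete/disable verbs keeps the rule tight.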

The ransom note is written to {extension}-HOW-TO-DECRYPT.txt and points the victim to a website where payment is arranged in exchange for decryption of the files; the average ransom demand has been reported at $327,931.

If you are interested in learning about other ransomware families we have published research reports on, you can read more here.