

Sodinokibi (aka Sodin, REvil) is a prolific ransomware that came to widespread attention in April 2019. It is distributed as Ransomware-as-a-Service (RaaS). There is significant speculation that the operators of Sodinokibi are the same as those behind GandCrab.
The actors behind Sodinokibi have previously used the threat of information disclosure to attempt to coerce payment. Information is disclosed on their Tor site, the Happy Blog.
Because Sodin ransomware is commercially available as Ransomware-as-a-Service (RaaS), targeting depends on the actors using it.
Sodinokibi has been observed being delivered using the following methods:
Before completing its actions on objectives, the Sodin ransomware uses GetKeyboardLayoutList to determine the current language of the keyboard. The ransomware will not execute if the value is between \x18 and \x44 (inclusive).
Therefore, if Sodinokibi detects any of these keyboard layouts, it will cease operation.
The ransomware contains a configuration file that is encrypted within the main binary. Once it decrypts the binary, Sodin ransomware has been observed attempting to exploit CVE-2018-8453.
The ransomware achieves persistence through a key in SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
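A hunt for the Run-key persistence described above, as an added example that is not part of the original page or any vendor hunt package. It assumes registry telemetry shaped like Sysmon Event ID 13 records; the sample events, value names, writer allowlist and user-writable path list are constructed for illustration.

```python
import re

# Run-key path as given on the page; the hive prefix (HKLM, HKU\<SID>) is left open.
RUN_KEY = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# Assumption: value data pointing into user-writable directories is suspicious.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Assumption: processes allowed to create Run values in this environment.
EXPECTED_WRITERS = {r"c:\windows\system32\msiexec.exe"}

def ev(host, image, target, details, event_id=13):
    return {"EventID": event_id, "Computer": host, "Image": image,
            "TargetObject": target, "Details": details}

HKLM_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample records (not real telemetry), shaped like Sysmon Event ID 13.
SAMPLE_EVENTS = [
    ev("HOST-A", r"C:\Users\j.doe\AppData\Local\Temp\sample.exe",
       HKLM_RUN + r"\ExampleValue", r"C:\Users\j.doe\AppData\Local\Temp\sample.exe"),
    ev("HOST-B", r"C:\Windows\System32\msiexec.exe",
       HKLM_RUN + r"\VendorUpdater", r'"C:\Program Files\Vendor\updater.exe"'),
    ev("HOST-C", r"C:\Windows\System32\reg.exe",
       r"HKU\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example2",
       r"C:\Program Files\App\app.exe"),
    ev("HOST-D", r"C:\Windows\System32\reg.exe",
       HKLM_RUN + r"Once\Cleanup", r"C:\Windows\Temp\cleanup.cmd"),  # RunOnce: out of scope
]

def find_run_key_persistence(events):
    """Return (host, value_name, reasons) for each suspicious Run-key write."""
    hits = []
    for e in events:
        m = RUN_KEY.search(e.get("TargetObject", ""))
        if e.get("EventID") != 13 or not m:
            continue
        reasons = []
        if e.get("Image", "").lower() not in EXPECTED_WRITERS:
            reasons.append("unexpected writer")
        if USER_WRITABLE.search(e.get("Details", "")):
            reasons.append("value points to user-writable path")
        if reasons:
            hits.append((e["Computer"], m.group(1), reasons))
    return hits

if __name__ == "__main__":
    for host, name, reasons in find_run_key_persistence(SAMPLE_EVENTS):
        print(f"{host}: Run\\{name} -> {', '.join(reasons)}")
```

The pattern matches only the Run path stated on the page, so RunOnce and WOW6432Node variants need their own patterns if they are in scope for the hunt.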
Sodinokibi does not require immediate access to a command and control (C2) node in order to proceed. This allows the malware to operate with no Internet connectivity, which is rare for ransomware.