The End of Sodinokibi: the Infamous Ransomware Goes Down

Sodinokibi was, perhaps, the most ill-renowned ransomware. While it was active, it netted crooks hundreds of millions of dollars, hitting prominent targets such as Apple, Acer, Donald Trump’s lawyers, and most recently, HX5, a US defense company.

It took a law enforcement operation coordinated between 17 countries to bring it down. Through the joint efforts of the FBI, INTERPOL, and Europol, crucial C2 servers were shut down, countless backups of the ransomware scuffed, millions of extortion payments seized, and the gang’s infrastructure totally destroyed.

But let’s track back a few steps and see how the story unfolded.

A quick Sodinokibi Ransomware review

Like all ransomware, Sodinokibi (also known as REvil or Sodin) encrypted files on infected hosts and displayed a ransom note, directing the victims to make a cryptocurrency payment in exchange for corrupted data. Delaying the payment increased the cost. 

Sodinokibi, though, was somewhat unique because of its Ransomware-as-a-Service model (RaaS): the core developers, the ones controlling the source code, ‘rented out’ the program to lower-level criminals called affiliates, who actually performed attacks. 

Affiliates agreed to share 40% of profits with the core gang to access the ransomware itself and tech support. Funny enough, many of them were also cheated because of a backdoor left in several versions of REvil. 

The ransomware is believed to have originated in the former Soviet Union, and like many families from that region, REvil did not target companies in the former Soviet-bloc. The researchers also found many similarities with the DarkSide ransomware in its source code and ransom note composition. This may indicate that the two crews are connected in some way or that both strains were operated by the same crew.

Analysts note that Sodinokibi’s code was skilfully written: this malware was characterized by rapid execution and encryption, leaving little chance for victims to respond to attacks.

The distribution channels of Sodinokibi were as varied as its affiliates: spam phishing, spear phishing, and APTs. 

But it was the targeted attacks and excessively large demands that first drew attention to this ransomware.

High-profile Sodinokibi hacks

Sodinokibi activity began shortly after GandCrab disappeared from the wild. The attackers wasted no time in staging a series of major hacks that occurred in quick succession:

May 2020. The group behind Sodikokibi hacks Grubman Shire Meiselas & Sacks, a law firm representing Donald Trump. They demand $42 million in ransom before bragging about it in a press interview and, allegedly, selling the data.

March 2021. The ransomware breaches Acer, encrypts an undisclosed amount of files, and the gang puts out a $50 million request which grows to $100 million if not paid in time.

May 2021. An attack hits JBS S.A., the largest meat processor in the world, its plants in the US are all shutdown, and the company pays $11 million.

July 2021. The breach of Kaseya cripples hundreds of managed service providers. One store chain in Sweden temporarily closes 800 locations. The extortion amount starts at $70 million. 

July 2021. A US-based weapon developer HX5 gets breached, and the gang steals and leaks sensitive documents.

Besides all of that, Sodinokibi was used in countless smaller attacks and wide-hitting phishing campaigns carried out by less prominent affiliates. All and all, the whole operation has generated around $200 million, 10% of what the REvil gang had publicly declared they would steal. 

The downfall of Sodinokibi

In the end, the sheer audacity of these hacks attracted the closest attention of law enforcement. During Operation GoldDust, 17 countries coordinated their efforts to find and capture the criminals behind Sodinokibi. They arrested 7 suspects responsible for 5,000 attacks.

In fall of 2021, C2 locations associated with REvil began to go dark after the US found out the whereabouts of several gang members. In October 2201, Yaroslav Vasinskyi — one of the most active Sodinokibi affiliates  — was arrested in Poland while trying to flee, and extradited to the US. He is responsible for the Kaseya hack, and many more, and faces up to 115 years in prison if found guilty on all counts.

That same month, the FBI, the Secret Service, and several other law enforcement agencies launched a wave of counter-hacks that breached Sodinokibi servers right back and destroyed the remaining infrastructure. From that moment on, REvil members were practically paralyzed. 

Finally, in January 2022, multiple Sodinokibi members were arrested and the gang had “ceased to exist.’’

Recognizing REvil ransomware with ANY.RUN

Ransomware attacks, in general, are extremely hard to mitigate — once the malware is downloaded, it executes quickly and locks you out or encrypts your files. Unless a public decryptor is available for that exact strain and version — which it usually isn’t —  there is nothing you can do. Sometimes, even backups get corrupted as the program propagates laterally and roots itself deep in your network.

So the strategy is to avoid getting infected in the first place.

And one great way to do that is with ANY.RUN online malware sandbox. It uses Suricata rulesets to identify malicious programs — even those that successfully evade detection by various AV software. The service can scan both files and links for signs of malicious activity. And analysis results are available in less than 2 minutes, with MITRE ATT&CK and IOC indicators displayed on a visual process graph.

For a while, Sodinokibi could be detected using the changes it made in the registry. It wrote keys such as HKEY_CURRENT_USER\SOFTWARE\RECFG with the name PK_KEY and others. Also, it created a ransom note with a consistent copy.

Interestingly, malware authors created a Sodinokibi sample with a polished website available at the domain decryptor[.]top, where victims could decrypt three images for free. A trial of sorts. Also, the website provided a countdown (“after the time runs out, the ransom amount will be set to 5 000 dollars”), payment instructions in bitcoins, as well as information about the decryption process. If decryptor[.[top wasn’t available, the victims could visit its [.]onion clone through the Tor web browser.

Conclusion

This story teaches us 3 things: 

1. We can say good riddance to one of the most prominent players in the ransomware arena. 
2. Law enforcement must learn how to come up with better codenames than GoldDust. 
3. None of that work would have been needed if all those companies used ANY.RUN malware sandbox which detects REvil just fine.

Jokes aside, taking down Sodinokibi was a huge win in the war against ransomware. It was an enormous effort requiring unprecedented coordination between countries, and it paid off, this time at least. But squashing cyberthreats is a bit like playing Whac-A-Mole: bop one on the head, and another is already poking out somewhere else.

The dismantlement of REvil left a void in the market, which other, more low-key ransomware crews are already filling in — like Donut, which is definitely worth keeping an eye on.

If you want to read more stories like this, check out our recount of the rise and fall of Emotet, the omnipresent trojan of 2019 and 2020. Or read about the history of MyDoom, the most damaging computer worm of its time that — excuse the terrible pun — doomed countless computers in the aughts.

And, as always, stay vigilant online and check your files with ANY.RUN. 

Questions and answers (Q&A) 

• What is Sodinokibi?

Sodinokibi is ransomware — a type of computer virus that works by encrypting files on infected systems and giving an option to restore them, if a payment is made.

• Who is behind Sodinokibi?

Sodinokibi was developed by a crew of russian speaking hackers, known as the REvil gang. Many believe that they are the same people who previously ran — or were a part of — the infamous GandCrab group.

• How to remove Sodinokibi ransomware?

Removal of any ransomware, including Sodinokibi, is a difficult process. You must first identify  the infected components, then isolate and either delete them, or replace them from a trusted backup.