Sodinokibi Ransomware

Sodinokibi Ransomware is an infection that is fully prepped to encrypt your personal files. Although this infection does not corrupt files outside very specific directories – which we talk about further in the report – it certainly can do great damage if personal files are stored in these directories. Once files are encrypted, the data is changed, and the files become unreadable. The attackers do this so that they could push victims into paying money for a decryptor. Unfortunately, it is unlikely that anything good would happen if the ransom was paid. The attackers behind ransomware are never interested in helping victims recover their files. Instead, they are only interested in the money, and if they manage to terrorize victims into giving it away, they are likely to disappear. Due to this reason, if your files were encrypted, we suggest that you do not waste money and time commutating with the attackers. Instead, dedicate this time to figure out how to remove Sodinokibi Ransomware.

Also known as REvil Ransomware, the malicious Sodinokibi Ransomware is likely to exploit the known Oracle's weblogic vulnerability (CVE-2019-2725) and RDP security flaws to slither in. The entrance of this malware is silent, and, therefore, some victims might be unable to tell how and when the ransomware got in. This could make it impossible to delete Sodinokibi Ransomware manually. If the malicious executable is not removed immediately, it should start encrypting files immediately. According to our research team, the infection only encrypted files in the %USERPROFILE% (Desktop, Downloads, and Favorites folders) and %HOMEDRIVE% (except for .SYS and .BAT files) directories. Once they were encrypted, a unique extension consisting of 6-10 characters was added to their original names. While it is easy to remove this extension, this action is unnecessary because it will not help you restore the files. You will not be able to restore files from internal backup either because the ransomware can delete shadow volume copies. Hopefully, you have backups stored online or on external drives.

After encryption, the [unique name]-readme.txt file is created by Sodinokibi Ransomware. If you open this file, you will find a text message suggesting that files can only be restored using a private key. To get it, according to the ransom note, you need to download the Tor Browser, follow the provided link, and then follow the presented instructions. What are these additional instructions? Well, since the attackers want money, you can guess that a ransom payment is involved. The original message warns that trusting third-party software to restore files is a terrible idea. If free and reliable decryptors existed, we would suggest using them despite the warning, but, unfortunately, such tools did not exist at the time of research. If you decide to rely on third-party solutions, make sure you research them thoroughly because the last thing you need is to let in more infections. Sodinokibi Ransomware is a handful already, and you certainly do not need the removal of other dangerous threats hanging over your head.

If you can go to the exact location of the launcher of Sodinokibi Ransomware, removing this malware should be very easy. All you really have to do is eliminate the .exe file and then the ransom note file. The thing is that after the threat is gone, your files will remain encrypted. Do not let the attackers push you into paying the ransom because that is likely to get you nowhere. Instead, delete Sodinokibi Ransomware, count your loses, and learn from your mistakes. One of the biggest mistakes, of course, is not ensuring Windows security. You can fix that right away by implementing a reliable anti-malware program that will also remove existing infections. You must also not forget to backup your personal files, but instead of using internal Windows backup, employ virtual clouds or external drives. Also, learn about the most common methods of malware distribution that the attackers are using. The more information you have, the more likely you will be able to defend yourself against attackers and malware.

Sodinokibi Ransomware Removal

1. Find and Delete the .exe file that launched the infection.
2. Find and Delete the ransom note file, [random]-readme.txt.
3. Empty Recycle Bin and then quickly install a reliable malware scanner.
4. Run a thorough system scan and delete any leftover malware.