Severity scale:  

Remove Sodin ransomware (Decryption Methods Included) - Free Guide

removal by Jake Doevan - - | Type: Ransomware

Sodin ransomware is the version of a cryptovirus that supposedly is linked with GandCrab creators

Sodin ransomware virus 

Sodin ransomware is the cryptovirus that encrypts files found on the machine and marks them with .mc9530 marker, so it can also be called .mc9530 virus. However, this is the version of Sodinokibi ransomware that is supposedly related to GandCrab because it was made available on the dark web forums and serves as ransomware-as-a-service.[1] 

This ransomware comes to the system by exploiting Windows vulnerabilities like CVE-2018-8453[2] and then Sodin ransomware virus aims to change the default file extension to a .mc9530 appendix and make data useless this way. The purpose of this encryption is to have a reason for a ransom demand that can go up to thousands of dollars in the form of cryptocurrency like Bitcoin. The main area that this virus target is Asia, Taiwan, Hong Kong, and South Korea in particular, but there is a risk to get affected by this cryptovirus for anyone in the world. This is a dangerous threat that can lead to permanent data damage or even money loss because the lowest amount of ransom demand is $2500 in Bitcoin.

Name Sodin
Type Ransomware
Family Sodinokibi ransomware
File marker .mc9530
Distribution Exploiting system vulnerabilities, infected spam email attachments
Ransom note mc9530-readme.txt
Ransom amount May differ from $2000 to $5000 in Bitcoin
Elimination Get a reliable anti-malware tool and remove Sodin ransomware. Clean virus damage with Reimage

Sodin ransomware infects the system and extorts money from the victim that wants to have files working normally again. The encryption process changes the original code of data in various formats. Photos, documents, videos, audio files, PDFs, and even archives get affected by this virus. The only type of data that ransomware is not encrypting is system files.

However, Sodin ransomware affects various system files and general settings of the machine to make needed changes and ensure the persistence of this malware. Malicious files or programs get installed on the machine to run processes of blocking the antivirus tools and security tools or features. 

Also, Sodin ransomware can delete Shadow Volume Copies to keep the user from recovering the encrypted files and create new or alter existing registry keys to make the malware run every time your computer gets rebooted. You need a thorough system check to end those additional processes and terminate the ransomware entirely.

Nevertheless, all those changes happen after the primary Sodin ransomware attack – file encryption. The virus may start with a system check to make sure that the machine was not encrypted before. Then files get selected and encrypted immediately. Once that is done, the mc9530-readme.txt file appears on the desktop and in every folder containing the encoded data.

Sodin ransomware ransom message reads the following:

—=== Welcome. Again. ===— a
[+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you
computer has expansion] mc953@.
By the way, everything is possible to recover (restore), but you need to follow our
instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting
benefits. If we do not do our work and liabilities – nobody will not cooperate with us.
Its not in our interests.
To check the ability of returning files, You should go to our website. There you can
decrypt one file for free. That is our guarantee.
If you will not cooperate with our service – for us, its does not matter. But you will
lose your time and data, cause just we have the private key. In practise – time is much
more valuable than money.
[+] How to get access on website? [+] You have two ways:
1) [Recommended] Using a TOR browser!

a) Download and install TOR browser from this site:

b) Open our website:
http: //aplebzu4/wgazapdqks6vrcv6zcnjppkbxbr6éwket f56nf6aq2nmyoyd. onion/6750647830BDB096
2) If TOR blocked in your country, try to use VPN! But you can use our secondary
website. For this:

a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)

b) Open our secondary website: http://decryptor. top/6750647830BDBO96
Warning: secondary website can be blocked, thats why first variant much better and more
When you open our website, put the following data in the input form:

Sodin ransomware developers shouldn't be trusted, so avoid contacting them, especially for the file recovery. This is a false promise that can lead to a more damaged device than encrypted files in the first place. Remember that these people are cybercriminals and experts[3] note now malicious these extortionists are.

Sodin ransomware
Sodin ransomware is the threat that uses exploit kits to get on the targeted system and encrypt files, so the ransom as big as $5000 can get demanded.

We know how important these files that got encrypted are for you but focus on Sodin ransomware removal first, before worrying about data recovery. If you try to restore files with backups, you can damage your data permanently when ransomware encrypts files on the external device through the still affected system.

Get the anti-malware tool and scan the machine thoroughly. Then remove Sodin ransomware once it gets detected by the program and indicated as malicious alongside other applications or files. A thorough check on the computer should show various issues besides the malicious programs, so after the virus elimination, your machine runs better.

For additional check and insurance, we recommend rechecking the machine with a tool like Reimage that can delete Sodin ransomware virus damage and fix corrupted Windows files, for example. For data recovery, later on, we have a few suggestions below the article.

Sodin ransomware can be related to GandCrab developers, and even cybersecurity researchers expect a rise in attacks from this threat, so beware and clean the machine as soon possible, keep the system virus-free to avoid damage or other malware. Kaspersky officials even stated:

We expect a rise in the number of attacks involving the Sodin encryptor, since the amount of resources that are required to build such malware is significant. Those who invested in its development definitely expect it to pay off handsomely.

.mc9530 virus
Sodin cryptovirus is linked with GandCrab creators and Sodinokibi ransomware because it displays a similar message and redirects to Tor Browser for the payment.

Vulnerable servers and other system flaws get exploited by the virus to get on the computer

The most common method or ransomware distribution is file attachments containing various malicious files like PDFs, documents or links to a direct download of the payload. Such emails come to email boxes and trick people into the opening and downloading the attachment by showing legitimate names of companies and services like DHL, FedEx.

This ransomware, in particular, is not that common when it comes to the distribution of this threat because the common method is to require interaction with a malicious file to open the document attached to the email, so malicious macros get triggered and launch the cryptovirus script. In this case, the executable file that is downloaded to launch the ransomware comes when the virus exploits system or server flaws.

Check the system and remove Sodin ransomware files from the system with anti-malware tools

To avoid falling victim to Sodin ransomware virus, you should ensure that your software is patched and updated regularly and the Windows operating system flaws cannot get exploited. You can do so by updating all the programs yourself or keeping system tools which help to optimize the machine automatically.

Another automatic process that we recommend relying on is the initial Sodin ransomware removal. You should get the professional anti-malware program and scan the system entirely to eliminate all the associated files, applications, and disable suspicious processes.

Programs like [d1[, SpyHunter 5Combo Cleaner, or Malwarebytes can remove Sodin ransomware completely, clean virus damage and indicate all the corrupted files, useless programs or data that may be malicious. Running an occasional system scan with such programs can improve the performance of your PC significantly.

do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with SpyHunter 5.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

To remove Sodin virus, follow these steps:

Remove Sodin using Safe Mode with Networking

You should restart your machine and get to Safe Mode with Networking before eliminating Sodin ransomware. This way you can be sure that AV tool that you use works as supposed to

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Sodin

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Sodin removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Sodin using System Restore

System Restore is a method to fight Sodin ransomware virus because this feature allows recovering the system in a previous state

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Sodin. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Sodin removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Sodin from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Sodin, you can use several methods to restore them:

When you need to recover files affected by Sodin ransomware, Data Recovery Pro can help

Try Data Recovery Pro for accidentally deleted files or data that got encrypted in the ransomware attack

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Sodin ransomware;
  • Restore them.

Windows Previous Versions as an alternate method for restoring encrypted files

When System Restore gets enabled, Windows Previous Versions can be used in data recovery

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer as a feature helpful after Sodin ransomware attack

When threats like Sodin ransomware leave Shadow Volume Copies untouched, you can Rely on ShadowExplorer for file recovery purposes

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Decryption is not possible

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Sodin and other ransomwares, use a reputable anti-spyware, such as Reimage, SpyHunter 5Combo Cleaner or Malwarebytes

About the author

Jake Doevan
Jake Doevan - Computer technology expert

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions


Your opinion regarding Sodin ransomware