Severity scale:  
  (92/100)

Sodinokibi ransomware. How to remove? (Uninstall guide)

removal by Lucia Danes - - | Type: Ransomware

Sodinokibi ransomware is the cryptovirus that gets installed on targeted machines by exploiting system vulnerability

Sodinokibi ransomware
Sodinokibi ransomware virus is the threat that comes to the system via security vulnerabilities and encrypts photos, videos or documents.

Sodinokibi ransomware is the file-locking virus that encrypts data and demands ransom from victims to recover data marked with random character extensions.[1] The ransom amount may differ from $2000 to even $5000 per victim depending on how fast you pay up. The particular amount gets displayed on the browser window when the victim follows instructions listed on the ransom note named in patterns: file-marker-HOW-TO-DECRYPT.txt or file-marker-readme.txt. There is no specific relation to any known malware family, so it makes the threat new and particularly dangerous since various vulnerabilities get used for spreading the cryptovirus besides the standard spreading method.[2]

Since Sodinokibi ransomware virus is the money-oriented threat, the primary purpose of such a product is to extort money from victims for their locked files. Additionally, attackers also spread 5.2 version of GandCrab on infected servers and earn even more payments this way.[3]

Name Sodinokibi ransomware
Type Cryptovirus
Distribution Exploit kits, vulnerabilities, spam email attachments
Symptoms Encrypts files on the system and demands ransom in the text file or ransom note delivered as a wallpaper
File marker Random characters including letters and numbers
Ransom note file-marker-HOW-TO-DECRYPT.txt
Ransom amount $2000-$5000
Also spreads GandCrab 5.2
Elimination Get Reimage and remove Sodinokibi ransomware

Sodinokibi ransomware virus gets installed when the hacker exploits CVE-2019-2725. However, this is not the end of the attack because GandCrab 5.2 also gets distributed on the same infected system. Cybercriminals attempt to make more profit from their victims this way. 

It is known that besides the main encryption process, Sodinokibi ransomware deletes Shadow Volume Copies, which makes the later recovery of encoded data even more difficult. Besides that, virus disables Windows startup repair function and can alter the registry entries or even security features.

Then file encryption starts and Sodinokibi ransomware marks encoded files with a random file extension that is unique for every victim, as the ransom amount which differs from the amount and value of the locked data. The message stating about further actions gets delivered in the text file also named using the extension and HOW-TO-DECRYPT.txt pattern. 

Sodinokibi ransomware message delivers the following:

Hello dear friend!

Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process.
All encrypted files have got * extension.

Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/[id]

Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/[id]

Page will ask you for the key, here it is:
***

Once the victim follows the suggested instructions to access the website provided by Sodinokibi ransomware developers, the page asks to enter the unique victims' ID and provided key. Then, the ransomware page displays particular ransom amount and address to create the Bitcoin wallet needed for the payment transfer. 

Criminals behind Sodinokibi ransomware gives 48 or 72 hours for this payment for the alleged decryption tool. It differs from victim to victim as the amount of ransom that can come to $5000 or more if you pay after the given time ends.

Also, criminals can say that your machine is at risk or your data may get damaged. However, paying the ransom can definitely lead to permanent data damage or money loss when extortionists disappear without providing the tool for decryption.

Sodinokibi ransomware removal should be performed as soon as possible because it affects the system significantly besides the fact that it installs another cryptovirus or different malware programs later on. Fortunately, antivirus engines can detect this threat and remove it altogether. Since AV engine databases differ from program to program there are many different detection names:

  • Trojan.GenericKD.31927370;
  • HEUR/AGEN.1041110;
  • Ransom.Sodinokibi;
  • Win32.Trojan.Raas.Auto;
  • etc.[4]

You must remove Sodinokibi ransomware from the machine with professional anti-malware tools because manual cryptovirus termination is not advisable since there are too many changes this virus can make on the computer. Since this is the threat that mostly affects Windows devices, use Reimage for the system repair and cleaning functions.

Server vulnerability used to install the ransomware

Attackers use the WebLogic vulnerability to deliver this ransomware. Unauthorized access and exploitation of such flaws occur when the patching is not performed in time. That should be done as soon as possible by the servers' administrator. 

This particular vulnerability was recently discovered and reported as the Oracle WebLogic Server that allows criminals to gain access to the targeted server and install malware on the machine. It got already used to spread bots, trojans and other malware or even launch further attacks.

Other common crypto malware distribution techniques can be used to spread this intruder. That includes spam email messages with attached files, infected documents, and hyperlinks leading to direct download of the malicious script or malware payload.

Such infiltration can be avoided by deleting emails from suspicious senders or eliminating file attachments instead of immediately downloading them and opening on the machine. If you get asked to enable content or trigger macros, be aware that the document is infected and once you do so the PC gets malware loaded on the system automatically. 

Get rid of the Sodinokibi ransomware or patch the vulnerability ASAP to avoid infiltration

Sodinokibi ransomware virus is distributed using the recently discovered vulnerability. However, the patch for this flaw was also released, so use it to secure the server and avoid infiltration of this threat and possible infiltration of other malware that may exploit the vulnerability.[5]

However, you got here because you need tips on Sodinokibi ransomware removal already. For that, we recommend getting a reputable anti-malware program and scanning the machine entirely. This way all additional files or programs get indicated and deleted.

You need to remove Sodinokibi ransomware before any other processes because when the system gets cleaned, you can use other tools or software to recover files. Employ Reimage, Malwarebytes MalwarebytesCombo Cleaner, or Plumbytes Anti-MalwareMalwarebytes Malwarebytes and then restore files with your file backups or using the software designed to restore data. 

Offer
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Malwarebytes.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

To remove Sodinokibi virus, follow these steps:

Remove Sodinokibi using Safe Mode with Networking

Reboot the machine in Safe Mode with Networking, so that Sodinokibi ransomware can get properly removed

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Sodinokibi

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Sodinokibi removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Sodinokibi using System Restore

Use System restore to ensure that the device is recovered in the previous state when Sodinokibi ransomware was not on the PC

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Sodinokibi. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Sodinokibi removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Sodinokibi from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Sodinokibi, you can use several methods to restore them:

Data Recovery Pro is the alternative to file backups

If you need a solution for encrypted files or accidentally deleted data, try Data Recovery Pro

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Sodinokibi ransomware;
  • Restore them.

Windows Previous Versions feature allows to restore files after Sodinokibi ransomware attack

When System Restore gets enabled, you can employ Windows Previous Versions for the process of file recovery

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer – a method for file recovery

When ransomware is not affecting Shadow Volume Copies, ShadowExplorer can be used to restore encrypted data

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Decryption tool for this threat is not developed yet

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Sodinokibi and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes

About the author

Lucia Danes
Lucia Danes - Virus researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions

References


Your opinion regarding Sodinokibi ransomware