Severity scale:  

Remove Sodinokibi ransomware (Free Guide) - updated Jul 2019

removal by Lucia Danes - - | Type: Ransomware

Sodinokibi is an extremely dangerous cryptovirus that spreads together with GandCrab

Sodinokibi ransomware
Sodinokibi ransomware virus is the threat that comes to the system via security vulnerabilities and encrypts photos, videos or documents.

Questions about Sodinokibi ransomware

Sodinokibi ransomware (REvil and Sodin are known as the recent versions) is the file-locking virus that encrypts data and demands ransom from victims to recover data marked with random character extensions.[1] The ransom amount may differ from $2000 to even $5000 per victim, depending on how fast you pay. The particular amount is displayed in the ransom note called file-marker-HOW-TO-DECRYPT.txt or file-marker-readme.txt. There have been numerous allegations from researchers claiming that Sodinokibi is hailing from the GandCrab developers – these both threats were found misusing Oracle WebLogic servers.[2][3]

Name Sodinokibi ransomware
Type Cryptovirus/ransomware/Trojan
Detection Trojan:Win32/Skeeyah.A!bit;; Ransom.Win32.Sodinokibi.A
Family Gandcrab 
Variants REvil, Sodin
Distribution Exploit kits, vulnerabilities, spam email attachments
Symptoms Encrypts files on the system and demands ransom in the text file or ransom note delivered as a wallpaper
File marker Random characters including letters and numbers
Ransom note file-marker-HOW-TO-DECRYPT.txt
Ransom amount $2000-$5000
Elimination Get Reimage Reimage Cleaner Intego and remove Sodinokibi ransomware

The newest Sodinokibi virus campaign was spotted at the end of May 2019, when fake foreclosure messages spread around Germany containing malicious macro -filled documents. Emails with subject lines “Announcement of foreclosure” (Ankündigung der Zwangsvollstreckung) work int he campaign because people are not thinking twice before opening such notification and the document attached to it.

Sodinokibi ransomware gets installed when the hacker exploits CVE-2019-2725. However, this is not the end of the attack because GandCrab 5.2 also gets distributed on the same infected system. Cybercriminals attempt to make more profit from their victims this way. 

It is known that besides the main encryption process, Sodinokibi ransomware deletes Shadow Volume Copies, which makes the later recovery of encoded data even more difficult. Besides that, virus disables Windows startup repair function and can alter the registry entries or even security features.

Then file encryption starts and Sodinokibi ransomware marks encoded files with a random file extension that is unique for every victim, as the ransom amount which differs from the amount and value of the locked data. The message stating about further actions gets delivered in the text file also named using the extension and HOW-TO-DECRYPT.txt pattern. 

Sodinokibi message delivers the following:

Hello dear friend!

Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process.
All encrypted files have got * extension.

Instructions into the TOR network
Install TOR browser from
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/[id]

Instructions into WWW (The following link can not be in work state, if true, use TOR above):
Visit the following link:[id]

Page will ask you for the key, here it is:

Once the victim follows the suggested instructions to access the website provided by Sodinokibi ransomware developers, the page asks to enter the unique victims' ID and provided key. Then, the ransomware page displays particular ransom amount and address to create the Bitcoin wallet needed for the payment transfer. 

Sodinokibi ransomware virus
Sodinokibi ransomware is the cryptovirus that is distributed when the attacker exploits the zero-day vulnerability and later installs another ransomware.

Criminals behind Sodinokibi gives 48 or 72 hours for this payment for the alleged decryption tool. It differs from victim to victim as the amount of ransom that can come to $5000 or more if you pay after the given time ends.

Also, criminals can say that your machine is at risk or your data may get damaged. However, paying the ransom can definitely lead to permanent data damage or money loss when extortionists disappear without providing the tool for decryption.

According to the latest news updates, cybersecurity experts found out that fake email messages have been spreading Sodinokibi ransomware.[4] This virus spreads via email spam that includes malicious macros embedded into suspicious documents. If a victim clicks on such a component, he/she will experience file encryption slightly.

Also, another very important report about Sodinokibi ransomware, now also known as REvil, has been released worldwide. Experts claim to have found a new distribution technique that is used by this advanced malware. Hackers have been spreading the ransomware by using malvertising which leads to the RIG exploit package.[5]

Keep in mind that outdated apps make the system vulnerable to such exploits. So, you should always make sure that your programs and various tools are regularly updated, this also includes your Windows operating system. If you take these precautionary measures seriously, you might be able to avoid Sodinokibi ransomware successfully.

Sodinokibi ransomware removal should be performed as soon as possible because it affects the system significantly besides the fact that it installs another cryptovirus or different malware programs later on. Fortunately, antivirus engines can detect this threat and remove it altogether. Since AV engine databases differ from program to program there are many different detection names:

  • Trojan.GenericKD.31927370;
  • HEUR/AGEN.1041110;
  • Ransom.Sodinokibi;
  • Win32.Trojan.Raas.Auto;
  • etc.[6]

You must remove Sodinokibi ransomware from the machine with professional anti-malware tools because manual cryptovirus termination is not advisable since there are too many changes this virus can make on the computer. Since this is the threat that mostly affects Windows devices, use Reimage Reimage Cleaner Intego for the system repair and cleaning functions.

Sodinokibi ransomware May 2019 campaign targeting German victims

In May the newest information about the active distribution in Germany when virus developers spread malware via spam emails disguised as foreclosure notifications. These emails contain file attachments with malicious macros. Once the notification gets opened and the document opened, malicious macros get enabled and launch the needed process of delivering cryptovirus Sodinokibi ransomware.

Sodinokibi virus 

By using emails with the subject line – “Announcement of foreclosure” (Ankündigung der Zwangsvollstreckung) malicious actors trick people into opening the infected document on the device. The email contains a lengthy message about needed payments and fees. However, the tola sum should be delivered in the attached file.

Once Sodinokibi is downloaded and opened on the machine, people get asked to enable malicious macros and the attachment named Mahnbescheid – Antwortbogen – Aktenzeichen 4650969334.doc downloads the cryptovirus.

Automatically dropped on the machine, the virus gets launched and can compromise the data stored on the system. Cryptovirus can disable Windows startup repair feature, delete Shadow Volume Copies and most importantly – encrypt data stored on the machine. 

The initial email faking to be a foreclosure notification delivers the following(in German):

Ankündigung der Zwangsvollstreckung 
Sehr geehrte Damen und Herren, 
wir haben Sie bereits mehrfach aufgefordert, Ihr Beitragskonto auszugleichen. Zuletzt wurde ein Betrag von 161,00 EUR angemahnt. Trotz unserer nachdrücklichen Aufforderung haben Sie unsere Forderung bisher nicht ausgeglichen. Das Beitragskonto weist aktuell einen Gesamtrückstand von 213,50 EUR auf.

Der Gesamtrückstand errechnet sich aus den festgesetzten Beträgen der Gebührenbescheide und Mahnbeträgen. Eine Zusammenfassung des Gesamtrückstandes finden Sie im Anhang dieser E-Mail. 

Eine Zwangsvollstreckung können Sie nur abwenden, indem Sie den geforderten Betrag innerhalb von 5 Tagen einzahlen und uns eine Kopie des Zahlungsbelegs übermitteln. Oder Sie erteilen uns auf dem beigefügten Antwortbogen ein SEPA-Lastschriftmandat zum Einzug des Rückstands. Wir sind auch bereit, Ihnen eine Ratenzahlung zu gewähren. Teilen Sie uns in diesem Fall unverzüglich mit, welchen Ratenbetrag Sie monatlich zahlen werden. Den Antwortbogen finden Sie im Anhang dieser E-Mail. 

Nach Ablauf dieser Frist werden wir die Forderung dem zuständigen Vollstreckungsorgan zum Einzug übergeben und die Zwangsvollstreckung mit allem Nachdruck (Sach- und/oder Lohnpfändung) betreiben. 

Mit freundlichen Grüßen 

Ihr Beitragsservice von ARD, ZDF und Deutschlandradio

Known versions of Sodinokibi ransomware

REvil ransomware

REvil ransomware is one of the versions that uses Salsa 20 encryption algorithm and changes the original code of the files on the system to have a reason for $2500 ransom demands. It generates a random extension and marks those files with such appendix to show which data got encrypted. However, all these files also become unopenable and useless, so users mainly worry about their files when the cryptovirus like this gets on the machine. The initial money demand appears on the desktop wallpaper or in the text file, in most cases, named after the random file marker or HOW-TO-DECRYPT.txt. From there, you may be redirected to Tor or another browser that shows the ransom amount determined for you in particular and guides you through the payment. However, paying the ransom is not recommended. This threat spreads around by getting on the system through particular vulnerabilities on Windows devices (CVE-2019-2725, CVE-2018-8453), or using direct exploit kits.

Sodin ransomware

Sodin ransomware – version of the Sodinokibi that uses random file marker too, but more often it uses .mc9530 extension, so can sometimes be called like that. Since this is the same family, it also shows the ransom amount on the browser window when the payment suggestion appears. This particular version is demanding a ransom that starts a $2000 but can go up to $5000 in Bitcoin for the alleged file recovery. You shouldn't trust these people in any instance because cybercriminals are focusing on file encryption and money extortion. The more unique fact about this particular version of the threat is the specific region that ransomware targets. It was reported a few times that the Asia-Pacific region is mainly targeted, but researchers know about victims from Europe, North America, and Latin America too.

Sodin ransomware is the versions of this virus
Sodinokibi is known to have REvil and Sodin versions out in the wild already.

Server vulnerability used to install the ransomware

Attackers use the WebLogic vulnerability to deliver this ransomware. Unauthorized access and exploitation of such flaws occur when the patching is not performed in time. That should be done as soon as possible by the servers' administrator. 

This particular vulnerability was recently discovered and reported as the Oracle WebLogic Server that allows criminals to gain access to the targeted server and install malware on the machine. It got already used to spread bots, trojans and other malware or even launch further attacks.

Other common crypto malware distribution techniques can be used to spread this intruder. That includes spam email messages with attached files, infected documents, and hyperlinks leading to direct download of the malicious script or malware payload.

Such infiltration can be avoided by deleting emails from suspicious senders or eliminating file attachments instead of immediately downloading them and opening on the machine. If you get asked to enable content or trigger macros, be aware that the document is infected and once you do so the PC gets malware loaded on the system automatically. 

Get rid of the Sodinokibi ransomware or patch the vulnerability ASAP to avoid infiltration

Sodinokibi ransomware virus is distributed using the recently discovered vulnerability. However, the patch for this flaw was also released, so use it to secure the server and avoid infiltration of this threat and possible infiltration of other malware that may exploit the vulnerability.[7]

However, you got here because you need tips on Sodinokibi ransomware removal already. For that, we recommend getting a reputable anti-malware program and scanning the machine entirely. This way all additional files or programs get indicated and deleted.

You need to remove Sodinokibi ransomware before any other processes because when the system gets cleaned, you can use other tools or software to recover files. Employ Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner, or Malwarebytes and then restore files with your file backups or using the software designed to restore data. 

Sodinokibi ransomware removal technique shown in visual elements

As you should already know, Sodinokibi ransomware is an advanced and difficult threat as it has been produced by GandCrab developers. We have provided a clearer view of the removal process of this malware to lengthen elimination tasks for you. Nevertheless, the simple but accurate video guide should suit especially those users who lack skills in the virus elimination field and have never dealt with such an advanced infection before.

[youtube hkK_6tiDvmk]

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove Sodinokibi virus, follow these steps:

Remove Sodinokibi using Safe Mode with Networking

Reboot the machine in Safe Mode with Networking, so that Sodinokibi ransomware can get properly removed

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Sodinokibi

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Sodinokibi removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Sodinokibi using System Restore

Use System restore to ensure that the device is recovered in the previous state when Sodinokibi ransomware was not on the PC

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Sodinokibi. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that Sodinokibi removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Sodinokibi from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Sodinokibi, you can use several methods to restore them:

Data Recovery Pro is the alternative to file backups

If you need a solution for encrypted files or accidentally deleted data, try Data Recovery Pro

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Sodinokibi ransomware;
  • Restore them.

Windows Previous Versions feature allows to restore files after Sodinokibi ransomware attack

When System Restore gets enabled, you can employ Windows Previous Versions for the process of file recovery

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer – a method for file recovery

When ransomware is not affecting Shadow Volume Copies, ShadowExplorer can be used to restore encrypted data

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Decryption tool for this threat is not developed yet

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Sodinokibi and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

About the author

Lucia Danes
Lucia Danes - Virus researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions


Your opinion regarding Sodinokibi ransomware