{
	"id": "f954f173-1150-4705-8330-5fa4001fb75a",
	"created_at": "2026-04-06T00:22:35.897724Z",
	"updated_at": "2026-04-10T03:24:29.787106Z",
	"deleted_at": null,
	"sha1_hash": "33b214c5fad9a45cae18b8aebe9e4da743912a32",
	"title": "Sodinokibi Ransomware Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4698038,
	"plain_text": "Sodinokibi Ransomware Analysis\r\nBy Jacob Pimental\r\nPublished: 2021-05-02 · Archived: 2026-04-05 17:02:47 UTC\r\n02 May 2021\r\nBy Jacob Pimental\r\nBack in March, a new version of the Sodinokibi (AKA REvil) Ransomware was released. Sodinokibi is a\r\nRansomware-as-a-Service (RaaS) provider that has been covered in the news quite a bit. With the new version out,\r\nI decided to give a technical analysis of how it operates. I got the sample from an overview of the new features\r\nthat R3MRUM gave in a tweet towards the end of March. The file, whose hash is\r\n12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39 , can be found on VirusTotal or\r\nAny.Run.\r\n1. Background\r\n2. Analysis TL;DR\r\n3. Anti-Analysis Features Used in Sodinokibi\r\n1. Dynamic Import Address Table (IAT)\r\n2. String Encryption\r\n4. Configuration Information\r\n5. Command-line Arguments\r\n6. Language Checks\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 1 of 22\n\n7. Key Generation\r\n8. Persistence\r\n1. Run On Startup\r\n2. Reg Key Creation\r\n9. Sodinokibi SafeMode\r\n10. Privilege Escalation\r\n11. Service and Process Killing\r\n12. Shadow Copy Deletion\r\n13. C2 Communication\r\n14. File Encryption\r\n15. Ransom Note Generation\r\n16. Conclusion\r\n17. IOCs\r\n18. ATT\u0026CK Methodologies\r\nBackground\r\nSodinokibi, or REvil, was first discovered in April of 2019 where it was seen exploiting a vulnerability in Oracle\r\nWebLogic. It shares many similarities to the GandCrab ransomware strain that retired around the same time\r\nSodinokibi popped up, leading researchers to speculate whether this ransomware is operated by the same people.\r\nBeing a Ransomware-as-a-Service means that clients will pay the operators for access to the latest version and\r\nhave the group operate the infrastructure for them. There are two fields in Sodinokibi’s configuration that will\r\nkeep track of the client and the particular client campaign during which the ransomware is deployed. You can find\r\nthis information in the configuration section below.\r\nSodinokbi has been seen used in several notable breaches including Travelex and Acer. The group has recently\r\nupdated the strain to add a new feature that will reboot Windows into Safe Mode to bypass AV.\r\nAnalysis TL;DR\r\nSodinokibi will start by dynamically building an import table to make it harder for analysts to statically analyze\r\nthe sample. It also uses encrypted strings throughout the binary to make it difficult to analyze. During the initial\r\nstartup phase, Sodinokibi will decrypt its configuration using RC4 which contains information such as C2\r\ndomains and one of the public keys Sodinokibi will use when encrypting files.\r\nAfter the initial startup phase, Sodinokibi will check the user’s language and keyboard layout to see if they are in a\r\nwhitelisted location. If not, then the ransomware will generate a public and private key pair using the Elliptic-Curve Diffie-Hellman algorithm. Sodinokibi stores private and public keys as well as other important information\r\nin specific registry keys to use next time the sample is run.\r\nThis version of Sodinokibi comes with a new feature known as SafeMode which will reboot the compromised\r\ncomputer into Windows Safe Mode with Networking. This will prevent most antivirus software from running\r\nwhich means Sodinokibi can run without issue.\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 2 of 22\n\nIf the exp value in the configuration is set to true , Sodinokibi will attempt to escalate privileges by prompting\r\nthe user in an endless loop. After this, Sodinokibi will delete shadow copies and kill any processes or services that\r\nmatch a list stored in its configuration. It will also send information about the computer it is running on as well as\r\nthe generated private key to a list of C2 domains during this phase.\r\nFinally, Sodinokibi will use Windows IO Completion Ports to quickly encrypt files on the system, ignoring those\r\nthat match the whitelisted filenames. The files are encrypted using the Salsa20 algorithm with a metadata blob the\r\nattacker can use to decrypt the file being appended to the end. Sodinokibi can walk through local drives as well as\r\nnetwork shares depending on if the -nolan and -nolocal command-line switches are set. After all the files are\r\nencrypted, Sodinokibi will change the user’s background to tell them to read the ransom note.\r\nAnti-Analysis Features Used in Sodinokibi\r\nDynamic Import Address Table (IAT)\r\nSodinokibi will manually load the import address table as an anti-analysis technique. It does this by looping\r\nthrough a list of DWORDs and putting the correct function pointer into the IAT depending on the value of the\r\nDWORD. To bypass this technique, I ran the binary in x64dbg and dumped it after the call to the IAT population\r\nfunction using Scylla. This allowed me to continue analyzing this sample statically without having to worry about\r\nwhich functions were being called.\r\nString Encryption\r\nMost of the strings in the Sodinokibi sample were encrypted. The string decryption function will take five\r\narguments: an address in memory that is served as a base, the offset from that base to the start of the key, the key\r\nlength, the length of the ciphertext, and a pointer to the target variable to populate with the decrypted string.\r\nString Decryption Function\r\nThe function will then take the data from base + offset : base + offset + key_length and store it in a buffer\r\nthat it will use as a key. It will use that key to RC4 decrypt the data at base + offset + key_length : base +\r\noffset + key_length + ciphertext_length . It will store the RC4 decrypted result in the target variable.\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 3 of 22\n\nSubstitution Box generation algorithm which led me to believe this was RC4\r\nStructure of the encrypted data\r\nFrom this information, I created a small script in Python that will take the first four parameters passed into the\r\ndecryption function and return the resulting string. You can find that script on my GitHub.\r\nConfiguration Information\r\nThe configuration for the Sodinokibi sample is stored as an RC4 encrypted JSON string in a section of the binary\r\nappropriately named .cfg . The key for decrypting the configuration is contained in the first 32 bytes of the\r\nsection. After that section is a CRC hash of the ciphertext that Sodinokibi uses to validate the data before\r\ndecrypting. Below is a table of all four parts of the section:\r\nOffset (Bytes) Data\r\n0x0 - 0x20 RC4 Key\r\n0x20 - 0x24 CRC Hash of Ciphertext\r\n0x24 - 0x28 Length of Ciphertext\r\n0x28 - … Ciphertext\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 4 of 22\n\nThe configuration structure is stored in JSON and contains 19 keys. Below is a table of the information stored in\r\nthe config:\r\nField Description\r\npk Public Key stored as a Base64 encoded string\r\npid Unique value that identifies the client\r\nsub Unique value that identifies the campaign\r\ndbg\r\nDetermines whether or not to check the keyboard layout and system language to determine the\r\nuser’s location\r\net\r\nEncryption type to use:\r\n0 - Encrypt all data in a file\r\n1 - Encrypt only the first MB of a file\r\n2 - Encrypt 1 MB then skip the next MBs specified by the spsize field\r\nspsize Number of MBs to skip when et is set to 2\r\nwipe Unused\r\nwfld Unused\r\nwht\r\nContains three lists of whitelisted objects:\r\nfld: Whitelisted Folders\r\nfls: Whitelisted Files\r\next: Whitelisted Extensions\r\nprc List of processes to terminate\r\ndmn List of C2 domains separated by “;”\r\nnet Whether or not to send information to C2\r\nsvc List of services to close and delete\r\nnbody Body of ransom note stored as a Base64 encoded string\r\nnname Filename for the ransom note\r\nexp Whether or not to attempt running the application with Administrator privileges\r\nimg\r\nText to add to the desktop background alerting users that their files are encrypted. Stored as a\r\nBase64 encoded string\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 5 of 22\n\nField Description\r\narn Whether or not to set a registry key to have the application run on startup\r\nrdmcnt\r\nMaximum number of folders to write the ransom note to. If zero, write the ransom note to all\r\nfolders\r\nAn interesting thing to note is that both of the unused fields in the configuration were used in previous versions of\r\nSodinokibi. According to an analysis done from Panda Security, the wipe value was used to determine if\r\nSodinokibi would delete directories stored in the wfld value.\r\nThe full config from this particular sample can be found here.\r\nCommand-line Arguments\r\nThe newest version of Sodinokibi has seven optional command-line switches that control different aspects of the\r\ninfection process. The table below gives an overview of the different switches available:\r\nSwitch Description\r\nnolan Do not encrypt network shares\r\nnolocal Do not encrypt local files\r\npath Specify directory to encrypt\r\nsmode Reboots the computer in Windows Safe Mode\r\nsilent Do not kill processes and services\r\nfast Only encrypts the first MB of a file (sets et to 1)\r\nfull Encrypts entire file (sets et to 0)\r\nLanguage Checks\r\nOne of the first things Sodinokibi will do is identify the user’s location based on the language of the system and\r\nthe user’s keyboard layout. Sodinokibi utilizes the GetUserDefaultUILanguage and\r\nGetSystemDefaultUILanguage functions to get the language code and then runs that code against a list of\r\nhardcoded values. If the system language matches, then the program will exit.\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 6 of 22\n\nList of languages that are whitelisted from being encrypted\r\nNext, it will get a list of input locale identifiers for the system using the GetKeyboardLayoutList function. It will\r\ntake the last byte of these codes and compare them to a hardcoded list of values. If any of the input locale\r\nidentifiers match, then execution is halted.\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 7 of 22\n\nList of input locale codes\r\nSodinokibi looks for\r\nKey Generation\r\nSodinokibi will use the elliptic curve algorithm Curve25519 to generate a public and private key pair as well as\r\nshared keys that will be used for encryption. Once the key pair is generated, Sodinokibi will take the new private\r\nkey and encrypt it using the public key in the configuration, pk , and another public key that is stored in the\r\nbinary.\r\nCode snippet that shows public/private key pair being generated and private key being encrypted\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 8 of 22\n\nThe encryption process works by creating a new, temporary key pair we’ll call tmp_key and creating a shared\r\nkey between the private tmp_key and the public key passed into the function. We will call this shared_key for\r\nsimplicity’s sake. Next, Sodinokibi will generate a random 16 byte IV value. It will then use the IV and\r\nshared_key to encrypt the data that is passed into the function using AES. Finally, Sodinokibi will take the\r\nnewly encrypted data and append the value of shared_key , the IV, and the CRC hash of the encrypted data to the\r\nend.\r\nFunction used to encrypt the private key\r\nFor the ransomware operator to decrypt the data, they would need to use the shared_key and their own private\r\nkey to generate a new Curve25519 shared key. They can use this newly generated shared key to decrypt the data.\r\nAnalysts from Intel471 managed to find the exact open-source implementation of what Sodinokibi is using to\r\nimplement the Curve25519 algorithm. You can read their full report on it here.\r\nPersistence\r\nRun On Startup\r\nIf the value of arn in Sodinokibi’s configuration info is set to true , then it will attempt to make itself\r\npersistent by creating a registry key under SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run . It will create the\r\nkey qZhotTgfr3 with the path to the binary as the value. This will allow the malware to run every time the user\r\nreboots their machine.\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 9 of 22\n\nFunction that will allow the ransomware to run on startup\r\nReg Key Creation\r\nSodinokibi will also store important information such as generated keys in the registry to retrieve them next time\r\nit runs. It will store these keys under SOFTWARE\\BlackLivesMatter . The table below shows the keys it creates and\r\ntheir values:\r\nKey Value\r\n54k Contains the value of pk from the configuration\r\nKrdfp Contains the private key encrypted by the public key in the configuration\r\na0w0 Contains the public key generated from elliptic curve function\r\nhq0G6X Contains the private key encrypted by the public key in the binary\r\nXFx41h1r\r\nContains an encrypted string containing information that is sent to C2 servers (see C2\r\nCommunication section for more info)\r\nx4WHjRs Contains the random file extension that gets appended to encrypted files\r\nSodinokibi SafeMode\r\nOne of the new features from this version of Sodinokibi is the -smode flag. When running with this flag,\r\nSodinokibi will reboot the computer into Windows Safe Mode with Networking. The reason for this is that most\r\nAntivirus software will not run when Windows is in Safe Mode. This allows Sodinokibi to bypass most Antivirus\r\nproducts easily.\r\nTo set up SafeMode, Sodinokibi will grab the current username and change its password to “DTrump4ever”. It\r\nwill then enable Autologon privileges for the user by editing the SOFTWARE\\Microsoft\\Windows\r\nNT\\CurrentVersion\\winlogon registry key. It will also enable the setting for the user to log in with Administrator\r\nprivileges by default.\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 10 of 22\n\nCode that sets automatic logon and changes user password\r\nAfter this, the ransomware will set the SOFTWARE\\Microsoft\\CurrentVersion\\RunOnce registry key to set itself to\r\nrun on the next startup. It will store this information in the registry key AstraZeneca . It will then set the\r\ncomputer to boot into Windows Safe Mode on the next startup using either bootcfg or bcdedit depending on\r\nthe Windows version. You can find the commands in the table below:\r\nWindows Version Command\r\nWin7 or Greater bcdedit /set {current} safeboot network\r\nVista or Below bootcfg /raw /a /safeboot:network /id 1\r\nTo ensure these changes aren’t permanent, the malware will set one more registry key under RunOnce called\r\nMarineLePen . This will contain another bootcfg or bcdedit command that will undo the changes on startup.\r\nWindows Version Command\r\nWin7 or Greater bcdedit /deletevalue {current} safeboot\r\nVista or Below bootcfg /raw /fastdetect /id 1\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 11 of 22\n\nCode that sets the computer to boot into Windows Safe Mode\r\nFinally, the function will restart the computer by running the command SHUTDOWN -r -f -t 02 .\r\nPrivilege Escalation\r\nIf the value of exp in Sodinokibi’s configuration is set to true , it will attempt to escalate privileges to\r\nAdministrator. First, the malware will get a handle to the current process using GetCurrentProcess . It will then\r\ncheck the current permissions that the process is running using OpenProcessToken and GetTokenInformation . If\r\nthe application is already running as Administrator, then the function will exit. If not, it will use the runas\r\ncommand through the function ShellExecute to prompt the user to run the application with Administrator\r\nprivileges. It will continue to prompt the user in an endless loop until the user finally accepts.\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 12 of 22\n\nFunction that will elevate Sodinokibi’s privileges\r\nService and Process Killing\r\nIf Sodinokibi is run without the -silent switch, it will attempt to kill processes and services that match the\r\nvalues in the prc and svc lists in the configuration. It will start this by spawning a thread that will create a\r\nCOM Object for IWbemServices . Sodinokibi will use this COM Object to search for newly created processes or\r\nmodified services with the following queries:\r\nSELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'\r\nSELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Service'\r\nThe IWbemServices::ExecMethodAsync function, shown as offset 0x5c of the created COM Object, will send\r\nthe results to an IWbemObjectSink Interface which runs them through another function at offset 0xb32809 . This\r\nfunction will compare the process/service name against the lists in the configuration and kill them if they match.\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 13 of 22\n\nFunction that kills processes and services using COM Objects\r\nNext, Sodinokibi will use the Service Control Manager to loop through all active services and kill them. It does\r\nthis by getting a handle to the SCManager object by calling OpenSCManager with “ServicesActive” as one of the\r\narguments. Then it will use EnumServicesStatusExW to enumerate the returned services and compare each\r\nservice name to the list in svc . If they match, then Sodinokibi will delete the service using the DeleteService\r\nfunction.\r\nFunction that deletes services using Service Control Manager\r\nFinally, Sodinokibi will loop through any active processes using the Process32FirstW and Process32NextW\r\nfunctions and run the process name against the prc list. If the prc list contains the process name, then the\r\nprocess will be terminated using the TerminateProcess function.\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 14 of 22\n\nLoop that will run active process handles through a function that will terminate them\r\nFunction that will take a process handle and terminate it if it’s in the prc list\r\nShadow Copy Deletion\r\nWhen the -silent switch is not present, the Sodinokibi sample will spawn a thread that will delete any shadow\r\ncopies that are present on the system. It will do this by using COM Objects similar to how it kills processes and\r\nservices. Sodinokibi will run the query select * from Win32_ShadowCopy to retrieve an IEnumWbemClassObject\r\nobject. It will enumerate each shadow copy object using the IEnumWbemClassObject::Next function, grab each\r\nID, and delete it using the IWbemServices::Delete function. The delete function contains a string with the\r\nshadow copy’s ID in the form Win32_ShadowCopy.ID=\u003cID\u003e as the parameter.\r\nFunction that will delete shadow copies using COM Objects\r\nC2 Communication\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 15 of 22\n\nWhen the net value in the configuration info is set to true , Sodinokibi will reach out to one of the Command\r\nand Control (C2) servers from the dmn list. First, it will split the list of domains by the “;” character. For each C2\r\nin the list, Sodinokibi will build up an information string in the following format:\r\n{\r\n \"ver\":\"Version info (0x205, or 2.05 in this case)\",\r\n \"pid\":\"pid value from config\",\r\n \"sub\":\"sub value from config\",\r\n \"pk\": \"pk value from config, base64 decoded\",\r\n \"uid\":\"Volume Serial Number and CPU Info\",\r\n \"sk\": \"Private Key encrypted by the value of pk\",\r\n \"unm\":\"Account Username\",\r\n \"net\":\"Computer Name\",\r\n \"grp\":\"Computer Domain Name\",\r\n \"lng\":\"Language Used (i.e. en-us)\",\r\n \"bro\":\"Boolean returned by the language and keyboard check\",\r\n \"os\": \"Product Name\",\r\n \"bit\":\"Architecture Used (x32 or x64)\",\r\n \"dsk\":\"Base64 encoded information about the drives on the computer\",\r\n \"ext\":\"Generated extension used for encrypted files\"\r\n}\r\nSodinokibi will then take this JSON string and encrypt it using a third public key that is stored in the binary. It will\r\nuse the same encryption method that was used to encrypt the generated secret key that was described earlier in this\r\nreport. Once the JSON information is encrypted, Sodinokibi will take the C2 domain and start to build a random\r\nURL in the following form:\r\n https://\u003cdomain\u003e/(wp-content|static|content|include|uploads|news|data|admin)/(images|pictures|image|temp|tmp|g\r\nSodinokibi will then send the data in a POST request with the following headers:\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.1\r\nContent-Type: application/octet-stream\r\nConnection: close\r\nFunction that handles connection for C2 domain, with renamed functions to make it clear what the function is\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 16 of 22\n\ndoing\r\nFile Encryption\r\nTo perform file encryption, Sodinokibi uses I/O Completion Ports to speed up walking the file system. This\r\nessentially allows the ransomware to create multiple threads that will wait for a file handle. Once one is sent over,\r\nthe first available thread will take it and encrypt the file using the Salsa20 Algorithm.\r\nCode that will create a new completion port to use\r\nOnce the completion port is created, Sodinokibi will walk the local file system if the -nolocal command-line\r\nswitch is not set. It will start by enumerating drives and checking the drive type using GetDriveTypeW . If the\r\ndrive is valid, it will walk through the files in it using FindFirstFileExW and FindFirstFileW depending on the\r\nWindows version. It will also check each file and folder name against the fld , fls , and ext lists to see if it is\r\nwhitelisted from being encrypted. It will also not encrypt a file if it is already marked as encrypted by the\r\nWindows File System.\r\nIf the nolan command-line switch is not set, then Sodinokibi will enumerate network shares. It will use\r\nWNetOpenEnumW and WNetEnumResourceW to get shares to which is can connect. To get permission to access these\r\nshares, Sodinokibi will attempt to impersonate the current user using the ImpersonateLoggedOnUser function.\r\nSodinokibi will first grab the Process ID of “explorer.exe” and use that to grab the access token of the user. It can\r\nuse that access token to access objects for which the user already has access.\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 17 of 22\n\nFunction that will encrypt remote drives\r\nFor every folder that Sodinokibi finds while walking the file system, it will write a ransom note to it. It will then\r\ncompare a variable against the value of rdmcnt . If it is greater than rdmcnt , it will not write the note. If\r\nrdmcnt is equal to zero, then it will write notes in every folder regardless of the count. The count variable will\r\nthen increment and the function will exit. This count variable is reset on every drive that gets encrypted, leading\r\nme to believe that the rdmcnt value dictates the maximum number of ransom notes Sodinokibi will write to a\r\ndrive.\r\nFor each file, Sodinokibi will build a metadata structure that it will append to the end of the encrypted file. This\r\nvalue is part of the lpOverlapped structure that gets passed to the IO Completion Port. The structure can be\r\ndefined as the following:\r\nstruct rvl_struct {\r\n BYTE priv_key_encrypted_w_config_pk[88],\r\n BYTE priv_key_encrypted_w_bin_pk[88],\r\n BYTE generated_pub_key[32],\r\n BYTE salsa20_IV,\r\n DWORD crc_of_pub_key,\r\n DWORD value_of_et,\r\n DWORD spsize,\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 18 of 22\n\nDWORD salsa20_encrypted_null_value\r\n}\r\nThis structure is used to verify that the file is encrypted and is used to decrypt the file by the attacker. Using this\r\nstructure, the operator can decrypt the generated private key and use that with the salsa20 IV to decrypt the file.\r\nOnce this metadata structure is set up, the file will be posted to the IO Completion Port to be encrypted by one of\r\nthe spawned threads. Depending on the encryption type, Sodinokibi will either encrypt the entire file ( et =0),\r\nonly encrypt the first MB ( et =1), or encrypt one MB of the file, skip spsize MBs then encrypt another MB\r\nand repeat ( et =2). Once the file is encrypted, Sodinokibi will append the metadata blob to the end and move to\r\nthe next file.\r\nOnce all files are encrypted, Sodinokibi will set the background image to display the text from the img value in\r\nthe configuration. In this case, it will display:\r\nAll of your files are encrypted!\r\nFind {EXT}-readme.txt and follow instuctions\r\nRansom Note Generation\r\nThe ransom note is stored as a Base64 encoded string in Sodinokibi’s configuration under the nbody field. The\r\nnote in this sample contains:\r\n---=== Welcome. Again. ===---\r\n[+] Whats Happen? [+]\r\nYour files are encrypted, and currently unavailable. You can check it: all files on your system has extension {E\r\nBy the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you\r\n[+] Attention!!! [+]\r\nAlso your private data was downloaded.\r\nWe will publish it in case you will not get in touch with us asap.\r\n[+] What guarantees? [+]\r\nIts just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not d\r\nTo check the ability of returning files, You should go to our website. There you can decrypt one file for free.\r\nIf you will not cooperate with our service - for us, its does not matter. But you will lose your time and data,\r\n[+] How to get access on website? [+]\r\nYou have two ways:\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 19 of 22\n\n1) [Recommended] Using a TOR browser!\r\n a) Download and install TOR browser from this site: https://torproject.org/\r\n b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}\r\n2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:\r\n a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)\r\n b) Open our secondary website: http://decoder.re/{UID}\r\nWarning: secondary website can be blocked, thats why first variant much better and more available.\r\nWhen you open our website, put the following data in the input form:\r\nKey:\r\n{KEY}\r\n-----------------------------------------------------------------------------------------\r\n!!! DANGER !!!\r\nDONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus sol\r\n!!! !!! !!!\r\nONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make every\r\n!!! !!! !!!\r\nThe note contains three template variables: {UID} , {KEY} , and {EXT} . The {UID} variable will correspond\r\nwith the CRC of the infected computer’s volume serial number and other information about the CPU. This data is\r\nused as a distinct identifier that Sodinokibi can use to keep track of the computer. The {EXT} value will\r\ncorrespond with the randomly generated extension that Sodinokibi will append to encrypted files. Finally, the\r\n{KEY} value is the encrypted JSON string that Sodinokibi will send to the Command and Control server. You can\r\nsee how this is generated in the C2 Communication section of this post.\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 20 of 22\n\nFunction that will generate the ransom note body\r\nOnce the ransom note string is generated, Sodinokibi will write it to the filename specified in the nname field of\r\nthe configuration, which in this sample is {EXT}-readme.txt . It will replace the {EXT} value of the filename\r\nwith the randomly created extension, just like it does for the ransom note body.\r\nConclusion\r\nSodinokibi is a complex ransomware strain with many different features that the group continues to add to all the\r\ntime. This latest version added the new SafeMode feature which is a smart way to bypass AV. There is definitely a\r\nlot to write about when it comes to this ransomware, and unfortunately, I could not cover it all in a single post. If\r\nyou have any questions or comments about this analysis, feel free to reach out to me on my Twitter or LinkedIn.\r\nThanks for reading and happy reversing!\r\nIOCs\r\nSHA-256: 12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39\r\nRegistry Keys:\r\nSOFTWARE\\BlackLivesMatter\\54k\r\nSOFTWARE\\BlackLivesMatter\\Krdfp\r\nSOFTWARE\\BlackLivesMatter\\a0w0\r\nSOFTWARE\\BlackLivesMatter\\hq0G6X\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 21 of 22\n\nSOFTWARE\\BlackLivesMatter\\XFx41h1r\r\nSOFTWARE\\BlackLivesMatter\\x4WHjRs\r\nMutexes:\r\nGlobal\\F69C27FF-AB15-CCAA-A2D6-7F7ADA90E7E3\r\nHTTP Headers:\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.12\r\nContent-Type: application/octet-stream\r\nConnection: close\r\nURL Regex:\r\nhttps:\\/\\/[^\\/]+\\/(wp-content|static|content|include|uploads|news|data|admin)\\/(images|pictures|image|temp|tmp|g\r\nATT\u0026CK Methodologies\r\nATT\u0026CK ID ATT\u0026CK Technique\r\nT1098 Account Manipulation\r\nT1547 Boot or Logon Autostart Execution\r\nT1548 Abuse Elevation Control Mechanism\r\nT1134 Access Token Manipulation\r\nT1112 Modify Registry\r\nT1027 Obfuscated Files or Information\r\nT1083 File and Directory Discovery\r\nT1135 Network Share Discovery\r\nT1486 Data Encrypted for Impact\r\nT1489 Service Stop\r\nMalware Analysis, Sodinokibi, Ransomware, Cutter, Automation\r\nMore Content Like This:\r\nSource: https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nhttps://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis\r\nPage 22 of 22",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis"
	],
	"report_names": [
		"sodinokibi-ransomware-analysis"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434955,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/33b214c5fad9a45cae18b8aebe9e4da743912a32.pdf",
		"text": "https://archive.orkl.eu/33b214c5fad9a45cae18b8aebe9e4da743912a32.txt",
		"img": "https://archive.orkl.eu/33b214c5fad9a45cae18b8aebe9e4da743912a32.jpg"
	}
}