{
	"id": "dde16026-9768-405f-9a8d-989cad1f1d2c",
	"created_at": "2026-04-06T00:12:56.074776Z",
	"updated_at": "2026-04-10T03:29:28.436023Z",
	"deleted_at": null,
	"sha1_hash": "54a3a16324ee1a160144c4cf65ee41fca1f9db72",
	"title": "Ransomware REvil - Sodinokibi: Technical analysis and Threat Intelligence Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2319433,
	"plain_text": "Ransomware REvil - Sodinokibi: Technical analysis and Threat Intelligence Report\r\nBy TG Soft S.r.l. - https://www.tgsoft.it\r\nArchived: 2026-04-05 16:01:30 UTC\r\n\r\nSodinokibi ransomware, also known as REvil, made its first appearance in April 2019, when it exploited the Oracle WebLogic Server vulnerability to propagate itself.\r\nC.R.A.M. (Research Centre Anti-Malware) of TG Soft has analysed the evolution of the ransomware over the last few months.\r\nDownload the report in PDF: Technical analysis and Threat Intelligence REPORT\r\nLast update: 2019-08-08\r\nSUMMARY\r\n==\u003e Infection Vector\r\n==\u003e Sodinokibi Ransomware Analysis\r\n==\u003e Calculate the private and public keys\r\n==\u003e sk_key Data Structure\r\n==\u003e 0_key Data Structure\r\n==\u003e Registry Key “stat”\r\n==\u003e Ransom instruction\r\n==\u003e File encryption\r\n==\u003e C2 Server\r\n==\u003e Ransom payment\r\n==\u003e How does decryption work?\r\n==\u003e Versions\r\n==\u003e Telemetry\r\n==\u003e Conclusion\r\nhttps://www.tgsoft.it/english/news_archivio_eng.asp?id=1004\r\nPage 1 of 23\r\nIntroduction\r\nIn Italy it made its first appearance on May 24th 2019, with an RDP attack, as we reported in our tweet of May 28th 2019:\r\nThe authors of Sodinokibi ransomware, even though these are the first versions of their creation, seem to have long experience in this kind of cyber-crime threat.\r\nSome researchers have identified similarities with GandCrab ransomware, whose project was shut down at the beginning of June. Sodinokibi ransomware seems to be the right candidate to fill the hole left behind by GandCrab.\r\nInfection Vector\r\nSodinokibi ransomware uses different methods of propagation:\r\nOracle WebLogic Server Vulnerability\r\nRDP attacks\r\nSpam Campaigns\r\nWatering hole\r\nExploit kit and malvertising\r\nIn Italy, we have observed that Sodinokibi ransomware used various methods of propagation. 
All such methods have been found in Italy except the Oracle WebLogic Server vulnerability.\r\nThe first attack we have on record was on 24th May 2019; in this case the infection vector was an RDP attack. This kind of infection vector brute-forces credentials and has already been used by other ransomware such as Dharma.\r\nInterestingly, the IP 151.106.56[.]254 used by the cyber criminals to access via RDP was the same IP identified in other RDP attacks in June of this year.\r\nAffiliates have used spam campaigns to distribute Sodinokibi ransomware; these were recorded in June. A new campaign was discovered which impersonates:\r\nBooking.com\r\nDHL\r\nThe “Booking.com” campaign in the summer months is a very apt choice: with the summer holiday season approaching, it may induce victims to open the attachment.\r\nIn the images below, we can see the two malspam campaigns of Sodinokibi.\r\nIn Italy the first case of watering hole was recorded on the website “winrar.it”, a distributor of WinRar in Italy. For the whole day on Wednesday 19th June, Sodinokibi was downloaded instead of the WinRar setup.\r\nIn 2016 the “winrar.it” website had already been attacked by the APT StrongPity; that too was a watering hole attack, in which the WinRar setup was modified to include and download the StrongPity spy malware as well.\r\nWhile in 2016 the attack on “winrar.it” was organized by a professional cyber-espionage organization, in this year's attack the attackers simply replaced the WinRar setup with Sodinokibi. 
Those who downloaded WinRar in the afternoon of 19th June could notice something strange in the downloaded file: the icons, in fact, are not like the WinRar ones, as we can see in the figures below:\r\nIn addition, running the file does not install WinRar, as it did in the StrongPity case.\r\nThe attackers exploited the watering hole on winrar.it poorly.\r\nIn other cases involving the spread of Sodinokibi, recorded in Italy on 7th June 2019, malvertising attacks were used.\r\nThe authors of Sodinokibi seem to be very active in spreading the ransomware.\r\nSodinokibi Ransomware Analysis\r\nWe now analyze Sodinokibi version 1.1.\r\nWhen the infected file is executed, Sodinokibi generates a different mutex for each build, for example:\r\nGlobal\\D382D713-AA87-457D-DDD3-C3DDD8DFBC96\r\nA section of the infected file is decrypted with RC4; this section contains the configuration of the malware, structured in this way:\r\n{\r\n    \"pk\": \"\",\r\n    \"pid\": \"\",\r\n    \"sub\": \"\",\r\n    \"dbg\": ,\r\n    \"fast\": ,\r\n    \"wipe\": ,\r\n    \"wht\": {\r\n        \"fld\": [],\r\n        \"fls\": [],\r\n        \"ext\": []\r\n    },\r\n    \"wfld\": [],\r\n    \"prc\": [],\r\n    \"dmn\": \"\",\r\n    \"net\": ,\r\n    \"nbody\": \"\",\r\n    \"nname\": \"\",\r\n    \"exp\": ,\r\n    \"img\": \"\"\r\n}\r\nIn the table below we see the description of the fields:\r\nField - Description\r\npk - Public key in base64\r\npid - Identifier of the distributor\r\nsub - Identifier of the subscription\r\ndbg - Debug: true/false\r\nfast - true/false\r\nwipe - true/false\r\nwht -\u003e fld - Folder exclusions\r\nwht -\u003e fls - File exclusions\r\nwht -\u003e ext - Extension exclusions\r\nwfld - Folders to wipe\r\nprc - Processes to terminate\r\ndmn - C2 domains\r\nnet - Encrypt files on the network: true/false\r\nnbody - Instructions for payment\r\nnname - {EXT}-readme.txt (EXT is the extension of the encrypted files)\r\nexp - Exploit: true/false\r\nimg - Image shown as the encryption alert on the desktop\r\nIf the \"exp\" field is \"true\", a 32- or 64-bit shellcode is executed to elevate privileges through the exploit for CVE-2018-8453.\r\nThe next step is to create the registry key REcfg if it does not already exist:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\recfg\r\nIf the malware does not have permission to create the key there, it is created under HKEY_CURRENT_USER.\r\nThe following values are created within REcfg:\r\npk_key\r\nsk_key\r\n0_key\r\nrnd_ext\r\nstat\r\nCalculate the private and public keys\r\nNow the private and public keys are calculated, as we can see in the figure:\r\nPrivate and public keys are calculated in this way:\r\nThe private key is generated from a 256-bit random number; in the figure we can see the random number generation subroutine PRNG (PseudoRandom Number Generator):\r\nThe PRNG routine uses the Intel Ivy Bridge hardware generator, based on the NIST SP 800-90 guidelines, through a call to the rdrand assembly instruction.\r\nThe random number generated, before it becomes the private key, is processed in this way:\r\nAt this point, the public key is generated from the private key. 
The private and public keys are generated using ECC (Elliptic Curve Cryptography).\r\nThe keys (private and public) are both 256-bit numbers, which define two points on the elliptic curve.\r\nThe key exchange is done with the “Elliptic Curve Diffie-Hellman” (ECDH) method, where:\r\ndA*PB = dB*PA\r\nGiven G, a fixed point of the curve:\r\ndA = private key of A (secret random number)\r\nPA = G*dA = public key of A (G multiplied by dA)\r\ndB = private key of B (secret random number)\r\nPB = G*dB = public key of B\r\nSodinokibi uses the elliptic curve “Curve25519”, developed by Dan Bernstein, in which G={9}, as suggested in the Twitter post of Eric Klonowski (@noblebarstool).\r\nAfter Sodinokibi has generated the ECC key pair in memory, which we call dk_key (private key) and pk_key (public key), the public key is stored in the recfg registry key inside the value pk_key:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\recfg\r\n[pk_key] = Public Key\r\nBack on top\r\nsk_key Data Structure\r\nAt this point the sk_key data structure is generated by the call to the Sub_13597B subroutine:\r\npBuff_sk_key = Sub_13597B (key_pubblica_json, key_privata, size IN, size out)\r\nSub_13597B aims to encrypt the generated private key inside the sk_key data structure.\r\nSub_13597B takes 4 input parameters:\r\nkey_pubblica_json: public key “pk” inside the json configuration section\r\nkey_privata: the generated private key “dk”\r\nsize IN: size of “dk”\r\nsize out: size of the sk_key structure\r\nThe Sub_13597B subroutine executes the following steps:\r\nAllocate a buffer of 0x58 bytes and copy the private key (dk_key) “key_privata” into the buffer at offset 0x4\r\n1. Calculate a new pair of ECC keys, one private (dk_new) and one public (pk_new)\r\n2. Calculate dk_new*pk -\u003e shared_key_new (where pk is the public key inside the json configuration section) and hash the result with SHA-3.\r\n3. Calculate a random number of 16 bytes -\u003e random_16; it will be used as the IV (initialization vector) for AES\r\n4. Encrypt the allocated buffer from 0 to 0x24 with AES-256 CTR, using the IV and SHA-3 (shared_key_new)\r\n5. Copy the public key pk_new into the allocated buffer at offset 0x24\r\n6. Copy the random number random_16 into the allocated buffer at offset 0x44\r\n7. Calculate the CRC32 of the allocated buffer from 0 to 0x24 and save the result at offset 0x54\r\n8. The Sub_13597B subroutine returns the pointer to the allocated buffer of 0x58 bytes, i.e. the sk_key data structure.\r\nThe sk_key data structure, as we see in the figure on the right, will be stored in the registry under the same name.\r\nWe can see the call to AES-256 in CTR mode in the figure below:\r\nAES CTR follows this scheme:\r\n0_key Data Structure\r\nThe 0_key data structure is generated in a similar way, by the call to the Sub_13597B subroutine:\r\npBuff_0_key = Sub_13597B (master_key_pubblica, key_privata, size IN, size out)\r\nThe procedure for generating the 0_key data structure is similar to that of the sk_key data structure; in this case a “master public key” stored inside the executable file is used instead of the public key pk (the one inside the json configuration section).\r\nThe “embedded” master public key is:\r\n79 CD 20 FC E7 3E E1 B8 1A 43 38 12 C1 56 28 1A\r\n04 C9 22 55 E0 D7 08 BB 9F 0B 1F 1C B9 13 06 35\r\nInside the 0_key data structure we have the dk private key encrypted through the “master public key”.\r\nThe 0_key data structure, as we see in the figure on the right, will be saved in the registry under the same name.\r\nRegistry Key “rnd_ext”\r\nThe value “rnd_ext” is stored inside the registry key REcfg; it contains the randomly generated extension of the encrypted files.\r\nRegistry Key “stat”\r\nThe value “stat” is stored inside the registry key REcfg; it contains the following formatted string:\r\n{\"ver\":%d,\"pid\":\"%s\",\"sub\":\"%s\",\"pk\":\"%s\",\"uid\":\"%s\",\"sk\":\"%s\",\r\n\"unm\":\"%s\",\"net\":\"%s\",\"grp\":\"%s\",\"lng\":\"%s\",\"bro\":%s,\"os\":\"%s\",\r\n\"bit\":%d,\"dsk\":\"%s\",\"ext\":\"%s\"}\r\nIt is stored in “stat” in encrypted and base64-encoded form.\r\nName - Description\r\nver - Version of Sodinokibi\r\npid - PID of the json\r\nsub - SUB of the json\r\npk - PK of the json\r\nuid - CRC32 of the “processor brand string” and Volume Serial Number (8 bytes)\r\nsk - sk_key in BASE64\r\nunm - Username\r\nnet - Name of the computer\r\ngrp - Name of the workgroup or domain\r\nlng - Language ID\r\nbro - true/false, whether the language ID is a \"friend\"\r\nos - Operating system\r\nbit - Value: 86 or 64\r\ndsk - Disk information in base64 (drive and free space)\r\next - Extension of the encrypted files\r\nCountries considered “friends” on the basis of the “bro” value:\r\nRomania\r\nRussia\r\nUkraine\r\nBelarus\r\nEstonia\r\nLatvia\r\nLithuania\r\nTajikistan\r\nIran\r\nArmenia\r\nAzerbaijan\r\nGeorgia\r\nKazakhstan\r\nKyrgyzstan\r\nTurkmenistan\r\nUzbekistan\r\nThe Sodinokibi ransomware terminates its own process if the keyboard language belongs to the list of countries considered \"friends\".\r\nThe formatted “stat” string is encrypted with a master public key stored inside the executable file.\r\nThe “embedded” master public key is:\r\n36 7D 49 30 85 35 C2 C3 68 60 4B 4B 7A BE 83 53\r\nAB E6 8E 42 F9 C6 62 A5 D0 6A AD C6 F1 7D F6 1D\r\nRansom instruction\r\nThe ransom instructions are prepared from the body, which is extracted from the “nbody” 
field of the json configuration.\r\nThe body is formatted with the following values:\r\nuid\r\nrnd_ext\r\nstat in base64\r\nThe “uid” is the user ID calculated from the CRC of the “processor brand string” and the Volume Serial Number, and is used to compose the URL where the ransom payment is to be made:\r\nhttp://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/\u003cuid\u003e\r\nhttp://decryptor.top/\u003cuid\u003e\r\nTerminate Processes and delete Shadow Copies\r\nThe processes listed in the JSON configuration under “prc” are killed, and the Windows shadow copies are deleted with the following command:\r\ncmd.exe /c vssadmin.exe Delete Shadows /All /Quiet \u0026 bcdedit /set {default} recoveryenabled No \u0026 bcdedit /set {default} bootstatuspolicy ignoreallfailures\r\nWipe\r\nThe malware then checks the \"wipe\" value in the JSON configuration and, if it is set to true, deletes all the files contained in the folders listed in the \"wfld\" value of the JSON configuration.\r\nFile encryption\r\nA thread is created which waits on the “GetQueuedCompletionStatus” function.\r\nFiles on the local disks and on network folders (if the “net” parameter of the JSON configuration is “true”) are enumerated, then file encryption proceeds.\r\nIn every folder a .lock file is created, together with the ransom instructions, named {random extension}-readme.txt.\r\nFiles and folders matching the JSON \"wht\" field, which contains the subfields \"fld\", \"fls\" and \"ext\" (respectively \"folders\", \"files\" and \"extensions\"), are excluded from encryption.\r\nHere is an example:\r\n\"wht\": {\r\n        \"fld\": [\"google\", \"mozilla\", \"$windows.~bt\", \"programdata\", \"$recycle.bin\", \"program files (x86)\", \"appdata\", \"msocache\", \"program files\", \"windows.old\", \"$windows.~ws\", \"application data\", \"perflogs\", \"windows\", \"boot\", \"intel\", \"system volume information\", \"tor browser\"],\r\n        \"fls\": [\"bootsect.bak\", \"autorun.inf\", \"ntldr\", \"ntuser.dat.log\", \"ntuser.ini\", \"boot.ini\", \"ntuser.dat\", \"bootfont.bin\", \"desktop.ini\", \"thumbs.db\", \"iconcache.db\"],\r\n        \"ext\": [\"exe\"]\r\n    }\r\nFor each file to be encrypted a Salsa20 key is generated, as follows:\r\nThe encryption algorithm used by Sodinokibi is Salsa20.\r\nThe encryption key for Salsa20 is obtained in this way:\r\n1. Calculate a new pair of ECC private/public keys (dk_new_file, pk_new_file)\r\n2. Calculate SHA-3 (dk_new_file*pk_key) -\u003e shared_key_salsa (where pk_key is the public key stored in the registry under the pk_key value). In shared_key_salsa we obtain the key that is inserted into the Salsa20 master table.\r\n3. Calculate a random number of 8 bytes as the initialization vector of the Salsa20 master table.\r\n4. Compose the Salsa20 master table.\r\nA data structure is created in memory that holds:\r\nHandle of the file to be encrypted\r\nsk_key\r\n0_key\r\npk_new_file\r\nInitialization vector of Salsa20\r\nThe CRC32 of pk_new_file\r\nMaster table of Salsa20\r\nThis data structure is passed to the previously created thread through the API functions:\r\nCreateIoCompletionPort\r\nPostQueuedCompletionStatus\r\nThe thread waits on the GetQueuedCompletionStatus API function; when it receives a new call it starts the file encryption phase with the Salsa20 algorithm and then appends the part of the data structure that contains the following fields:\r\nsk_key\r\n0_key\r\npk_new_file\r\nInitialization vector of Salsa20\r\nThe CRC32 of pk_new_file\r\nThe size of the appended part varies according to the version of the Sodinokibi malware. 
In versions 1.0 and 1.1 the length is 0xE0 bytes, whereas in version 1.2 it is 0xE4 bytes.\r\nIn the figure we can see the encryption scheme of Sodinokibi version 1.1:\r\nDesktop image\r\nAt the end of the file encryption, the next step is to modify the desktop image, which we can see in the figure on the right.\r\nThe image is generated using the graphics API functions, and the text, loaded from the “img” field of the JSON configuration, is inserted using the “DrawText” function.\r\nC2 Server\r\nWe find a list of 1079 domains inside the JSON configuration. Sodinokibi connects to each domain of this list, generating a URL through a DGA algorithm using the following terms:\r\nTerms: wp-content, pictures, news, pics, admin, data, temp, graphic, game, static, assets, tmp, uploads, images, include, image, content\r\nExtensions: jpg, gif, png\r\nhttps://\u003chost\u003e/\u003cterm 1\u003e/\u003cterm 2\u003e/\u003crandom chars\u003e.\u003cextension\u003e\r\nSome examples:\r\nhttps://stagefxinc[.]com/wp-content/pictures/pmkapi.jpg\r\nhttps://birthplacemag[.]com/admin/pictures/hpxxqbak.gif\r\nhttps://clemenfoto[.]dk/news/pics/ohxkyt.gif\r\nhttps://wineandgo[.]hu/admin/pics/ahlpbrzo.jpg\r\nhttps://lexced[.]com/data/temp/hpttgdyg.png\r\nSodinokibi transmits the \"stat\" data structure in encrypted form through a \"POST\" to each domain of the list.\r\nFrom our analysis only some of the domains in the list responded with \"HTTP/1.1 200 OK\".\r\nBut this does not mean that one of these domains is that of the Sodinokibi C2 server.\r\nRansom payment\r\nAccording to the ransom instructions, the victim has to connect to the following domains for the payment methods:\r\nhttp://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion/\u003cuid\u003e\r\nhttp://decryptor[.]top/\u003cuid\u003e\r\nVictims are first asked to enter (img.1) the random extension and the “Key” value contained in the ransom instructions (it is the encrypted “stat”, base64-encoded).\r\nWhen victims input this data, the payment amount is generated (img.2), information is provided on how to purchase Bitcoin (img.3), and in addition a support chat is included (img.4), as we can see in the following images:\r\nThe wallet for payment is generated automatically for each victim; the ransom price is $ 2,500 and doubles to $ 5,000 if payment is not made within 7 days.\r\nHow does decryption work?\r\nThe only way to recover the files encrypted by Sodinokibi is with the “dk_key” private key. The decryption key is encrypted inside “sk_key” and “0_key”.\r\nThe attacker recovers “dk_key” in one of these ways:\r\n1. Decrypting sk_key\r\n2. Decrypting 0_key\r\nNow, in order to decrypt “sk_key”, the attacker uses a secret key, the private key “dk”, which only they know. 
The private key “dk” is the private key corresponding to the public key “pk” stored in the json configuration.\r\nThe public key “pk_new” is stored unencrypted inside the “sk_key” structure.\r\nThe value dk * pk_new = shared_key_new is calculated.\r\nThe “shared_key_new” is the same as dk_new*pk.\r\nThe private key (dk_key) is encrypted with AES-256 CTR through \"SHA-3 (shared_key_new)\" and the random number (IV) which is at offset 0x44.\r\nDecrypting the buffer from 0x4 to 0x24 with AES-256, through \"SHA-3 (shared_key_new)\" and the random number, you get \"dk_key\".\r\nThe same procedure can be performed to decrypt “0_key”; in this case the master private key, which only the authors of Sodinokibi know, is used to get “dk_key”.\r\nNow that we know dk_key, to determine the encryption key used in Salsa20 we execute the following operation:\r\nSHA-3 (dk_key *pk_new_file) = shared_key_salsa\r\nwhere the public key pk_new_file is stored unencrypted at the end of the encrypted file.\r\nshared_key_salsa is also equal to SHA-3 (dk_new_file*pk_key)\r\nIn shared_key_salsa we have the key that is inserted into the Salsa20 master table.\r\nNow it is possible to decrypt the files through shared_key_salsa.\r\nVersions\r\nThe authors of Sodinokibi have developed the following versions:\r\nVersion - Date - Size of appended data\r\n1.0a - 2019-04-23 - 0xe0\r\n1.0b - 2019-04-27 - 0xe0\r\n1.0c - 2019-04-29 - 0xe0\r\n1.1 - 2019-05-05 - 0xe0\r\n1.2 - 2019-06-10 - 0xe4\r\n1.3a - 2019-07-08 - 0xe4\r\n1.3b - 2019-08-02 - 0xe4\r\nVersion 1.2\r\nIn version 1.2 the registry value \"sub_key\" has been added, which contains the public key of the json configuration (pk), and the size of the data appended to the encrypted files is 0xe4 bytes, where an additional control dword with value 0 has been added.\r\nVersion 1.3\r\nIn this version a field called “svc” has been added to the json config. This field contains a list of services to delete, as we can see in the figure.\r\nFurthermore, to verify whether the victim is from a “friend” country, in addition to the check on the keyboard language, checks on the default language and on the system language have been added, as we can see in the figure.\r\nIt uses WQL to detect the creation of processes:\r\nSELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'\r\nFurthermore it uses a new registry key instead of “REcfg”:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\QtProject\\OrganizationDefaults\r\nInside QtProject\\OrganizationDefaults the following values are saved:\r\npvg\r\nsxsP\r\nBDDC8\r\nf7gVD7\r\nXu7Nnkd\r\nsMMnxpgk\r\nComparison table for versions 1.2 and 1.3:\r\nVers. 1.2: REcfg -\u003e Vers. 1.3a: QtProject\\OrganizationDefaults\r\nsub_key -\u003e pvg\r\npk_key -\u003e sxsP\r\nsk_key -\u003e BDDC8\r\n0_key -\u003e f7gVD7\r\nrnd_ext -\u003e Xu7Nnkd\r\nstat -\u003e sMMnxpgk\r\nTelemetry\r\nThe trend of the Sodinokibi malware campaigns has been monitored between April and July 2019.\r\nIn the table below we can see the campaigns monitored:\r\nThe fields of the table are the following:\r\n1. Campaign date\r\n2. Type of campaign\r\n3. PK (public key inside the JSON configuration)\r\n4. PID present in the JSON configuration\r\n5. SUB present in the JSON configuration\r\n6. Sodinokibi version\r\n7. Compilation date of the Sodinokibi master file\r\nThe PID field identifies the group that has acquired the Sodinokibi ransomware service (RaaS). 
The SUB field probably identifies the “SUBSCRIPTION”, that is, the period of validity of the service.\r\nPID \u0026 SUB pairs with identical values have the same public key (PK), as we can see in the case of PID: 7 and SUB: 3.\r\nThe campaign with PID 7 was the first to use the Oracle WebLogic vulnerability to distribute the ransomware, on 25 April 2019 (SUB: 3); the same group seems to be associated with the watering hole attack campaign on the distributor of WinRar in Italy on 19th June 2019, with a new SUB: 474.\r\nAs we can see, the group with PID: 7 has purchased more than one subscription period. Using the three parameters PID-SUB-PK, one can identify the campaigns associated with the same actor.\r\nUntil early July of this year, PID 40 was the highest value; this suggests that there are at least 40 different groups. The highest value of SUB was 607, which could indicate that at least 607 subscription periods have been purchased.\r\nIn the graph below we compare the compilation date of the malware and the SUB value present in the json configuration. It is possible to see how the curve grows, strongly suggesting that the Sodinokibi CryptoMalware is distributed with the “as-a-service” model.\r\nConclusion\r\nThe authors of Sodinokibi are individuals with a certain level of technical knowledge; probably this ransomware is not their first creation, and it is actively developed.\r\nThis project is developed to be distributed with the RaaS (Ransomware-as-a-Service) model.\r\nSodinokibi ransomware uses the Salsa20 algorithm for file encryption, with a key exchange method based on ECDH.\r\nThe Sodinokibi operation has spread widely in the last month, through different methods of distributing the ransomware: malspam, RigEK, RDP attacks, etc. 
With the recent decision to shut down the GandCrab ransomware operation, the attackers left a hole that seems to have been exploited by Sodinokibi.\r\nIOC\r\nMD5:\r\nURL:\r\naplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion\r\ndecryptor[.]top\r\nAuthors: Gianfranco Tonello, Michele Zuin and Federico Girotto\r\nTG Soft's Research Centre (C.R.A.M.)\r\nAny information published on our site may be used and published on other websites, blogs, forums, Facebook and/or in any other form, both in paper and electronic form, as long as the source is always and in any case cited explicitly as “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and/or web page from which textual content, ideas and/or images have been extrapolated.\r\nIn case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in summary articles, the following acknowledgment/thanks will be appreciated: “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft, of which we point out the direct link to the original information: [direct clickable link]”\r\nSource: https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004"
	],
	"report_names": [
		"news_archivio_eng.asp?id=1004"
	],
	"threat_actors": [
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434376,
	"ts_updated_at": 1775791768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54a3a16324ee1a160144c4cf65ee41fca1f9db72.pdf",
		"text": "https://archive.orkl.eu/54a3a16324ee1a160144c4cf65ee41fca1f9db72.txt",
		"img": "https://archive.orkl.eu/54a3a16324ee1a160144c4cf65ee41fca1f9db72.jpg"
	}
}