{
	"id": "7784bae1-7ed6-42cf-adea-e8e6e7e77fe5",
	"created_at": "2026-04-06T00:22:38.907162Z",
	"updated_at": "2026-04-10T13:12:06.14631Z",
	"deleted_at": null,
	"sha1_hash": "76de865d43f5ec169ceb863cb5457472d630a022",
	"title": "Examining a Sodinokibi Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45163,
	"plain_text": "Examining a Sodinokibi Attack\r\nBy: Trend Micro Research Jan 26, 2021 Read time: 2 min (481 words)\r\nPublished: 2021-01-26 · Archived: 2026-04-05 20:22:33 UTC\r\nSodinokibi was first detected in April 2019 and linked to the retired GandCrab. From that point on, Sodinokibi launched several high-profile attacks that continued throughout 2020, making a name for itself as one of the ransomware families to watch out for. Here we describe Sodinokibi’s typical attack process.\r\nTechnical analysis\r\nThe threat actors behind Sodinokibi typically hire a variety of affiliates for initial access. Their attacks often begin with familiar techniques such as malspam emails with spear-phishing links or attachments, RDP access using valid accounts, compromised websites, and exploits. They also use techniques that indicate a targeted approach.\r\nInitial access\r\nWe observed the use of several of these initial access techniques. For example, as in other campaigns, we saw exploitation of the CVE-2019-2725 vulnerability and observed an instance where Sodinokibi was reflectively loaded into the memory of PowerShell instead of being executed as a binary. We also saw malspam that led to the use of a macro to download and execute the malware.\r\nCVE-2018-13379 and CVE-2019-11510 are also used by the malware, as well as compromised valid accounts. This allows the threat actors to drop and execute other components such as the anti-antivirus tool, exfiltration tools, and finally Sodinokibi itself.\r\nLateral movement and evasion tactics\r\nSodinokibi, like many ransomware families known today, takes a targeted approach to its campaigns. In line with this, we observed the use of RDP and PsExec for lateral movement — a sign of targeted attacks — to drop and execute other components and the ransomware itself.\r\nWe also observed that PC Hunter and Process Hacker are used to terminate services or processes, especially those related to antivirus software.\r\nOnce the system is infected, Sodinokibi sends a report and system information to its command-and-control (C\u0026C) server. It generates a pseudorandom URL according to a fixed format and appends it to domains from a list in its configuration.\r\nSecurity recommendations\r\nSodinokibi has been known to target high-profile entities and uses notable evasive tactics. Organizations should therefore be wary of its techniques. For now, here are some best practices to prevent similar ransomware attacks:\r\nAvoid opening unverified emails or clicking on their embedded links, as these can start the ransomware installation process.\r\nBack up your important files using the 3-2-1 rule: create three backup copies on two different file formats, with one of the backups in a separate location.\r\nRegularly update software, programs, and applications to ensure that your apps are current, with the latest protections from new vulnerabilities.\r\nIf you believe that your organization has been affected by this campaign, visit this page for the available Trend Micro solutions that can help detect and mitigate any risks from this campaign.\r\nIndicators of Compromise (IOCs)\r\nSHA256 Detection name\r\n04ae146176632509ab5239d0ec8f2447d7223090 Ransom.Win32.SODINOKIBI.MRA\r\n10682d08a18715a79ee23b58fdb6ee44c4e28c61 Ransom.Win32.SODINOKIB.SMTH\r\n169abe89f4eab84275c88890460a655d647e5966 Ransom.Win32.SODINOKIB.SMTH\r\n20d90f04dcc07e1faa09aa1550f343c9472f7ec6 Ransom.Win32.SODINOKIB.SMTH\r\n2a75db73888c77e48b77b72d3efb33ab53ccb754 Ransom.Win32.SODINOKIBI.AUWUJDES\r\n58d835c3d204d012ee5a4e3c05a06e60b4316d0e Ransom.Win32.SODINOKIB.SMTH\r\nCe0c8814d7630f8636ffd73f8408a36dc0e1ca4d Ransom.Win32.SODINOKIB.SMTH\r\nSource: https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html"
	],
	"report_names": [
		"sodinokibi-ransomware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434958,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76de865d43f5ec169ceb863cb5457472d630a022.pdf",
		"text": "https://archive.orkl.eu/76de865d43f5ec169ceb863cb5457472d630a022.txt",
		"img": "https://archive.orkl.eu/76de865d43f5ec169ceb863cb5457472d630a022.jpg"
	}
}