What is Sodinokibi Ransomware
Sodinokibi Ransomware (a.k.a. BlueBackground Ransomware or REvil Ransomware) is a disruptive cryptovirus that encrypts user data with the Salsa20 algorithm, using an ECDH-based key exchange, and then demands a ransom of around 0.475–0.950 BTC to return the files. In other words, if the amount is set at $2500 and it is not paid within 7 days, it doubles to $5000. It first appeared in April 2019. Since then, security experts distinguish the following versions:
- Sodinokibi Ransomware (initial version 1.0 from 23rd of April 2019)
- Sodinokibi Ransomware (version 1.0b from 27th of April 2019)
- Sodinokibi Ransomware (version 1.0c from 29th of April 2019)
- Sodinokibi 1.1 Ransomware (from 5th of May 2019)
- Sodinokibi 1.2 Ransomware (from 10th of June 2019)
- Sodinokibi Ransomware (unclassified version with a modified ransom note from 8th of July 2019)
From the first version up to the most recent ones, the malware used the following template for the ransom note: {random-alphanumerical-sequence}-readme.txt, where {random-alphanumerical-sequence} is a randomly generated set of letters and numbers used to identify the victim. The same set is also appended as the extension of affected files. Later, the virus switched to the pattern {random-alphanumerical-sequence}--HOW-TO-DECRYPT.txt. In the box below you can see an example of such a file.
---=== Welcome. Again. ===---
 [+] Whats Happen? [+]
 Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 518ftbt4ym.
 By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
 [+] What guarantees? [+]
 Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
 To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
 If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
 [+] How to get access on website? [+]
 You have two ways:
 1) [Recommended] Using a TOR browser!
 a) Download and install TOR browser from this site: https://torproject.org/
 b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9343467A488841AC
 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
 a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
 b) Open our secondary website: http://decryptor.top/9343467A488841AC
 Warning: secondary website can be blocked, thats why first variant much better and more available.
 When you open our website, put the following data in the input form:
 Key:
 {random-id}
 Extension name:
 {random-alphanumerical-set}
 -----------------------------------------------------------------------------------------
 !!! DANGER !!!
 DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
 !!! !!! !!!
 ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
 !!! !!! !!!

So, as we said above, each computer gets a unique individual file extension. Another indicator of infection is an unpleasant blue background that replaces the desktop wallpaper. In the earlier version there was no text on it; later an inscription appeared telling the victim to read the note file. Sodinokibi Ransomware deletes shadow copies of files and disables the Windows repair features used during the boot phase with the command:
 "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
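The command above is one of the most reliable detection points for this family. The following is an added example, not code from the page or the malware: it scans process-creation log lines (in a key=value format constructed here, with the command line as the last field) and flags the vssadmin and bcdedit commands whether they arrive chained in a single cmd.exe line, as on this page, or as separate processes.

```python
"""Detect the shadow-copy deletion / recovery-disable chain quoted above.
Added example, not code from the page or the malware: it scans process
creation log lines (constructed key=value format) for the vssadmin and
bcdedit commands, chained in one cmd.exe line or run as separate processes."""
import re

# Rule name -> pattern applied to the lowercased command line.
RULES = {
    "vssadmin_delete_shadows":
        re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows"),
    "bcdedit_recovery_disabled":
        re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no"),
    "bcdedit_ignore_boot_failures":
        re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures"),
}

# Constructed sample log, not real telemetry; cmdline is always the last field.
SAMPLE_LOG = """\
host=WS01 user=alice pid=4120 image=C:\\Windows\\System32\\cmd.exe cmdline="C:\\Windows\\System32\\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
host=WS01 user=alice pid=4133 image=C:\\Windows\\System32\\vssadmin.exe cmdline=vssadmin.exe List Shadows
host=WS02 user=SYSTEM pid=902 image=C:\\Windows\\System32\\bcdedit.exe cmdline=bcdedit /set {default} recoveryenabled No
"""

def parse_line(line):
    """Split one log line into fields; the cmdline value keeps its spaces."""
    head, _, cmdline = line.partition(" cmdline=")
    fields = dict(kv.split("=", 1) for kv in head.split())
    fields["cmdline"] = cmdline
    return fields

def match_rules(cmdline):
    """Return the names of every rule the command line triggers."""
    lowered = cmdline.lower()
    return [name for name, rx in RULES.items() if rx.search(lowered)]

def scan(log_text):
    """Return {host: set of rule names triggered on that host}."""
    findings = {}
    for raw in log_text.splitlines():
        if raw.strip():
            event = parse_line(raw)
            hits = match_rules(event["cmdline"])
            if hits:
                findings.setdefault(event["host"], set()).update(hits)
    return findings

def severity(hits):
    """All three rules on one host is the full chain from the page: high."""
    if len(hits) == len(RULES):
        return "high"
    return "medium" if hits else "none"
```

A lone `vssadmin list shadows` is benign and is deliberately not matched; the full three-rule chain on one host is what the page's command produces.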
The JSON configuration file contains a list of 1079 domains. Sodinokibi establishes a connection with each domain on this list, generating a URL with a domain generation algorithm, although these are not Sodinokibi's own servers. Follow the detailed guide on this page to remove Sodinokibi Ransomware and decrypt your files in Windows 10, 8/8.1 and Windows 7.
- Download Sodinokibi Ransomware Removal Tool
- Get decryption tool for encrypted files
- Recover encrypted files with Stellar Phoenix Data Recovery Pro
- Restore encrypted files with Windows Previous Versions
- Restore files with Shadow Explorer
- How to protect from threats like Sodinokibi Ransomware
How Sodinokibi Ransomware infected your PC
Sodinokibi Ransomware is distributed by hacking through unprotected RDP configurations, via email spam with malicious attachments, fraudulent downloads, botnets, exploits (RigEK), malicious advertisements, web injections, fake updates, and repackaged and infected installers. Moreover, it exploits vulnerabilities in Oracle WebLogic and conducts "watering hole" attacks on organizations and online publications. The virus assigns each victim a certain ID, which is used to name the affected files and supposedly to deliver the decryption key. To prevent infection with this type of threat in the future, we recommend using Norton Antivirus, SpyHunter 5, BitDefender or any reputable antivirus program.
Download Removal Tool
To remove Sodinokibi Ransomware completely, we recommend using SpyHunter 5. It detects and removes all files, folders and registry keys of Sodinokibi Ransomware. The trial version of SpyHunter 5 offers a virus scan and one-time removal for FREE.
Alternative Removal Tool
To remove Sodinokibi Ransomware completely, we recommend using Norton Antivirus from Symantec. It detects and removes all files, folders and registry keys of Sodinokibi Ransomware and prevents future infections by similar viruses.
How to remove Sodinokibi Ransomware manually
It is not recommended to remove Sodinokibi Ransomware manually; for a safer solution, use the removal tools instead.
Sodinokibi Ransomware files:
 sodinokibi.exe
 {random-alphanumerical-sequence}-readme.txt
 {random-alphanumerical-sequence}--HOW-TO-DECRYPT.txt
 {random}.lock
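The note name and the extension share the same random token, which makes a quick triage of a file share possible. This is an added example, not code from the page or the malware: it recovers the token from any ransom note in a file listing and counts the files that carry that token as their extension. The token heuristic (4 to 16 letters and digits, with at least one of each, as in the page's sample "518ftbt4ym") is an assumption, and the listing is constructed.

```python
"""Triage a file listing for the Sodinokibi naming patterns listed above.
Added example, not code from the page or the malware. The ransom note is
<token>-readme.txt or <token>--HOW-TO-DECRYPT.txt and the same token is the
extension appended to encrypted files, so the note name yields the token."""
import re

# Token heuristic (assumption): 4-16 letters/digits containing at least one of
# each, as in the page's sample "518ftbt4ym"; keeps "project-readme.txt" out.
NOTE_RE = re.compile(
    r"^(?P<tok>(?=[a-z]*\d)(?=\d*[a-z])[a-z\d]{4,16})-{1,2}"
    r"(?:readme|how-to-decrypt)\.txt$",
    re.IGNORECASE,
)

# Constructed listing (not from a real infection) to exercise the triage.
SAMPLE_LISTING = [
    "518ftbt4ym-readme.txt",
    "report.docx.518ftbt4ym",
    "budget.xlsx.518ftbt4ym",
    "photo.jpg",
    "README.txt",
    "project-readme.txt",            # ordinary file: token has no digit
    "a1b2c3d4--HOW-TO-DECRYPT.txt",  # a second victim ID on the same share
    "notes.txt.a1b2c3d4",
]

def find_notes(names):
    """Return {token: [note file names]} for every ransom note in the listing."""
    notes = {}
    for name in names:
        m = NOTE_RE.match(name)
        if m:
            notes.setdefault(m.group("tok").lower(), []).append(name)
    return notes

def count_encrypted(names, token):
    """Count files whose final extension is the recovered token."""
    suffix = "." + token.lower()
    return sum(1 for n in names if n.lower().endswith(suffix))

def triage(names):
    """Per token: how many notes were dropped and how many files carry it."""
    return {
        tok: {"notes": len(files), "encrypted": count_encrypted(names, tok)}
        for tok, files in find_notes(names).items()
    }
```

Feed it the output of a recursive directory listing (one name per entry); two different tokens in one share indicate two separately infected machines.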
 
Sodinokibi Ransomware registry keys:
 no information
 
How to decrypt and restore your files
Use automated decryptors

Use the following tool from Kaspersky called Rakhni Decryptor, which can decrypt your files. Download it here:
There is no point in paying the ransom: there is no guarantee you will receive the key, and you will put your bank credentials at risk.
If you are infected with Sodinokibi Ransomware and have removed it from your computer, you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually, you can do the following:
Use Stellar Data Recovery Professional to restore your files

- Download Stellar Data Recovery Professional.
- Click the Recover Data button.
- Select the type of files you want to restore and click the Next button.
- Choose the location you would like to restore files from and click the Scan button.
- Preview the found files, choose the ones you want to restore and click Recover.
Using Windows Previous Versions option:
- Right-click on the infected file and choose Properties.
- Select the Previous Versions tab.
- Choose the particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- If there are no items in the list, choose an alternative method.
Using Shadow Explorer:
- Download the Shadow Explorer program.
- Run it and you will see a screen listing all the drives and the dates on which shadow copies were created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- If there are no other dates in the list, choose an alternative method.
If you are using Dropbox:
- Log in to the Dropbox website and go to the folder that contains encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect computer from viruses, like Sodinokibi Ransomware, in future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
Famous antivirus vendor BitDefender released a free tool that provides active anti-ransomware protection as an additional shield to your current protection. It will not conflict with larger security applications. If you are looking for a complete internet security solution, consider upgrading to the full version of BitDefender Internet Security 2018.
2. Back up your files

Regardless of how successful your protection against ransomware threats is, you can save your files with a simple online backup. Cloud services are quite fast and cheap nowadays. Online backup makes more sense than creating physical drives, which can get infected and encrypted when connected to the PC, or damaged by being dropped or hit. Windows 10 and 8/8.1 users can find the pre-installed OneDrive backup solution from Microsoft. It is actually one of the best backup services on the market and has reasonable pricing plans. Users of earlier versions can get acquainted with it here. Make sure to back up and sync your most important files and folders in OneDrive.
3. Do not open spam e-mails and protect your mailbox

Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.