what is sodinokibi ransomware and how to protect against it

The Sodinokibi ransomware package is a Ransomware-as-a-Service system. There have been a few ransomware viruses like this before, and Sodinokibi is currently the only RaaS system operating

Businesses are familiar with the Software-as-a-Service concept (SaaS). In this cloud service model, subscribers access the software they want without hosting it on their servers. The package usually also includes storage space for operational data.

SaaS is an ideal model for hacker teams that want to collaborate with other groups without sharing their code. Instead of sending their programs over o the other team, the creating hackers set up a portal. This hosts the virus package and runs it on demand once the user enters parameters for the attack, such as a file with a list of emails to mail out to.

The RaaS model isn’t quite the same as SaaS because it isn’t open to all. The owning hacker group looks for partners among groups who want to do the legwork and research targets. The developers then gave other teams access to their RaaS for one specific and agreed to the attack campaign. When the attack occurs, the two groups share the payment that is received.

RaaS attacks

Many ransomware attack campaigns involve sending hundreds of thousands of emails with an installer disguised in a document as an attachment. Hackers running these schemes are playing a numbers game. They figure that a certain percentage of recipients will believe the scam in the email message. A percentage of that number will open the attachment and activate the installer. Of those victims that get infected, a portion will decide to pay the ransom.

Mass mailshot ransomware attacks are usually aimed at the general public and ask for a relatively low ransom – sometimes as low as $10. Ransomware campaigns aimed at large corporations need to be a lot more sophisticated. They take a lot of time to set up and involve doxing an individual who works in the business. Hackers working on these campaigns can take months to investigate the organization and the people who work there. They map the organizational hierarchy, looking for a target that will have elevated access privileges.

Targeted ransomware campaigns take a lot of time and require specialist skills. However, they also reap very high rewards per sting that far exceed the amount of money that can be made from scamming many people for a small amount of money per hit.

The Sodinokibi ransomware is used for targeted, high-value attacks. It includes sophisticated software supplied by experienced programmers in one team with several specialized social profiling con artist groups. Each team focuses on its core skill.

Where does Sodionokibi ransomware come from?

Sodinokibi is also known as Ransom Evil and REvil. The hacker team behind it is identified with the same name. Cybersecurity analysts invent these names. The team itself does no identify itself in its attacks.

The REvil group is one of the lesser-known hacker teams. One thing that is known about it is that the group is based in Russia. Cybersecurity analysts suspect that the REvil group is a relaunch of the GandCrab hacker team. This is because REvil emerged in April 2019, just before GandCrab announced its dissolution. The GandCrab hacker team is judged to be responsible for about 40 percent of all ransomware infections in the world to date. They were the leading experts in the field, and the exceptional skills of the Sodinokibi group is another indication that they were once members of GandCrab.

The Russian military intelligence, the GRU, works with several hacker teams to produce weapons for its hybrid warfare strategy. NotPetya, developed by Sandworm, and BadRabbit, from the BlackEnergy group, are two examples of this formula, which both produced ransom attack campaigns to undermine the security of Ukraine.

Sodinokibi ransomware is not part of this hybrid warfare syndicate. It is the product of an independent hacker group that is motivated by profit. However, the software displays some typical traits of Russian malware, which is how analysts were able to settle on a likely source location for the ransomware.

The encryption program embedded in the software package won’t operate on targets if it detects that the system language is set to Russian or one of the languages of former Soviet Union states. This exception is very typical of Russian-produced malware. This is probably less out of patriotism and more due to pragmatism. The Russian authorities rarely prosecute hackers as long as they don’t launch attacks within Russia or one of its allies.

How does a Sodinokibi attack work?

The code for the Sodinokibi ransomware is very well written, and its structure makes it difficult to detect. Unlike most ransomware, the entire program is self-contained – it doesn’t call APIs on distant servers. This removes its susceptibility to many of the trait-seeking AVs. The system requires Admin privileges to run, which is why attackers need to target its delivery into a specific user account within a business.

The target user is enticed by a range of phishing emails, each containing a link purporting to be for a necessary download. Attacks are usually well researched, and each email is written individually, so the topic of its content could be on any subject. The initial download is written in JavaScript, and when the user double-clicks on it, the program executes with WScript.

As JavaScript runs from the code rather than a compiled version, Sodinokibi code is scrambled and decoded in stages as the program runs. There are also several PowerShell routines in the code, which are also scrambled. The system includes processes to duck User Access Control checks (UAC).

The ransomware exploits an Oracle WebLogic Server vulnerability to get onto a computer. Once it is operating on one device on the network, it can move laterally through the transport services of WebLogic Server to other endpoints without the need for credentials specific to those devices. The use of WebLogic Server to manage websites also makes those systems vulnerable to ransomware. The encryption process also seeks out backup servers and encrypts those as well.

Data files are encrypted with the Salsa20 cipher, and communications with the ransomware control server are protected by AES encryption. The ransomware also extracts data from files and transfers it to the Sodinokibi servers. Part of the threat issued by the hackers is that they will publish discovered data on their website, which is called Happy Blog, if the ransom is not paid.

The Sodinokibi ransom

Cybersecurity analysts report that the Sodinokibi ransomware demands a payment of 0.32806964 Bitcoin, which is about $11,800. However, individual ransom demands made with attacks on high-profile legal and entertainment businesses have been much higher. The group claimed that they expected to earn $100 million in 2020.

If the group doesn’t do a deal to get the ransom out of a target, it will attempt to sell the stolen data to others, leaving the victim with locked files that cannot be accessed. This occurred in May 2020, when the group claimed to have attacked President Donald Trump. They demanded $42 million but didn’t get it, so they sold the reaped data to someone else for an undisclosed sum.

Lady Gaga refused to pay a ransom in May 2020 for documents relating to her that were encrypted in the computers of her legal advisers. The group released those documents to the public. A threat to release documents about Madonna in the same month was called off. Possibly, the singer paid the ransom at the last minute.

In 2021, the Sodinokibi group launched a series of attacks on large organizations, including one on the computer manufacturer, Acer. The group demanded $50 million rising to $100 million after the initial deadline was missed. The group also attacked Quanta Computer, a supplier of Apple, and demanded $50 million. In May 2021, Brazilian meat processing enterprise JBS S.A. paid a ransom of $11 million.

Remember, the Sodinokibi group doesn’t attack anyone directly. Other cybercriminals do the dirty work, and Sodinokibi gets a cut for supplying the ransomware.

Defending against Sodinokibi ransomware

The Sodinokibi ransomware is still in operation. This is a RaaS system that can be used as a tool by other hackers. There are many hackers around the world that have social profiling skills but no programming capabilities. The Sodinokibi ransomware is very well written and can avoid detection by traditional antivirus systems.

Sodinokibi ransomware downloads onto Windows and needs Administrator privileges. It is only a threat to businesses running Oracle WebLogic Server. Suppose you allow Administrator access to all users on their endpoints. In that case, you make your entire system vulnerable because the Sodinokibi ransomware only needs heightened privileges on the first computer it infects. From there, it can get into other devices without having high access rights to those endpoints.

The first defense you should implement is to educate users against following links in emails or downloading attachments. You should also look at ways to restrict Administrator privileges to all users, so only IT support technicians have that access level.

If you don’t run Oracle WebLogic Server, you don’t need to worry about Sodinokibi ransomware. However, this is not the only ransomware in circulation, so you will need to install intelligent security systems to protect against them.

The best tools to defend against Sodinokibi ransomware

In almost every case, ransomware gets onto your system through user actions. Users get tricked into downloading or installing this malware category. So, the tools you need to protect against this type of malware are endpoint detection and response systems.

The data about clients and individuals is always a target for hackers. You need specialized software to protect this information from tampering or theft.

Here are two excellent security packages that you should consider.

1. ManageEngine Vulnerability Manager Plus (FREE TRIAL)

OPNsense - OpenVPNClient - Manual Outbound NAT - Click Plus

ManageEngine Vulnerability Manager Plus looks for system configuration weaknesses and outdated software. While some, but not all of the configuration problems will be dealt with automatically, the ManageEngine system does address outdated software automatically with its built-in patch manager. It is this process that protects your company against Sodinokibi ransomware.

Key Features:

  • Spots configuration weaknesses
  • Fixes some problems
  • Produces a to-do list for manual remediation
  • Identifies out of date software
  • Automatically patches outdated software

Why do we recommend it?

ManageEngine Vulnerability Manager Plus offers preventative security scanning of endpoints running Windows, macOS, and Linux. The Sodinokibi ransomware only attacks Oracle WebLogic Server, which runs on Windows, Linux, and Unix. The ManageEngine system provides patching for Oracle software, which will close down the opportunities for Sodinokibi.

ManageEngine produces a standalone patch manager, called Patch Manager Plus. However, that patching system only operates on Windows and macOS. The Sodinokibi ransomware downloads onto Windows but that doesn’t protect your Linux-based WebLogic Server because the malware can operate across the network. So, in order to ensure that your Linux software is fully up to date, you need to get Vulnerability Manager Plus rather than Patch Manager Plus. 

ManageEngine gathers all patches for operating systems and more than 500 software packages and services. These collected patches are validated and stored in a library. Each implementation of Vulnerability Manager Plus compiles a software inventory for each endpoint on the network. This list includes the version number of each package, which indicates its patch status.

The patch manager works down the software inventory and refers to the ManageEngine patch library. If the patch version is higher than the software package version, the tool downloads the patch installer and schedules it for rollout to all relevant endpoints. You need to set up the patch manager to give it a calendar of maintenance windows. The patches will be applied at the next available window.

Who is it recommended for?

Every company with a fleet of endpoints needs a patch manager and getting a vulnerability manager is increasingly becoming essential as well. This package gives you automated system hardening that will protect your company against all types of malware, not just ransomware. Luck favors the prepared. 


  • Preventative scanning for system hardening
  • Automatically updates all software and operating systems
  • Operates on endpoints running Windows macOS, and Linux
  • Provides a patch testing platform
  • Activity logging for compliance reporting


  • No cloud option

ManageEngine Vulnerability Manager Plus runs on Windows Server. There is a Free edition available that will manage 20 workstations and five servers. The two paid editions are the Professional edition for a LAN and the Enterprise edition for multiple site coverage. You can get the Professional edition on a 30-day free trial.

ManageEngine Vulnerability Manager Plus Download a 30-day FREE Trial

2. CrowdStrike Falcon Insight

CrowdStrike Falcon Insight

CrowdStrike Falcon Insight is an endpoint detection and response package that includes modules installed on each endpoint plus a cloud-based monitoring system. The two halves of the system interact with the device agents uploading activity data and the controller sending back threat intelligence and response commands.

Key Features:

  • On-device antivirus
  • Cloud-based data consolidation
  • Dual-level threat hunting
  • Infected device quarantine
  • Private threat intelligence

Why do we recommend it?

CrowdStrike Falcon Insight is an addition to an on-device antivirus system. The AV is called Prevent and it needs to be installed on each endpoint to provide constant protection from malware, such as ransomware. As well as looking for unauthorized software, the Prevent system will upload activity reports and logs to the cloud-based Insight module. This implements consolidated threat hunting for all endpoints.

The endpoint agent is a substantial security package. It can continue to protect an endpoint even if it is cut off from the network and the Internet. This endpoint protection system is also available as a standalone package, called CrowdStrike Falcon Prevent.

The coordinated monitoring system of Insight is helpful for protection against Sodinokibi and other ransomware that can spread. As soon as one device agent spots suspicious activities, the agents on all other devices are put on high alert. The system can implement threat mitigation, including automated responses that can suspend a user account and isolate a device from the network to stop the ransomware from spreading.

The cloud-based Insight controller is also fed threat intelligence from CrowdStrike, passed on in algorithm updates to the endpoint agents. The security system doesn’t rely on a list of malware files to look out for; instead, it searches all activity for suspicious behavior. It is ideal for spotting zero-day attacks.

Who is it recommended for?

While local threat hunting is constant and can operate independently, the cloud-based system offers more powerful threat detection. This dual strategy ensures continuity of protection if the device gets disconnected from the network and also spreads information of an attack on one endpoint to all computers on the network.


  • Excels in hybrid environments (Windows, Linux, Cloud, BYOD, etc.)
  • Intuitive admin console makes it easy to get started and is accessible in the cloud
  • Can track and alert anomalous behavior over time, improves the longer it monitors the network
  • Powered by a backend intelligence platform – ideal for identifying new threats


  • Would benefit from a longer trial period

You can get a 15-day free trial of Falcon Prevent.