REvil Sodinokibi Ransomware: DataBreach Analysis

Revil Sodinokibi Ransomware: Introduction

Revil Sodinokibi : Swascan’s Cyber Incident Response Team has observed and analysed the new ransomware family known as Sodinokibi Ransomware. The ransomware in question, also called REvil, is to be active at least as of April 2019.

Revil or Sodinokibi is one of the most active families of this type of malware, in particular through ransomware as a service (RaaS).

In practice, the Revil Group does not carry out attacks straight away.

It makes infrastructure, tools, ransomware and related code available to criminal third parties.

Under Ransomware Attack? Contact us!

The attacks are carried out by ‘clients’ – also called affiliates – and the criminal group REvil receives a percentage of the ransoms extorted from the victims (estimated at 20-30%).

This criminal ‘business model’ has allowed the spread and use of this ransomware to increase.

It is no coincidence that the Criminal Hacker group REvil claimed that the activity secured an illicit profit of more than $100 million this year alone and in 2019 an illicit profit of 8% more than the famous Ryuk ransomware despite Sodinokibi only appearing in the second quarter of last year.

Revil Sodinokibi Ransomware: Summary

The REvil Sodinokibi ransomware was intercepted and identified for the first time in April 2019. It has similarities, on a tactical level, with the GandCrab ransomware. The similarity is determined by the use of similar code.

The particularities of this ransomware are:

  1. Information exfiltration
  2. Information encryption
  3. Configurability; this implies the possibility of compiling, customising and optimising the payload.
  4. Publication of exfiltrated files in a dedicated blog in case of non-payment of the ransom.
Sodinokibi Ransomware

The blog where the stolen data is published

Since June, the criminal hackers of Revil have in fact created a ‘public’ auction of critical information, in terms of business and/or privacy, that has been exfiltrated. This escalation is a new lever to pressure victims into paying the ransom and at the same time a new illicit ‘profit channel’ for cybercriminals.

Sodinokibi Ransomware: Technical Details

Revil Ransomware: Decrypt files

Files encrypted by the REvil Sodinokibi ransomware are not decryptable. At the moment, there are no decryptors that can restore data in plain text. In particular, Revil uses elliptically curved Diffie-Hellman keys. A cryptographic algorithm with shorter but more effective keys.

Sodinokibi creates two different public keys, one as part of the JSON configuration and another embedded in the binary itself. These public keys will be used to encrypt the locally generated private key.

Revil Sodinokibi: Attack Vectors

The Revil Sodinokibi ransomware gains access to the target infrastructure through:

  • Exploitation of known vulnerabilities
  • Social Engineering and specifically phishing campaigns,

Specifically, some analyses show that the main vectors are compromised RDP sessions (65%), phishing (16%) and software vulnerabilities (8%).

Revil Sodinokibi: Exploiting vulnerabilities

Regarding the exploitation of vulnerabilities in 2019, the CVE-2019-2725 vulnerability related to Oracle Weblogic (CVE-2019-2725) was widely exploited.

In recent months, the main attack vectors are:

  • Exposed RDP systems
  • Fortinet VPN CVE-2018-13379

Revil: Early Warning

Cyber Security Framework systems equipped with Soc as a Service systems have the possibility of intercepting any intrusion attempts in advance. In the absence of an adequate corporate Cyber Security Framework, one of the signals of intrusion by Revil Sodinokibi is to detect the presence of terminals configured in:

  • Azerbaijani Latin
  • Georgian
  • Tartar
  • Romanian
  • Azeri
  • Kazakh
  • Kyrgyzstan
  • Turkmen
  • Uzbek Latin
  • Uzbek
  • Ukrainian
  • Russian
  • Belarusian
  • Tajik
  • Armenian
  • Syriac
  • Syrian Arab

In this case, it is strongly recommended to implement a digital investigation activity through an Incident Response Team that aims to identify the presence of pyload and malicious artefacts within the corporate network.

Sodinokibi Ransomware: the ransom request

Sodinokibi Ransomware

The request

Revil Sodinokibi:Exfiltrated Information – Data Breach

As indicated above REvil Sodinobiki performs data exfiltration.

The ransomware not only encrypts and/or deletes the backup files directly, but also exfiltrates company data directly.  The exfiltration takes place before encryption takes place. In particular, Sodinobiki also implements sophisticated code obfuscation techniques to evade detection by antivirus software.

Specifically, Revil exfiltrates the following data:

  • Files and documents
  • Systems architecture
  • User name
  • Computer name
  • Workgroup
  • Operating system
  • Processor information

Data encryption

Sodinokibi is ransomware that encrypts all files on local drives except those listed in their configuration file.

File extension: .java, .aaf, .aep, .aepx, .plb, .prel, .aet, .ppj, .gif .psd. .bmp, .3dm, .max, .accdb, .db, .mdb, .dwg, .dxf, .cpp, .cs, .h,, php, .asp, .rb, .jpg, .jpeg, .raw, .tif, .png.

Execution and Activities

Having gained access to the victim’s systems, it adds the following processes:

powershell.exe -e {base-64 encoded command}

It also terminates and blocks the following services:

  • mepocs
  • vss
  • memtas
  • sql
  • veeam
  • sophos
  • backup
  • svc$

On infected systems it also blocks and terminates:

  • winword
  • ocssd
  • sql
  • encsvc
  • oracle
  • outlook
  • thebat
  • tbirdconfig
  • powerpnt
  • onenote
  • dbeng50
  • dbsnmp
  • ocomm
  • xfssvccon
  • mspub
  • msaccess
  • infopath
  • visio
  • steam
  • isqlplussvc
  • wordpad
  • agntsvc
  • excel
  • synctime
  • mydesktopservice
  • ocautoupds
  • mydesktopqos
  • thunderbird
  • firefox
  • sqbcoreservice

Revil Sodinokibi: Geographical Distribution

Sodinokibi’s target victims are geographically distributed with a concentration in the US, India and Europe.

Sodinokibi Ransomware

It is highlighted and pointed out that Eastern European countries are not the focus of attention.

Revil Sodinokibi: IoC

Below are the IoCs of the ransowmare Sodikinobi :

Sodinobiki Ransomware


  • MD5   fb68a02333431394a9a0cdbff3717b24
  • SHA-1            1399bf98a509adb07663476dee7f9fee571e09f3
  • SHA-256       0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d


Filled IoC

The version of the Revil ransomware handled and analysed by Swascan during a DataBreach was found to be a customised variant of the ransomware in question. Specifically:


  • MD5     f3b181a01ab21edca3ec193741676dec
  • SHA-1   318021d9f68b87de16e7ddf2a19ea08031fc4af2
  • SHA-256           a77a8f20f8fc1ba5435cbf99d3e11b98cb6c3e9d93605070878a3476761127ae

Payload Analysis

Analisi Minacce

Threat Identifiers (15 rules, 26 matches)

5/5AntivirusMalicious content was detected by heuristic scan3
5/5PersistenceWrites to Master Boot Record (MBR)1
5/5ReputationKnown malicious file1
5/5YARAMalicious content matched by YARA rules1
4/5User Data ModificationModifies content of files1Ransomware
4/5User Data ModificationRenames files1Ransomware
3/5Network ConnectionConnects to a CMS hoster1
2/5System ModificationChanges the desktop wallpaper.1
2/5Anti AnalysisTries to detect virtual machine1
1/5Hide TracksWrites an unusually large amount of data to the registry1
1/5MutexCreates mutex1
1/5System ModificationModifies application directory3
1/5System ModificationCreates an unusually large number of files1
1/5Network ConnectionConnects to HTTPS server8
0/5DiscoveryEnumerates running processes1


Network Analysis

Total Sent: 6.31 KB
Total Received: 15.08 KB
ports: 443
contacted IP addresses
URLs extracted
files downloaded
malicious hosts detected


DNS requests for domains
nameserver contacted
total requests returned errors


URLs contacted, servers
sessions, sending 6.31 KB, receiving 15.08 KB

Hosts di Destinazione

Hosts Destinazione:


Virtual Machine Information

Architecturex86 64-bit
Operating SystemWindows 7
Kernel Version6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
Network Scheme NameLocal Gateway
Network Config NameLocal Gateway

Analyzer Information

Analyzer Version3.2.2
Dynamic Engine Version3.2.2 / 2020-06-03 06:06 (UTC+2)
Static Engine Version1.3.0 / 2020-06-03 08:06 (UTC+2)
Local AV VersionAVCORE v2.1 Linux/x86_64 (January 14, 2020)
Local AV Database Update Release Date2020-12-20 02:51:49+00:00
VTI Ruleset Version3.6
YARA Built-in Ruleset Version1.5
Analysis Report Layout Version7

Software Information

Adobe Acrobat Reader Version10.0.0
Microsoft Office2010
Microsoft Office Version14.0.4762.1000
Internet Explorer Version8.0.7601.17514
Chrome Version58.0.3029.110
Firefox Version25.0
Flash Version11.2.202.233
Java Version7.0.450.18

System Information

Sample DirectoryC:\Users\5p5NrGJn0jS HALPmcxz\Desktop
Computer NameXDUWTFONO
User Name5p5NrGJn0jS HALPmcxz
User ProfileC:\Users\5p5NrGJn0jS HALPmcxz
Temp DirectoryC:\Users\5P5NRG~1\AppData\Local\Temp
System RootC:\Windows

How to defend yourself

It is possible to protect and defend one’s infrastructure from ransomware attacks through the adoption of a proper Cyber Security Framework.

Preventive security

Technological risk analysis:

Human Risk Analysis

Organisational Risk Analysis

Proactive Safety

Predictive Security


Cyber Security News 26/12/2020
Cyber Security News 27/12/2020

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.