Win32/Filecoder.Sodinokibi [Threat Name] go to Threat

Win32/Filecoder.Sodinokibi.N [Threat Variant Name]

Category trojan
Size 912264 B
Aliases Ransom:Win32/Sodinokibi (Microsoft)
  Troj/Ransom-GIQ (Sophos)
  Trojan.Encoder.34110 (Dr.Web)
Short description

Win32/Filecoder.Sodinokibi.N is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

When executed, the trojan creates the following files:

  • C:\­Windows\­mpsvc.dll (808328 B, Win32/Filecoder.Sodinokibi.N trojan)
  • C:\­Windows\­MsMpEng.exe (22224 B)

The trojan launches the following processes:

  • C:\­Windows\­MsMpEng.exe (22224 B)
Payload information

Win32/Filecoder.Sodinokibi.N is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files with the following file extensions:

  • *.*

It avoids files from the following directories:

  • $recycle.bin
  • $windows.~bt
  • $windows.~ws
  • appdata
  • application data
  • boot
  • google
  • intel
  • mozilla
  • msocache
  • perflogs
  • program files
  • program files (x86)
  • programdata
  • system volume information
  • tor browser
  • windows
  • windows.old

It avoids files with the following filenames:

  • autorun.inf
  • boot.ini
  • bootfont.bin
  • bootsect.bak
  • desktop.ini
  • iconcache.db
  • ntldr
  • ntuser.dat
  • ntuser.dat.log
  • ntuser.ini
  • thumbs.db

It avoids files with the following extensions:

  • .386
  • .adv
  • .ani
  • .bat
  • .bin
  • .cab
  • .cmd
  • .com
  • .cpl
  • .cur
  • .deskthemepack
  • .diagcab
  • .diagcfg
  • .diagpkg
  • .dll
  • .drv
  • .exe
  • .hlp
  • .hta
  • .icl
  • .icns
  • .ico
  • .ics
  • .idx
  • .key
  • .ldf
  • .lnk
  • .lock
  • .mod
  • .mpa
  • .msc
  • .msi
  • .msp
  • .msstyles
  • .msu
  • .nls
  • .nomedia
  • .ocx
  • .prf
  • .ps1
  • .rom
  • .rtp
  • .scr
  • .shs
  • .spl
  • .sys
  • .theme
  • .themepack
  • .wpx

The trojan encrypts the file content.


The curve25519, Salsa20 encryption algorithm is used.


An additional .%variable% extension is appended.


The following file is dropped in the same folder:

  • %variable%-readme.txt

It contains the following text:

---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension %redacted%. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: %redacted% b) Open our website: %redacted% 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: %redacted% Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: %redacted% ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

A string with variable content is used instead of %variable% .


To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Other information

The trojan may delete files stored in the following folders:

  • $Recycle.Bin

The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­BlackLivesMatter]
    • "96la6"="%data%"
    • "Ed7"="%data%"
    • "JmfOBvhb"="%data%"
    • "QleQ"="%data%"
    • "Ucr1RB"="%data%"
    • "wJWsTYE"="%data%"
  • [HKEY_CURRENT_USER\­SOFTWARE\­BlackLivesMatter]
    • "96la6"="%data%"
    • "Ed7"="%data%"
    • "JmfOBvhb"="%data%"
    • "QleQ"="%data%"
    • "Ucr1RB"="%data%"
    • "wJWsTYE"="%data%"

The trojan may terminate specific running processes.


The following services are disabled:

  • backup
  • memtas
  • mepocs
  • sophos
  • sql
  • svc$
  • veeam
  • vss

The trojan may execute the following commands:

  • netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

The trojan removes all of the volume shadow copies in order to prevent restoring the original files.


This file/image is set as a wallpaper.

The trojan may display the following message:

When files encryption is finished, the trojan removes itself from the computer.

Please enable Javascript to ensure correct displaying of this content and refresh this page.