Ransom.Sodinokibi is Malwarebytes’ detection name for a family of ransomware that targets Windows systems. Ransom.Sodinokibi encrypts important files and asks for a ransom to decrypt them.
The first thing users of affected systems notice is usually the ransom note, once the encryption has already finished. The ransom instructions are visible on the desktop as well.
Ransom.Sodinokibi is ransomware that encrypts all the files on local drives except for those that are listed in their configuration file.
We see Ransom.Sodinokibi being dropped by variants of Trojan.MalPack.GS that previously dropped Ransom.GandCrab.
Targeted files have the extensions .jpg, .jpeg, .raw, .tif, .png, .bmp, .3dm, .max, .accdb, .db, .mdb, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .aaf, .aep, .aepx, .plb, .prel, .aet, .ppj, .gif, and .psd.
Without backups, a roll-back system, or other ways to recover the encrypted files, the affected systems are usable, but all the important information stored on them will be inaccessible.
Malwarebytes protects users from Ransom.Sodinokibi by using real-time protection and Anti-Ransomware signature-less technology which monitors file system activity of processes against a certain subset of data files in specific locations on the endpoint.
To remove Ransom.Sodinokibi using Malwarebytes business products, follow the instructions below.
If you have infected machines that are not registered endpoints in Malwarebytes Endpoint Protection, you can remove Ransom.Sodinokibi with our Breach Remediation tool (MBBR).
Malwarebytes can detect and remove Ransom.Sodinokibi without further user interaction.
Take note, however, that removing this ransomware does not decrypt your files. You can only get your files back from backups you made before the infection happened.
File hashes (SHA-256):
*****-readme.txt (where ****** are 5-8 randomized characters)
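A triage check for the ransom-note filename pattern given above, as an added example that is not Malwarebytes' code: it walks a directory tree for `<5-8 characters>-readme.txt` files and reports prefixes that recur across folders. The alphanumeric character set, the three-folder threshold and all function names are assumptions, not details from this page.

```python
import os
import re
import tempfile
from collections import defaultdict

# Assumption: the "randomized characters" are ASCII letters and digits.
NOTE_RE = re.compile(r"([A-Za-z0-9]{5,8})-readme\.txt", re.IGNORECASE)


def find_ransom_notes(root):
    """Walk root and map each note prefix to the directories that hold a match."""
    hits = defaultdict(set)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = NOTE_RE.fullmatch(name)
            if m:
                # Windows filenames are case-insensitive, so normalise the prefix.
                hits[m.group(1).lower()].add(dirpath)
    return hits


def triage(hits, min_dirs=3):
    """Keep prefixes seen in at least min_dirs directories.

    A single 'notes-readme.txt' also fits the pattern and is ordinary; the same
    random-looking prefix repeated across folders deserves a closer look.
    The threshold is a tunable assumption.
    """
    return {p: sorted(d) for p, d in hits.items() if len(d) >= min_dirs}


def demo():
    """Constructed sample tree: one prefix in three folders plus benign look-alikes."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("Desktop", "Documents", "Pictures"):
            os.makedirs(os.path.join(root, sub))
            open(os.path.join(root, sub, "a1b2c3-readme.txt"), "w").close()
        # Benign files: one fits the pattern once, one does not fit at all.
        open(os.path.join(root, "Documents", "notes-readme.txt"), "w").close()
        open(os.path.join(root, "Documents", "readme.txt"), "w").close()
        flagged = triage(find_ransom_notes(root))
        return {p: [os.path.basename(d) for d in dirs] for p, dirs in flagged.items()}


if __name__ == "__main__":
    print(demo())
```

A hit from this check is a lead for investigation on a host, not a verdict; the filename pattern alone also matches legitimate files.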