Sodinokibi Ransomware

Updated: Jun 27, 2019


Sodinokibi Ransomware: A Rapidly Emerging Threat Actively Leveraging

New Vulnerabilities and Compromised Managed Service Providers to Infect Victims

The NTIC Cyber Center assesses with high confidence that the cyber threat actor or group behind the Sodinokibi ransomware campaign will increasingly target managed service providers (MSPs) and leverage newly disclosed vulnerabilities to infect victims. Additionally, we assess that these attack vectors will likely be used by other profit-motivated cyber threat actors who seek to perform similar types of campaigns.

Sodinokibi is a new ransomware variant that encrypts data on computers running the Windows operating system, disables Windows startup repair, and deletes Volume Shadow Copies to prevent victims from trying to restore impacted files without paying the ransom. During the infection process, Sodinokibi ransomware renames the encrypted files using a random extension that is used as a unique victim identifier. It also drops a text file named [extension]-HOW-TO-DECRYPT on the infected system that includes instructions on how to download the Tor web browser, visit the payment portal, and pay the ransom.

According to Cisco Talos researchers, Sodinokibi was first observed on April 25, 2019 exploiting CVE-2019-2725, a vulnerability in Oracle WebLogic Servers, for which a patch was released the following day. On Friday, June 21, 2019, the NTIC Cyber Center began reviewing several open-source reports suggesting that multiple MSPs – companies that remotely manage other organizations’ information technology infrastructure and/or end-user systems – had been leveraged in a Sodinokibi ransomware attack. Cybersecurity news source BleepingComputer later confirmed the legitimacy of these reports through an interview with the CEO of Huntress Labs, a company that provides cybersecurity services for MSPs. According to the BleepingComputer report linked above, cyber threat actors breached several MSPs via Remote Desktop Protocol (RDP) compromise and used MSPs’ management consoles to push Sodinokibi ransomware installers to the managed endpoints. Webroot, one of the MSPs impacted by this campaign, emailed their customers about the incident, performed an automated console logoff, and implemented mandatory two-factor authentication for all accounts. Other management consoles reportedly leveraged in this attack include Kaseya and ConnectWise Control.


The NTIC Cyber Center recommends all members maintain awareness of this ransomware threat and the risk that MSPs and other third-party service providers can pose to networks, systems, and data. If you are impacted by this or any other ransomware campaign, we discourage paying the ransom as it only serves to perpetuate this type of crime and does not guarantee the recovery and restoration of impacted data. We would like to remind our members that the most effective way to limit the impact of a ransomware incident is to maintain a robust and comprehensive data backup strategy that includes scheduling backups often and keeping them stored off the network in a separate and secure location. For a full list of prevention and mitigation strategies, please download our Ransomware Mitigation Guide available on our website.

Traffic Light Protocol: WHITE information may be distributed without restriction.

The NTIC is governed by a privacy, civil rights, and civil liberties protection policy to promote conduct that complies with applicable federal, state, and local laws. The NTIC does not seek or retain any information about individuals or organizations solely on the basis of their religious, political or social views or activities; their participation in a particular noncriminal organization or lawful event; or their race, ethnicities, citizenships, places of origin, ages, disabilities, genders, or sexual orientations. No information is gathered or collected by the NTIC in violation of federal or state laws or regulations.