If we take a look back, it is clear that one of the main features of ransomware as a threat is that it is continually reinventing itself, persisting in time and effectiveness. These types of attacks have evolved greatly since they first emerged, and today there are many different and varied families in existence.

This also implies a greater effort from cyber-criminals, as it involves the application of more advanced and complex techniques. In turn, this means an increase in the sophistication, propagation, and persistence of the threat. Sodinokibi, aka REvil, is one such example, having infected devices around the globe in a startlingly short period of time.

Download here the Ransomware Report

Sodinokibi and doxing

In late 2019, the beginning of a trend was observed in ransomware attacks which has become an established practice today: the operators of diverse ransomware families, in addition to hijacking files, are threatening to divulge confidential or compromising information.

The technique was first used with the Maze ransomware, and a month later the operators behind other families of ransomware – no doubt motivated by its effectiveness – adopted this strategy in cases where victims were reluctant to pay to recover encrypted files. Such was the case with the Sodinokibi, DoppelPaymer, RobinHood, and Nemty ransomware threats.

Main features

In the case of Sodinokibi (aka REvil), one notable feature is its great ability to evade detection by antivirus systems and the numerous measures it implements to achieve this. We have also noted how this ransomware exploits a vulnerability in Oracle WebLogic servers. Although this is a standout feature in Sodinokibi, like many other ransomware families, it operates as RaaS (Ransomware as a Service), meaning that it not only generates money directly through extortion, but also through the sale of kits that allow attackers to create and distribute their own ransomware.

These features combined are what made Sodinokibi the most lucrative ransomware in the final quarter of last year, despite having first been detected earlier in the year, generating almost eight per cent more revenue than the Ryuk ransomware.

Infection vector

The most frequent way for Sodinokibi to reach devices is through a malicious email in a phishing campaign. The email contains a link prompting recipients to download a zip file containing the Sodinokibi loader. Attackers distribute malware in this way as it makes it easier to reach the victim and also because distributing the malware in a zip file helps evade antivirus protection systems.

The zip file normally contains an obfuscated JavaScript file such as the one we analyzed in the report.





The geographical scope of Sodinokibi has been diverse, and incidents have been recorded in numerous countries around the world this year. Nevertheless, attacks have largely been focused on Europe, the USA, and India.



Advanced cyber-security to combat ransomware

We’ve witnessed how ransomware attacks have switched from targeting as many users as possible to focusing attacks on specific victims in order to improve financial returns. It is important, in the face of these new cyber-crime tactics, not to succumb and pay the ransom to these criminals, as there is no guarantee in any case that it will be possible to decrypt and retrieve the information even after handing over the money. Neither is it certain that any compromising information will not be made public, or used for any other malicious purposes.

To prevent your company from having to deal with such situations, there are advanced endpoint protection systems, such as Panda Adaptive Defense 360, with advanced EDR capabilities, process monitoring in all network endpoints, and a service for classifying 100 per cent of these processes. The truth is that ransomware is a very real threat and one that is difficult to counter if you don’t have the right protection or follow the proper guidelines.

Be prepared and protect your systems with Panda Adaptive Defense 360 which, thanks to the Zero Trust model, provides a greater level of visibility and control to boost prevention, detection, and response to any threat, including ransomware such as Sodinokibi.

Find out more about the technical details of Sodinokibi in our PandaLabs report on this ransomware:

Download here the Ransomware Report