Remove "Happy Holidays" Sodinokibi virus (Sodinokibi Ransomware)

Remove “Happy Holidays” Sodinokibi virus (Sodinokibi Ransomware)

What is "Happy Holidays" Sodinokibi virus ransomware? How does "Happy Holidays" Sodinokibi virus work? How to open "Happy Holidays" Sodinokibi virus files? How to remove "Happy Holidays" Sodinokibi virus and try to restore files, encrypted by it?

The "Happy Holidays" Sodinokibi virus virus is actually a ransomware infection, whose main idea is to make sure that you won’t be able to use your files anymore, until you pay ransom to the cyber-criminals who are behind it. The main idea of this is that your files get blocks of their data replaced with data from the AES encryption algorithm used by the "Happy Holidays" Sodinokibi virus. The virus then adds its own file extension and drops a ransom note file. This file’s main purpose is to get victims to pay ransom to get your files to be decrypted using the unique decryption key that is generated and held by the crooks. Read this article to learn how to remove "Happy Holidays" Sodinokibi virus from your computer and learn how to recover data encoded by it.

Threat Summary

Name"Happy Holidays" Sodinokibi virus
TypeRansomware, Cryptovirus
Short DescriptionAims to encrypt files and then ad its custom file extension to them.
SymptomsFiles are encrypted and cannot be opened. The "Happy Holidays" Sodinokibi virus also drops a ransom note file, containing the extortionist message.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by "Happy Holidays" Sodinokibi virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss "Happy Holidays" Sodinokibi virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

In January 2020 the Sodinokibi virus has been found to have infected the Gedia Automotive Group. This is a German car parts manufacturer which ships its production from different locations including Spain, Poland, China, Hungary and the United States. The company has stated that when they have received notice of the attack the company immediately has shut down the affected computers and networks. There is no detailed information available about what part of their infrastructure has been affected by the ransomware. The statement however said that all company locations have been compromised. According to the information the company has executed an emergency plan in order to protect its business from serious disruption.

As the company has refused to pay the ransom fee shown in the accompanying note there are reports that about 50 GB of their sensitive information is being sold on underground hacker markets. Such attacks have been made against car parts manufacturers and large corporations over the years such as Honda, Renault-Nissan, Maersk and etc.

"Happy Holidays" Sodinokibi virus – How Did I Get It and What Does It Do?

A new dangerous “Happy Holidays” Sodinokibi virus release has been released by an unknown hacking group in the last week. It builds upon the well-established foundation of this malware family. It is expected that such virus attacks are planned by hacker groups that build upon the ongoing widespread campaigns targeting victims with holiday-themed phishing campaigns. Given the circumastances that this ransoomware originates from Sodinokibi and is confirmed to be sent using social engineering campaigns.

A large part of these attacks are carried out by sending out email messages and orchestrating hacker-made sites. They are designed to include fake contents and design with the aim of manipulating the recipients into thinking that they have received a legitimate notification. Apart from this some of the “Happy Holidays” Sodinokibi virus samples have been shown to be carried out by Trojan delivery, particularly by Azorult.

Related: Remove Azorult Trojan From Your PC

The “Happy Holidays” Sodinokibi virus hs been captured during the ongoing attack campaign. The intrusions appear to be targeting victims at a worldwide scale. When the virus has been deployed onto a given host the main engine will start a multitude of tasks that are part of the ransomware. One of the first action which are done is to execute a data harvesting module. It can acquire information related to the identity of the victim users and details about the computers and the installed hardware. The data can be used for a multitude of crimes — identity theft, blackmail and etc.

The “Happy Holidays” Sodinokibi virus includes an extensive security bypass engine function which will stop the installed security engines and software that can effectively block the proper execution of the virus. This includes the likes of anti-virus engines, firewalls, intrusion detection systems and etc. The main Sodinokibi virus engine will “sleep” itself numerous times, this evades typical signature checks.

Related: Remove Sodinokibi Ransomware (Update October 2019)

One of the most dangerous aspects of virus strains like this one is the system configuration changes module. It can be used to delete user data, system files and etc. One of the dangerous aspects of this component is the fact that the engine can access the removable devices and network shares. This is used to spread the infection further and also retrieve any data that can be accessed. The “Happy Holidays” Sodinokibi virus can control, create and terminate running processes and also hookup to them. This Trojan-like behavior is particularly dangerous as it allows the hackers to monitor the user input.

The detailed security analysis signals that Windows Registry changes are also made. They include the creation of new values that are related to the virus and its proper execution. The other common action done by this module is the modification of already existing values. The consequences of this actions include data loss, performance problems and unexpected errors.

The behavior pattern can change at any time depending on the local conditions or the hacker instructions. The typical ransomware behavior is to use a built-in list of target file type extensions which are to be processed by a strong cipher. The files will be locked and the users will be unable to access their own data. The victims will be blackmailed into paying the hackers a fee in crytocurrency.

The “Happy Holidays” Sodinokibi virus will assign a custom ID for each individual host. It will be used to label the ransom note (in a TXT file) and in its contents.

Remove “Happy Holidays” Sodinokibi Virus and Try Restoring Files

To remove "Happy Holidays" Sodinokibi virus from your computer, we strongly recommend that you read the instructions underneath. They have been created with the primary purpose to help you remove the "Happy Holidays" Sodinokibi virus files and try to restore all encrypted data. For a faster and effective removal, we strongly recommend that you download and run a scan of your computer using a professional malware removal software. Such program has been made with the main idea to help you erase all traces of the "Happy Holidays" Sodinokibi virus from your machine by scanning for its files and objects. It can also protect you from future threats and intrusive software of this type.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share