Discovery Enum
- AdFind
- Bloodhound
REvil, also known as Sodinokibi or Sodin, is a ransomware-as-a-service operation first observed in 2019.
Profile source: Mallory opens in a new tabREvil
REvil, also known as Sodinokibi or Sodin, is a ransomware-as-a-service operation first observed in 2019. It emerged as a major financially motivated ransomware family targeting private companies, government entities, schools, hospitals, and other organizations worldwide, with reporting linking it to more than 1,000 victims during its peak activity period from 2019 to 2021. REvil has been associated with high-profile supply-chain and managed service provider compromise activity, including abuse of Kaseya VSA, and early deployments also exploited Oracle WebLogic vulnerability CVE-2019-2725. The operation has been discussed in connection with Russian-speaking cybercriminal ecosystems and former members have been referenced in later ransomware activity.
Technically, REvil is a highly configurable Windows ransomware family operated through an affiliate model in which core operators maintain the malware and payment infrastructure while affiliates conduct intrusions and deploy the encryptor. It stores encrypted JSON configuration data, decrypts strings at runtime, dynamically resolves imports, and can communicate with controllers over HTTPS when configured to do so. The malware includes logic to avoid infecting systems associated with certain languages and keyboard layouts, particularly across Russia, the CIS, and nearby regions, terminating execution when exclusion conditions are met.
Before encryption, REvil can query and modify the Windows Registry to store encryption parameters, victim key material, and system information. Earlier versions also used the Registry for persistence, though that mechanism was later removed. The malware can attempt privilege escalation, including historical use of CVE-2018-8453 and repeated elevation prompts. It also prepares systems for encryption by terminating selected processes, stopping or deleting services associated with backups, databases, mail, and security tooling, and deleting shadow copies to inhibit recovery.
REvil encrypts files on local and network-accessible storage, appends a generated extension to encrypted files, drops ransom notes, and changes the desktop background. Delivery has been observed through exploitation of public-facing applications, malicious email attachments such as weaponized Word documents, and DLL sideloading using a legitimate Windows Defender component to load a malicious library. REvil payloads have also been delivered through Gootloader campaigns that relied on SEO poisoning and compromised websites. The family is widely recognized as one of the defining ransomware operations of the late 2010s and early 2020s.
Ransomware.live
Reported operators
REvil aka Sodinokibi, Sodin is a ransomware family operated as a ransomware-as-a-service (RaaS). Deployments of REvil first were observed in April 2019, where attackers leveraged a vulnerability in Oracle WebLogic servers tracked as CVE-2019-2725.
In 2023, FIN7 expanded its operations to include the deployment of ransomware through affiliations with RaaS groups such as REvil and Maze, while also managing its own RaaS programs, including the now-retired Darkside and BlackMatter.
In 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families.
One group known for pivoting is Evil Corp., the gang behind Revil. Revil’s tactics align with why a threat group would target an insurance provider.
In 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families.
UNC2628 is thought to partner with other RaaS services including REvil and Netwalker.
Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.
Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.
GOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool "ConnectWise Control" to deploy REvil.
"REvil, also known as Sodinokibi, emerged in 2019 and is widely believed to have evolved out of the GandCrab ransomware group."
Exploited software
MITRE ATT&CK
Reporting
The U.S. is seeking an individual with the same name who is a suspect in REvil ransomware attacks.
Ermakov is accused of taking part in Sodinokibi/REvil attacks from roughly April 2019 to July 12, 2021, with more than 1,000 victims among private companies, law enforcement, government offices, schools, and hospitals.
...from Carberp to Lurk to the REvil arrests of January 2022, Moscow has arrested its cybercriminals selectively and on its own schedule...
Families with thin training data, including QNAPCrypt with 10 samples, salty with 15, REvil with 21, and RemcosRAT with 22, reach lower recall.
The REvil group used the system file MsMpEng.exe in Windows Defender to download a malicious DLL containing cryptomalware.
Related Articles: ... German authorities identify REvil and GandCrab ransomware bosses ...
Tinker also mentioned working as a negotiator for BlackSuit RaaS and that former REvil members handle the ‘locking’ there.
In July 2021, REvil exploited Kaseya VSA to push ransomware through managed service provider infrastructure.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.