Skip to content
Ransomware group Windows

REvil

REvil, also known as Sodinokibi or Sodin, is a ransomware-as-a-service operation first observed in 2019.

Profile source: Mallory opens in a new tab

REvil

Family profile

REvil, also known as Sodinokibi or Sodin, is a ransomware-as-a-service operation first observed in 2019. It emerged as a major financially motivated ransomware family targeting private companies, government entities, schools, hospitals, and other organizations worldwide, with reporting linking it to more than 1,000 victims during its peak activity period from 2019 to 2021. REvil has been associated with high-profile supply-chain and managed service provider compromise activity, including abuse of Kaseya VSA, and early deployments also exploited Oracle WebLogic vulnerability CVE-2019-2725. The operation has been discussed in connection with Russian-speaking cybercriminal ecosystems and former members have been referenced in later ransomware activity.

Technically, REvil is a highly configurable Windows ransomware family operated through an affiliate model in which core operators maintain the malware and payment infrastructure while affiliates conduct intrusions and deploy the encryptor. It stores encrypted JSON configuration data, decrypts strings at runtime, dynamically resolves imports, and can communicate with controllers over HTTPS when configured to do so. The malware includes logic to avoid infecting systems associated with certain languages and keyboard layouts, particularly across Russia, the CIS, and nearby regions, terminating execution when exclusion conditions are met.

Before encryption, REvil can query and modify the Windows Registry to store encryption parameters, victim key material, and system information. Earlier versions also used the Registry for persistence, though that mechanism was later removed. The malware can attempt privilege escalation, including historical use of CVE-2018-8453 and repeated elevation prompts. It also prepares systems for encryption by terminating selected processes, stopping or deleting services associated with backups, databases, mail, and security tooling, and deleting shadow copies to inhibit recovery.

REvil encrypts files on local and network-accessible storage, appends a generated extension to encrypted files, drops ransom notes, and changes the desktop background. Delivery has been observed through exploitation of public-facing applications, malicious email attachments such as weaponized Word documents, and DLL sideloading using a legitimate Windows Defender component to load a malicious library. REvil payloads have also been delivered through Gootloader campaigns that relied on SEO poisoning and compromised websites. The family is widely recognized as one of the defining ransomware operations of the late 2010s and early 2020s.

Capabilities

  • Defense Evasion
  • Dll Sideloading
  • Exfiltration
  • Persistence
  • Privilege Escalation

Ransomware.live

Operational record

View group record ↗

Discovery Enum

  • AdFind
  • Bloodhound

Exfiltration

  • PrivatLab
  • RClone
  • Sendspace

LOLBAS

  • BITSAdmin

Offsec

  • Cobalt Strike

Reported operators

Threat actors

10 named in public reporting
UNKN

REvil aka Sodinokibi, Sodin is a ransomware family operated as a ransomware-as-a-service (RaaS). Deployments of REvil first were observed in April 2019, where attackers leveraged a vulnerability in Oracle WebLogic servers tracked as CVE-2019-2725.

FIN7

In 2023, FIN7 expanded its operations to include the deployment of ransomware through affiliations with RaaS groups such as REvil and Maze, while also managing its own RaaS programs, including the now-retired Darkside and BlackMatter.

Velvet Tempest

In 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families.

Indrik Spider

One group known for pivoting is Evil Corp., the gang behind Revil. Revil’s tactics align with why a threat group would target an insurance provider.

DEV-0216

In 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families.

UNC2628

UNC2628 is thought to partner with other RaaS services including REvil and Netwalker.

Lockean

Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.

OnePercent

Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.

GOLD SOUTHFIELD

GOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool "ConnectWise Control" to deploy REvil.

REvil

"REvil, also known as Sodinokibi, emerged in 2019 and is widely believed to have evolved out of the GandCrab ransomware group."

Exploited software

Vulnerabilities linked to REvil

6 CVEs

MITRE ATT&CK

REvil in ATT&CK

88 distinct techniques

Techniques

88 techniques
T1486 Data Encrypted for Impact T1657 Financial Theft T1012 Query Registry T1614.001 System Language Discovery T1112 Modify Registry T1082 System Information Discovery T1565 Data Manipulation T1489 Service Stop T1548.002 Bypass User Account Control T1027.007 Dynamic API Resolution T1059.001 PowerShell T1135 Network Share Discovery T1057 Process Discovery T1068 Exploitation for Privilege Escalation T1059.003 Windows Command Shell T1027.002 Software Packing T1070.004 File Deletion T1547.001 Registry Run Keys / Startup Folder T1071.001 Web Protocols T1497.001 System Checks T1041 Exfiltration Over C2 Channel T1490 Inhibit System Recovery T1190 Exploit Public-Facing Application T1480.002 Mutual Exclusion T1027 Obfuscated Files or Information T1083 File and Directory Discovery T1204.002 Malicious File T1140 Deobfuscate/Decode Files or Information T1567.002 Exfiltration to Cloud Storage T1055.012 Process Hollowing T1105 Ingress Tool Transfer T1078 Valid Accounts T1119 Automated Collection T1021 Remote Services T1053 Scheduled Task/Job T1218 System Binary Proxy Execution T1620 Reflective Code Loading T1573 Encrypted Channel T1059 Command and Scripting Interpreter T1036 Masquerading T1047 Windows Management Instrumentation T1033 System Owner/User Discovery T1562 Impair Defenses T1566.001 Spearphishing Attachment T1027.013 Encrypted/Encoded File T1588.001 Malware T1204 User Execution T1055 Process Injection T1195 Supply Chain Compromise T1133 External Remote Services T1102 Web Service T1048 Exfiltration Over Alternative Protocol T1203 Exploitation for Client Execution T1567 Exfiltration Over Web Service T1074 Data Staged T1090.003 Multi-hop Proxy T1491.001 Internal Defacement T1537 Transfer Data to Cloud Account T1210 Exploitation of Remote Services T1562.001 Disable or Modify Tools T1570 Lateral Tool Transfer T1219 Remote Access Tools T1587 Develop Capabilities T1027.011 Fileless Storage T1573.002 Asymmetric Cryptography T1543 Create or Modify System Process T1562.009 Safe Mode Boot T1482 Domain Trust Discovery T1485 Data Destruction T1574.001 DLL T1548 Abuse Elevation Control Mechanism T1059.005 Visual Basic T1069.002 Domain Groups T1562.007 Disable or Modify Cloud Firewall T1007 System Service Discovery T1106 Native API T1036.005 Match Legitimate Resource Name or Location T1071 Application Layer Protocol T1189 Drive-by Compromise T1134.001 Token Impersonation/Theft T1134.002 Create Process with Token T1070.001 Clear Windows Event Logs T1491 Defacement T1680 Local Storage Discovery T1218.007 Signed Binary Proxy Execution: Msiexec T1497 Virtualization/Sandbox Evasion T1003.001 OS Credential Dumping: LSASS Memory T1021.001 Remote Services: Remote Desktop Protocol

Reporting

Research mentioning REvil

Jul 17
Scworld

Lawyers say Russian tourist detained in Armenia over mistaken identity in ransomware case | brief | SC Media

The U.S. is seeking an individual with the same name who is a suspect in REvil ransomware attacks.

Jul 17
The Hacker News

Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker, Lawyers Say Wrong Man

Ermakov is accused of taking part in Sodinokibi/REvil attacks from roughly April 2019 to July 12, 2021, with more than 1,000 victims among private companies, law enforcement, government offices, schools, and hospitals.

Jul 13
Flareio

Arrest and Sentencing Disparities Across Russian-Speaking Threat Actors - Flare | Identity First Threat Intelligence | Unmatched Visibility into Cybercrime

...from Carberp to Lurk to the REvil arrests of January 2022, Moscow has arrested its cybercriminals selectively and on its own schedule...

Jun 26
Help Net Security

A privacy-first take on local malware analysis - Help Net Security

Families with thin training data, including QNAPCrypt with 10 samples, salty with 15, REvil with 21, and RemcosRAT with 22, reach lower recall.

May 28
Encyclopedia Kaspersky

What is DLL sideloading? | Kaspersky IT Encyclopedia

The REvil group used the system file MsMpEng.exe in Windows Defender to download a malicious DLL containing cryptomalware.

May 21
Bleeping Computer

Police seize “First VPN” service used in ransomware, data theft attacks

Related Articles: ... German authorities identify REvil and GandCrab ransomware bosses ...

May 19
Trellix

Analysis of Black Basta Ransomware Chat Leaks

Tinker also mentioned working as a negotiator for BlackSuit RaaS and that former REvil members handle the ‘locking’ there.

May 13
Krypt3ia Wordpress

Cyber Supply-Chain Attacks: Early Internet to Today | Krypt3ia

In July 2021, REvil exploited Kaseya VSA to push ransomware through managed service provider infrastructure.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.