Skip to content
Malware family

REvil

REvil, also known as Sodinokibi and sometimes Sodin, was a Russia-based financially motivated ransomware-as-a-service operation active primarily from 2019 through 2021.

Profile source: Mallory opens in a new tab

REvil

Family profile

REvil, also known as Sodinokibi and sometimes Sodin, was a Russia-based financially motivated ransomware-as-a-service operation active primarily from 2019 through 2021. It is widely regarded as a successor to GandCrab and became one of the most prominent double-extortion ransomware groups of its era. REvil combined file encryption with theft of victim data and public leak-site pressure, threatening publication or auction of stolen information to coerce payment. The group targeted a broad range of sectors worldwide, including private companies, government entities, law enforcement, schools, hospitals, managed service providers, and law firms.

REvil operated through an affiliate model in which core operators maintained the ransomware platform and supporting infrastructure while affiliates conducted intrusions and deployments. Reporting has linked the group to more than 1,000 victims during its main period of activity. The operation was associated with large ransom demands and aggressive extortion tactics, including escalating demands when victims refused to pay and publicizing sensitive stolen data to increase pressure. High-profile incidents attributed to REvil include the 2021 Kaseya VSA supply-chain attack, which leveraged a zero-day vulnerability to distribute ransomware through managed service provider infrastructure at scale, and the 2020 intrusion into entertainment law firm Grubman Shire Meiselas & Sacks, where celebrity-related data was used as extortion leverage.

Tactically, REvil used enterprise intrusion tradecraft common to major ransomware crews of the period. Observed behaviors include data exfiltration prior to encryption, use of leak sites and countdown timers for coercion, and defense evasion through techniques such as DLL sideloading. One documented example involved abuse of a legitimate Windows Defender component to load a malicious DLL containing ransomware. REvil has also been associated with Linux and ESXi-focused locker development, including references to a Revix ESXi locker, reflecting the broader shift by major ransomware groups toward virtualization infrastructure.

REvil played a significant role in normalizing and popularizing double extortion alongside groups such as Maze, influencing later ransomware ecosystems. Its name continued to surface after its peak because former affiliates and members were reported in connection with later ransomware operations, and some reporting has suggested overlap or migration of personnel into other Russia-linked criminal groups. Russian authorities later announced arrests and prosecutions of individuals tied to REvil, though reporting has also noted comparatively lenient outcomes in some cases. Overall, REvil remains one of the defining ransomware brands of the early 2020s and a major reference point in the evolution of industrialized ransomware operations.

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 15, 2026
Last activity
Jul 15, 2026
Feed role
C2
Host form
0 IP / 1 hostnames

Leading locations

  • US1

Leading providers

  • Amazon.com, Inc.1

Infrastructure traits

  • Anycast 1
  • Hosting 1
  • Vpn 1

Samples

Recent associated samples

MITRE ATT&CK

REvil in ATT&CK

46 distinct techniques

Reporting

Research mentioning REvil

Jul 17
Scworld

Lawyers say Russian tourist detained in Armenia over mistaken identity in ransomware case | brief | SC Media

The U.S. is seeking an individual with the same name who is a suspect in REvil ransomware attacks.

Jul 17
The Hacker News

Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker, Lawyers Say Wrong Man

Ermakov is accused of taking part in Sodinokibi/REvil attacks from roughly April 2019 to July 12, 2021, with more than 1,000 victims among private companies, law enforcement, government offices, schools, and hospitals.

Jun 12
Codeby

Кибератаки на юридические фирмы: TTPs и detection для SOC

В мае 2020 года REvil атаковала Grubman Shire - юр. фирму, обслуживающую индустрию развлечений. Для усиления давления группировка слила данные Lady Gaga и пригрозила публикацией документов других клиентов-знаменитостей.

May 28
Encyclopedia Kaspersky

What is DLL sideloading? | Kaspersky IT Encyclopedia

The REvil group used the system file MsMpEng.exe in Windows Defender to download a malicious DLL containing cryptomalware.

May 20
Codeby

Ransomware-as-a-Service 2026: TTPs и detection

Для сравнения: REvil запускал countdown timer при первом посещении жертвой leak-страницы.

May 19
Trellix

Analysis of Black Basta Ransomware Chat Leaks

Tinker also mentioned working as a negotiator for BlackSuit RaaS and that former REvil members handle the 'locking' (encrypting PCs, network) there.

May 13
Krypt3ia Wordpress

Cyber Supply-Chain Attacks: Early Internet to Today | Krypt3ia

In July 2021, REvil exploited Kaseya VSA to push ransomware through managed service provider infrastructure.

Apr 16
Bank Info Security

Beyond Mythos: A Defining Moment for Cybersecurity

By the mid-2010s, ransomware-as-a-service had industrialized extortion itself, with affiliate programs, negotiation support desks and revenue-sharing arrangements that mirrored legitimate SaaS businesses. Groups like REvil, DarkSide and LockBit operated with the organizational discipline of mid-size enterprises, complete with PR strategies and, yes, responsive customer service.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.