Last seven days
- First activity
- Jul 15, 2026
- Last activity
- Jul 15, 2026
- Feed role
- C2
- Host form
- 0 IP / 1 hostnames
REvil, also known as Sodinokibi and sometimes Sodin, was a Russia-based financially motivated ransomware-as-a-service operation active primarily from 2019 through 2021.
Profile source: Mallory opens in a new tabREvil
REvil, also known as Sodinokibi and sometimes Sodin, was a Russia-based financially motivated ransomware-as-a-service operation active primarily from 2019 through 2021. It is widely regarded as a successor to GandCrab and became one of the most prominent double-extortion ransomware groups of its era. REvil combined file encryption with theft of victim data and public leak-site pressure, threatening publication or auction of stolen information to coerce payment. The group targeted a broad range of sectors worldwide, including private companies, government entities, law enforcement, schools, hospitals, managed service providers, and law firms.
REvil operated through an affiliate model in which core operators maintained the ransomware platform and supporting infrastructure while affiliates conducted intrusions and deployments. Reporting has linked the group to more than 1,000 victims during its main period of activity. The operation was associated with large ransom demands and aggressive extortion tactics, including escalating demands when victims refused to pay and publicizing sensitive stolen data to increase pressure. High-profile incidents attributed to REvil include the 2021 Kaseya VSA supply-chain attack, which leveraged a zero-day vulnerability to distribute ransomware through managed service provider infrastructure at scale, and the 2020 intrusion into entertainment law firm Grubman Shire Meiselas & Sacks, where celebrity-related data was used as extortion leverage.
Tactically, REvil used enterprise intrusion tradecraft common to major ransomware crews of the period. Observed behaviors include data exfiltration prior to encryption, use of leak sites and countdown timers for coercion, and defense evasion through techniques such as DLL sideloading. One documented example involved abuse of a legitimate Windows Defender component to load a malicious DLL containing ransomware. REvil has also been associated with Linux and ESXi-focused locker development, including references to a Revix ESXi locker, reflecting the broader shift by major ransomware groups toward virtualization infrastructure.
REvil played a significant role in normalizing and popularizing double extortion alongside groups such as Maze, influencing later ransomware ecosystems. Its name continued to surface after its peak because former affiliates and members were reported in connection with later ransomware operations, and some reporting has suggested overlap or migration of personnel into other Russia-linked criminal groups. Russian authorities later announced arrests and prosecutions of individuals tied to REvil, though reporting has also noted comparatively lenient outcomes in some cases. Overall, REvil remains one of the defining ransomware brands of the early 2020s and a major reference point in the evolution of industrialized ransomware operations.
C2 tracking
Derp observations, rolling seven-day window
Samples
0de897692687bdc2beda6a802dc2ba9114aaadfb3bfd2c304c71e9b8c3add403 4310cbf48f81e26315383269e302260422b7688b537f5f52bc9d073f58556866 a80a323f00d20be93ffefd74d9e9260baa2ce52a07117032cbc45be723134a59 e310b40fd3e5e9205b6b4f18030714a5b85535170077509d3256f31e62d2679a e59f03f68225a4f5ae4df997b8728a675fb16b33c79112c90a10e20fe024fbdd MITRE ATT&CK
Reporting
The U.S. is seeking an individual with the same name who is a suspect in REvil ransomware attacks.
Ermakov is accused of taking part in Sodinokibi/REvil attacks from roughly April 2019 to July 12, 2021, with more than 1,000 victims among private companies, law enforcement, government offices, schools, and hospitals.
В мае 2020 года REvil атаковала Grubman Shire - юр. фирму, обслуживающую индустрию развлечений. Для усиления давления группировка слила данные Lady Gaga и пригрозила публикацией документов других клиентов-знаменитостей.
The REvil group used the system file MsMpEng.exe in Windows Defender to download a malicious DLL containing cryptomalware.
Для сравнения: REvil запускал countdown timer при первом посещении жертвой leak-страницы.
Tinker also mentioned working as a negotiator for BlackSuit RaaS and that former REvil members handle the 'locking' (encrypting PCs, network) there.
In July 2021, REvil exploited Kaseya VSA to push ransomware through managed service provider infrastructure.
By the mid-2010s, ransomware-as-a-service had industrialized extortion itself, with affiliate programs, negotiation support desks and revenue-sharing arrangements that mirrored legitimate SaaS businesses. Groups like REvil, DarkSide and LockBit operated with the organizational discipline of mid-size enterprises, complete with PR strategies and, yes, responsive customer service.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.