REvil
from Wikipedia

REvil (Ransomware Evil; also known as Sodinokibi) was a Russia-based[1] or Russian-speaking[2] private ransomware-as-a-service (RaaS) operation.[3] After an attack, REvil would threaten to publish the stolen information on its leak site, Happy Blog, unless the ransom was paid. In a high-profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of its upcoming products. In January 2022, the Russian Federal Security Service said it had dismantled REvil and charged several of its members.


History

REvil recruited affiliates to distribute the ransomware on its behalf. Under this arrangement, the affiliates and the ransomware developers split the revenue generated from ransom payments.[4] The group's exact location is difficult to pinpoint, but it is thought to have been based in Russia because it did not target Russian organizations or those in former Soviet-bloc countries.[5]

Ransomware code used by REvil resembles the code used by DarkSide, a different hacking group; REvil's code is not publicly available, suggesting that DarkSide is an offshoot of REvil[6] or a partner of REvil.[7] REvil and DarkSide use similarly structured ransom notes and the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country.[8]

Cybersecurity experts believe REvil was an offshoot of a previous notorious, but now-defunct hacker gang, GandCrab.[9] This is suspected because REvil first became active directly after GandCrab shut down, and because the two ransomware families share a significant amount of code.

2020

May

As part of its operations, the criminal cybergang is known for stealing nearly one terabyte of information from the law firm Grubman Shire Meiselas &amp; Sacks and demanding a ransom not to publish it.[10][11][12] The group attempted to extort other companies and public figures as well.

In May 2020 they demanded $42 million from US president Donald Trump.[13][14] The group claimed to have obtained the data by deciphering the elliptic-curve cryptography that the firm used to protect it.[15] According to an interview with an alleged member, they found a buyer for Trump's information, but this cannot be confirmed.[16] In the same interview, the member claimed that the group would bring in $100 million in ransoms in 2020.

On 16 May 2020, the group released legal documents totaling a size of 2.4 GB related to the singer Lady Gaga.[17] The following day, they released 169 "harmless" e-mails which referred to Donald Trump or contained the word 'trump'.[11]

They were planning on selling Madonna's information,[18] but eventually reneged.[19]

2021

March

On 27 March 2021, REvil attacked Harris Federation and published multiple financial documents of the federation to its blog. As a result, the IT systems of the federation were shut down for some weeks, affecting up to 37,000 students.[20]

On 18 March 2021, an REvil affiliate claimed on the group's data leak site that it had downloaded data from the multinational hardware and electronics corporation Acer and installed ransomware. Cybersecurity firm Advanced Intel linked the intrusion to the 2021 Microsoft Exchange Server data breach, having found the first signs of Acer servers being targeted from 5 March 2021. A US$50 million ransom was demanded to decrypt the undisclosed number of systems and to delete the downloaded files, increasing to US$100 million if not paid by 28 March 2021.[21]

April

In April 2021, REvil stole plans for upcoming Apple products from Quanta Computer, including purported plans for Apple laptops and an Apple Watch. REvil threatened to release the plans publicly unless it received $50 million.[22][23]

May

On 30 May 2021, JBS S.A. was attacked by ransomware which forced the temporary shutdown of all the company’s U.S. beef plants and disrupted operations at poultry and pork plants. A few days later, the White House announced that REvil may be responsible for the JBS S.A. cyberattack. The FBI confirmed the connection in a follow-up statement on Twitter.[24] JBS paid an $11 million ransom in Bitcoin to REvil.

June

On 11 June 2021, Invenergy reported that they were attacked by ransomware. Later, REvil claimed to be responsible.[25]

July

On 2 July 2021, hundreds of managed service providers had REvil ransomware dropped on their systems through Kaseya desktop management software.[26] REvil demanded $70 million to restore the encrypted data.[27] As a consequence, the Swedish Coop grocery store chain was forced to close 800 stores for several days.[28][29]

On 7 July 2021, REvil hacked the computers of Florida-based space and weapon-launch technology contractor HX5, which counts the Army, Navy, Air Force, and NASA among its clients, publicly releasing stolen documents on its Happy Blog. The New York Times judged the documents to not be of "vital consequence".[30]

After a July 9 phone call between United States president Joe Biden and Russian president Vladimir Putin, Biden told the press, "I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is." Biden later added that the United States would take the group's servers down if Putin did not.[31][32]

On 13 July 2021, REvil websites and other infrastructure vanished from the internet.[33] Politico cited an unnamed senior administration official as stating that "we don't know exactly why they've [REvil] stood down;" the official also did not discount the possibility that Russia shut down the group or forced it to shut down.[34]

On 23 July 2021, Kaseya announced it had received the decryption key for the files encrypted in the 2 July Kaseya VSA ransomware attack from an unnamed "trusted third party", later revealed to be the FBI, which had withheld the key for three weeks, and that it was helping victims restore their files.[35] The key was withheld to avoid tipping off REvil to an FBI effort to take down its servers, an effort that ultimately proved unnecessary after the hackers went offline without intervention.[36]

September

In September 2021, Romanian cybersecurity firm Bitdefender published a free universal decryptor utility to help victims of the REvil/Sodinokibi ransomware recover their encrypted files, if they were encrypted before July 13, 2021.[37] From September until early November, the decryptor was used by more than 1,400 companies to avoid paying over $550 million in ransom and allow them to recover their files.[38]

On 22 September 2021, malware researchers identified a backdoor built into REvil malware that allowed the original gang members to conduct double-chats and cheat their affiliates out of any ransomware payments.[39] Ransomware affiliates who were cheated reportedly posted their claims on a "Hacker's Court", undermining trust in REvil by affiliates. Newer versions of REvil malware reportedly had the backdoor removed.[40]

October

On 21 October 2021, REvil servers were hacked in a multi-country operation and forced offline. VMware's head of cybersecurity strategy said, "The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups." A REvil gang member attempted to restore the servers from backups that had also been compromised.[41]

Investigations and criminal charges

As part of Operation GoldDust, which involved 17 countries, Europol, Eurojust and INTERPOL, law enforcement authorities arrested five individuals tied to Sodinokibi/REvil and two suspects connected to GandCrab ransomware. They are allegedly responsible for 5,000 infections and collected half a million euros in ransomware payments.[42]

On 8 November 2021, the United States Department of Justice unsealed indictments against Ukrainian national Yaroslav Vasinskyi and Russian national Yevgeniy Polyanin. Vasinskyi was charged with conducting ransomware attacks against multiple victims including Kaseya, and Polyanin was charged with conducting ransomware attacks against multiple victims including Texas businesses and government entities. The Department worked with the National Police of Ukraine for the charges, and also announced the seizure of $6.1 million tied to ransomware payments.[43] Vasinskyi, also known as Rabotnik, was arrested while crossing the border from Ukraine to Poland on 8 October 2021 and was extradited to the United States in 2022. He pleaded guilty to cybercrime and money laundering charges, and on 1 May 2024 was sentenced to 13 years and seven months in prison and ordered to pay $16 million in restitution.[44][45] As of 2025, Polyanin remains at large, and is thought by the FBI to reside in Russia, possibly in Barnaul.[46][47]

In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members after being provided information by the US.[48]

The Fluffy

There is a hacker group called Fluffy, headquartered in Corrèze, known to have an affiliation with REvil, that primarily uses typosquatting, cybersquatting and keyword stuffing. This group has distributed Magniber ransomware, Sodinokibi, GandCrab and BlueCrab (the next version of GandCrab, and the same variant that was used in the Kaseya VSA ransomware attack[49]). In France it is known as Fluffy,[50] in Germany as Talentfrei,[51] in Australia and other English-speaking countries as "Emma Hill",[52] and in South Korea as Nebomi (meaning "Four Seasons Blossom" in Korean). Fluffy is known to have claimed a number of victims, especially in South Korea.[53][54]

The campaign in which Fluffy first targeted South Korea is known as Magniber,[55] and it utilized an exploit kit before the emergence of various modified payloads. The techniques employed by these modified payloads vary, but they share a commonality in utilizing standardized technologies supported by web browsers or operating systems, such as URI schemes and Base64, unlike exploit kits that leverage zero-day vulnerabilities. Users receive security warnings from their operating systems before executing the files; however, the information provided by the attackers is often sufficient for users to decide to disregard the security alerts.

Following the introduction of these altered payloads in South Korea, Fluffy immediately referred to themselves as Nebomi and continued with ransomware attacks. The Seoul Central District Prosecutors' Office announced in November 2023 that accomplices assisting them in South Korea were prosecuted. According to the announcement, during the process of investigating the suspects, records of funds being transferred to Lazarus Group were also discovered.[56] It is unclear whether it is related to the ongoing ransomware investigation, but according to a media report in December 2023, The Supreme Court of Korea claimed that it experienced a cyberattack by the Lazarus Group, resulting in the leakage of sensitive data.[57]

Fluffy is presumed to assist in the distribution of various types of ransomware, ranging from Magniber and REvil to LockBit, leveraging successful cases of watering hole attacks they have executed. For example, it is believed that they may be implicated in incidents such as the successful cyber attack on Toshiba's French branch in May 2021, the claimed cyber attack on the Doosan Group in August 2022, and the claimed cyber attack on the National Tax Service (South Korea) in March 2023.[58]

At times, they employed relatively simple methods, such as emails, for the distribution of REvil ransomware (also known as GandCrab). The content of these emails typically involved impersonating law enforcement agencies. The senders of these emails were two individuals under the age of 19, who claimed to have committed such crimes in response to a proposition that said, "If you join in sending ransomware, we'll share the profits." In the trial held at the Seoul Central District Court in August 2021, they were sentenced to 2 years and 1 year 6 months of imprisonment. One of them had already received a 10-year prison sentence for participating in another campaign.

from Grokipedia

REvil, also known as Sodinokibi, was a ransomware-as-a-service (RaaS) operation run by Russian-speaking cybercriminals that emerged in 2019, likely developed by former operators of the GandCrab ransomware. The group utilized an affiliate model, distributing its malware through partners who conducted initial intrusions via methods such as phishing attachments, drive-by compromises, and exploitation of vulnerabilities like CVE-2018-8453 for privilege escalation.
REvil employed double-extortion tactics, encrypting victims' files with and while exfiltrating data for potential leakage on dedicated sites like the "" if ransoms—demanded in —were not paid. Its featured advanced capabilities, including multithreading for rapid , service termination to hinder recovery, and command-and-control communication over with asymmetric . The syndicate targeted a wide range of sectors, with notable attacks on such as meat processing company, the affecting thousands of downstream organizations, and care providers like Grupo Fleury and Valley , contributing to 82 reported incidents in the health sector by mid-2021. Overall, REvil ransomware compromised approximately 175,000 computers globally and extorted at least $200 million in payments, with individual affiliates responsible for subsets like $13 million from around 3,000 U.S.-targeted attacks on entities including and municipalities. The operation's infrastructure was disrupted in through coordinated international efforts, including a U.S. cyber operation that seized servers, followed by arrests such as that of key developer Yaroslav Vasinskyi in and indictments of affiliates like Yevgeniy Polyanin, alongside Russian Federal Security Service actions in early 2022 that dismantled remaining elements and recovered over $6 million in assets.

History

Formation and Early Malware (2019)

REvil, a ransomware-as-a-service (RaaS) operation also known by its malware strain Sodinokibi, formed in 2019 following the announced retirement of the GandCrab ransomware family. Security researchers first detected Sodinokibi in April 2019, with Cisco Talos identifying it as a novel encryptor exploiting Windows kernel vulnerabilities and remote code execution flaws. Analysis by Secureworks revealed strong technical ties to GandCrab, including overlapping code strings, encryption routines, and affiliate payment structures, indicating that GandCrab's developers, rather than disbanding, rebranded and pivoted to a more controlled RaaS model under REvil to evade law enforcement scrutiny.

The initial Sodinokibi variants emphasized rapid deployment and evasion, often leveraging zero-day exploits like CVE-2019-2725 in Oracle WebLogic Server for unauthenticated remote code execution to breach enterprise networks. Upon , the employed AES-256 for symmetric file encryption combined with RSA-2048 for key protection, targeting over 60 file extensions across drives while appending ".sodin" or ".zip" to encrypted files. It also disabled recovery options by deleting shadow copies and Volume Shadow Service components, then displayed a ransom note via a Tor-hosted page demanding payments, with initial demands ranging from thousands to millions depending on victim profile. Early builds included self-propagation via SMB and RDP, facilitating lateral movement in unpatched environments.

In its formative phase, REvil focused on building operational infrastructure, including leak sites for non-paying victims (though double-extortion tactics fully matured later) and recruiting affiliates through underground forums. Attacks in 2019 primarily struck small-to-medium enterprises and lacked the supply-chain focus of later campaigns, with infections often stemming from , exploit kits, or compromised RDP credentials rather than advanced persistent threats. The group's Russian-speaking origins were evident in operational language and geographic targeting exclusions, aligning with self-imposed rules avoiding Russian-language victims to minimize domestic backlash. By late 2019, REvil had encrypted thousands of systems, generating revenues estimated in the tens of millions, setting the stage for expanded RaaS scalability.

Expansion and RaaS Model Adoption (2020)

In 2020, REvil, operating under its Ransomware-as-a-Service (RaaS) framework, expanded operations by intensifying affiliate recruitment and targeting high-value victims across sectors including retail, legal, and telecommunications. Affiliates, responsible for initial access and deployment, received up to 70% of ransom proceeds, with developers retaining the remainder for maintenance and infrastructure. This model enabled scalable growth, as evidenced by REvil's 16% share of infections in the third quarter, making it a leading strain according to market analysis. Affiliates commonly exploited compromised (RDP) credentials (65% of cases), (16%), and software vulnerabilities (8%).

A pivotal drive occurred on , , when REvil deposited approximately 99 bitcoins (valued at around $1 million) into a public fund to lure experienced hackers, emphasizing sophisticated operations over mass infections. This initiative followed the group's evolution from its 2019 origins as Sodinokibi , transitioning to a mature RaaS by early with formalized profit-sharing and affiliate portals for and leaks. Estimated earnings exceeded $81 million that year, with REvil claiming over $100 million in total ransoms collected. The group affected at least 140 organizations globally since inception, with over 60% in the United States, per incident tracking.

Expansion manifested in high-profile incidents leveraging double-extortion tactics: encrypting data while threatening leaks from exfiltrated files. In February 2020, REvil compromised apparel firm . May attacks included currency exchanger , which paid an undisclosed ransom after operational shutdowns, and law firm , where operators demanded $21 million (escalating to $42 million) and leaked 756 GB of data, including documents belonging to celebrities like . Later in May-June, attempts targeted Telecom (ultimately unsuccessful) and , encrypting 18,000 systems and demanding $7.5 million. These operations underscored REvil's shift toward targeted, lucrative strikes, boosting its notoriety and affiliate appeal.

Peak Activity and High-Profile Attacks (2021)

In 2021, REvil escalated its operations to unprecedented levels, comprising 37% of all ransomware engagements tracked by IBM X-Force that year, reflecting a surge in both volume and sophistication. The group shifted toward targeting high-value entities in critical sectors, leveraging zero-day exploits, supply chain vectors, and double-extortion tactics to maximize disruption and payouts. Early in the year, on March 19, REvil breached Taiwanese PC manufacturer Acer, exfiltrating over 75 gigabytes of sensitive financial and technical data via vulnerabilities in Microsoft Exchange servers, and demanded a then-record $50 million ransom while threatening data publication. In April, the group extended its reach to Quanta Computer, a key supplier for Apple, stealing proprietary designs and source code worth an estimated hundreds of millions, again employing extortion to pressure payment.

REvil's assault on global food supply chains peaked with the May 30, 2021, attack on JBS Foods, the world's largest meat processor, which halted operations at 13 U.S. facilities and plants in Australia and Canada, prompting the company to pay $11 million in Bitcoin to regain access to encrypted systems and prevent data leaks. The FBI publicly attributed the incident to REvil on June 3, confirming the group's use of its Sodinokibi variant for encryption following weeks of undetected data exfiltration starting in March. This was preceded by REvil's April 14 tease of an impending "most high-profile attack ever," signaling growing audacity amid rising global tensions over ransomware's impact on essential services.

The year's most expansive operation unfolded on , when REvil exploited a zero-day flaw (CVE-2021-30116) in 's VSA remote management software, enabling automated deployment to up to 1,500 downstream managed service providers and end-users across multiple countries. The group demanded $70 million in for a universal decryptor, marking one of the broadest compromises to date and affecting sectors from to healthcare. promptly isolated its servers, but the incident underscored REvil's tactical evolution toward scalable, multi-victim campaigns, amplifying economic fallout estimated in the billions. These strikes not only yielded substantial revenues but also drew international scrutiny, coordinated disruptions later that year.

Shutdown and Fragmentation (Late 2021–2022)

In October 2021, a multi-country operation, led by U.S. agencies including the FBI, U.S. Cyber Command, and Secret Service in coordination with at least one foreign partner, infiltrated REvil's network infrastructure. Authorities exploited vulnerabilities in REvil's restored backup servers, which the group had reactivated unaware of prior compromises, to seize control and deploy disruptive measures. This action rendered REvil's key Tor-based sites, including the "Happy Blog" for extortion communications, inaccessible, effectively halting ongoing operations and communications with victims. A REvil administrator known as "0_neday" acknowledged the breach on a forum before going silent, marking a significant blow following earlier self-imposed downtime in July 2021 after the supply-chain attack.

The October disruption built on U.S. efforts that included withholding a universal decryption key recovered from REvil systems after the incident, prioritizing pursuit of group members over immediate victim recovery. By November 2021, U.S. authorities had indicted two alleged REvil affiliates on charges related to deployment. These actions temporarily fragmented REvil's centralized command, but the Ransomware-as-a-Service model's distributed affiliate structure allowed residual activity, with reports of opportunistic attempts persisting via legacy channels.

In January 2022, 's (FSB) arrested several purported REvil members, seizing servers, wallets holding over 450 million rubles (approximately $6 million USD at the time), and charging them with organized . Russian officials claimed this dismantled the group's core operations, aligning with international pressure amid heightened U.S.- tensions over . However, new REvil-branded binaries surfaced shortly after, suggesting involvement by unaffiliated copycats or surviving subsets of affiliates rather than original leadership, indicative of operational fragmentation into less coordinated entities with diminished scale and influence. By mid-2022, accumulating indicators pointed to potential revival efforts by former members, though without the prior group's former cohesion or high-profile impact, reflecting broader patterns where takedowns scatter RaaS operators into splinter activities.

Operational Mechanics

Ransomware-as-a-Service Structure

REvil functioned as a Ransomware-as-a-Service (RaaS) operation, a model in which a central developer team supplied customizable ransomware tools to independent affiliates responsible for target selection, intrusion, deployment, and extortion activities. This structure, initiated in 2019 following the retirement of the GandCrab ransomware, enabled scalable operations by distributing risk and leveraging specialized skills among participants. The core team, presumed to consist of Russian-speaking actors based on operational patterns and language use, focused on malware evolution while affiliates executed field operations, primarily targeting organizations outside Russia and Commonwealth of Independent States (CIS) countries.

The developer team maintained control over the Sodinokibi/REvil ransomware codebase, releasing updates to evade detection and incorporating features like for double-extortion. They provided affiliates with "builders" (tools to generate unique ransomware variants) and enforced operational guidelines, such as prohibiting attacks on government entities, , or entities in , , and other CIS nations, as announced in a May 2021 forum post. This central authority ensured integrity and handled backend infrastructure, including payment processing via and victim data leak sites like the "Happy Blog."

Affiliates, often experienced cybercriminals including former GandCrab operators, managed the full attack lifecycle: gaining initial access through methods like (RDP) brute-forcing or exploiting vulnerabilities, lateral movement within networks, data theft, encryption, and negotiation. Each affiliate received a , such as a Process ID (PID), embedded in the to track infections attributable to their campaigns, facilitating accurate profit attribution in a parent-child deployment structure. Affiliates targeted high-value victims, including managed service providers (MSPs) for supply-chain amplification, as seen in attacks demanding up to $50 million, with some payments like $11 million from Foods in May 2021.

Profits from ransoms, typically demanded in and ranging into millions of dollars, were split with affiliates retaining at least 75% of proceeds, while developers claimed the remainder for provision and support. Payments flowed through controlled wallets, with developers allegedly incorporating backdoors in some variants to monitor or divert funds, leading to reports of internal scams where core operators negotiated separately with victims to undercut affiliates. Recruitment occurred via forums, notably exploit.in, where REvil advertised its RaaS program to attract skilled operators, including those displaced from shuttered groups, emphasizing high payout potential and technical reliability. This affiliate-centric model fostered rapid expansion but introduced tensions, as evidenced by forum disputes over rule enforcement and payouts, contributing to operational fragmentation by late 2021.

Malware Technical Features

REvil, also known as Sodinokibi or Sodevo, is a family that first appeared in April 2019 and exhibits code similarities to the discontinued GandCrab ransomware, including shared string decoding functions and URL-building logic suggestive of overlapping development. The operates as a Windows PE executable, often delivered in obfuscated forms such as masquerading installers or macro-embedded documents, and supports command-line arguments for customized execution, such as -fast for rapid or -nolocal to skip local drives.

The core payload employs hybrid encryption, primarily using the Salsa20 stream cipher to encrypt files with unique session keys generated per victim or file, while the session keys themselves are secured via RSA-2048 or elliptic curve cryptography (ECC) with the attacker's public key. Encrypted files receive randomly generated extensions (e.g., .1cd8t9ahd5 or strings from the registry like x4WHjRs), and the malware skips certain whitelisted paths or extensions such as boot files or .exe to maintain system operability. Post-encryption, it deletes volume shadow copies using vssadmin delete shadows /all /quiet, disables Windows recovery options via bcdedit, and terminates interfering processes like antivirus software, SQL servers, or Outlook to hinder detection and recovery. A ransom note, typically named HOW-TO-DECRYPT.txt or similar, is dropped in affected directories, containing a unique victim ID (e.g., F3FD1FCFF284306B) and instructions for payment via a TOR onion site.

Initial infection vectors include exploitation of unpatched vulnerabilities, such as the zero-day CVE-2019-2725 in WebLogic servers for remote code execution, CVE-2018-8453 for , and supply-chain compromises like the June 2021 VSA breach via CVE-2021-30116. Other entry points encompass emails with malicious ZIP attachments or Office macros, RDP brute-force attacks exploiting weak credentials, and drive-by downloads from compromised websites or backdoored software installers (e.g., ). Lateral propagation occurs across network shares, with configurable options to target remote systems, often following initial foothold establishment via managed service providers (MSPs).

Evasion techniques feature RC4-encrypted strings, of the Import Address Table (IAT) to avoid static signatures, CRC32-hashed function names, and creation of mutexes (e.g., C19C0A84-FA11-3F9C-C3BC-0BCB16922ABF) to prevent redundant executions. The performs locale checks to self-terminate on Russian or CIS-language systems, reducing risk to operators, and embeds a configuration (e.g., in .m69 resources or .cfg sections) for parameters like targeted file types and C2 endpoints. Command-and-control (C2) communication relies on HTTPS POST requests to hardcoded or dynamically generated domains, sending victim details in JSON format via semi-randomized paths (e.g., https://<c2>/wp-content/images/abcd.jpg) with User-Agent strings mimicking legitimate browsers. Fallback to TOR onion sites (e.g., aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion) ensures resilience, while pre-exfiltration of data using tools like or supports double-extortion by threatening leaks on dedicated portals.
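The behaviours above give a defender two cheap detection points: the recovery-inhibition commands (shadow-copy deletion with vssadmin, recovery tampering with bcdedit) and the C2 beacons, which POST JSON to paths that look like static images. The following is an added example written for this page, not code from the article or any vendor; the telemetry lines are constructed, and the specific bcdedit options matched are an assumption about what "disables Windows recovery options" covers.

```python
"""Host- and network-side detection of the REvil behaviours described above.

Inputs are constructed samples in the shape of process-creation events
(e.g. Sysmon Event ID 1) and web-proxy records; no real telemetry is used.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class ProcessEvent:
    host: str
    image: str          # path of the executable that was started
    command_line: str


@dataclass
class HttpEvent:
    host: str
    method: str
    url: str
    user_agent: str
    content_type: str   # request body content type


# Constructed sample telemetry: ws01 shows the full REvil pattern, the other
# hosts show benign uses of the same tools or ordinary web traffic.
PROCESS_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin delete shadows /all /quiet"),
    ProcessEvent("ws01", r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {default} recoveryenabled No"),
    ProcessEvent("ws02", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin list shadows"),
    ProcessEvent("ws03", r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /enum"),
]

HTTP_EVENTS = [
    # Beacon: JSON body POSTed to a path that pretends to be a JPEG.
    HttpEvent("ws01", "POST", "https://c2.example.invalid/wp-content/images/abcd.jpg",
              "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "application/json"),
    # Normal image fetch from a blog.
    HttpEvent("ws02", "GET", "https://blog.example.invalid/wp-content/uploads/logo.png",
              "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "image/png"),
    # Normal JSON API call: not an image path, so not flagged.
    HttpEvent("ws04", "POST", "https://api.example.invalid/v1/events",
              "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "application/json"),
]

# "vssadmin delete shadows ... /all" wipes every restore point at once.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*/all", re.I)
# bcdedit options commonly used to stop Windows from offering recovery
# (assumed set, not taken from the article).
RECOVERY_TAMPER = re.compile(
    r"\bbcdedit(\.exe)?\s.*/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
    re.I)
# Path ends in an image extension; a POST here carrying non-image data is odd.
IMAGE_PATH = re.compile(r"/[A-Za-z0-9_-]{1,32}\.(jpe?g|png|gif)$", re.I)


def detect_process_events(events):
    """Return (host, rule, command_line) for recovery-inhibition commands."""
    alerts = []
    for ev in events:
        cmd = ev.command_line
        if SHADOW_DELETE.search(cmd):
            alerts.append((ev.host, "shadow_copy_deletion", cmd))
        elif RECOVERY_TAMPER.search(cmd):
            alerts.append((ev.host, "recovery_tampering", cmd))
    return alerts


def detect_http_events(events):
    """Flag POST requests to image-looking paths whose body is not an image."""
    alerts = []
    for ev in events:
        if ev.method.upper() != "POST":
            continue
        path = urlsplit(ev.url).path
        if IMAGE_PATH.search(path) and not ev.content_type.lower().startswith("image/"):
            alerts.append((ev.host, "beacon_to_image_path", ev.url))
    return alerts


def correlate(process_alerts, http_alerts):
    """Group rule hits per host; a host with both kinds deserves first triage."""
    by_host = {}
    for host, rule, _ in process_alerts + http_alerts:
        by_host.setdefault(host, set()).add(rule)
    return {host: sorted(rules) for host, rules in by_host.items()}


if __name__ == "__main__":
    hits = correlate(detect_process_events(PROCESS_EVENTS), detect_http_events(HTTP_EVENTS))
    for host, rules in hits.items():
        print(f"{host}: {', '.join(rules)}")
```

Benign administrative use of vssadmin and bcdedit is common, so the process rules are best treated as high-priority only when they coincide with the beacon rule on the same host, as the correlation step shows.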

Extortion and Double-Extortion Tactics

REvil employed double- tactics by systematically exfiltrating sensitive victim prior to deploying , thereby securing dual leverage through withheld decryption keys and threats of public release or . This approach, which intensified in their operations from mid-2020 onward, mitigated risks of non-payment by organizations maintaining offsite backups, as victims faced not only operational disruption but also potential regulatory violations, reputational harm, and competitive disadvantages from exposed information.

The group centralized efforts via a portal known as the "Happy Blog," where they cataloged attacked entities, posted proof-of-concept file samples to validate claims, and escalated against non-payers by dumping datasets. This site functioned as a public ledger of operations, deterring resistance by showcasing prior leaks and fostering a of inevitability in compliance.

A key escalation occurred on , 2020, when REvil initiated data auctions targeting a Canadian agricultural that rejected initial demands; the offering included three databases and over 22,000 files, requiring a $5,000 deposit for bidding eligibility and starting at $50,000. Such auctions not only monetized unpaid claims but also amplified victim pressure by inviting third-party exploitation of the data, with proceeds potentially funding further attacks.

In practice, REvil affiliates coordinated initial intrusions to harvest data, often terabytes in volume, using tools like custom exfiltration scripts during lateral movement phases, before triggering to minimize detection windows. Non-payment triggered phased leaks on the Happy Blog, beginning with samples and progressing to full releases, as demonstrated in cases like the Grubman Shire attack in 2019 where celebrity client data was partially disclosed to enforce demands exceeding $40 million.

Notable Attacks

JBS Foods Ransomware Incident

On May 30, 2021, JBS USA Holdings Inc., a subsidiary of Brazil-based JBS S.A. and one of the world's largest meat processors, detected a ransomware attack that encrypted systems and disrupted operations across its North American and Australian facilities. The attack, later attributed by the FBI to the Russia-linked REvil ransomware group, forced the temporary shutdown of all U.S. beef processing plants, which collectively handled approximately 20-22% of the nation's beef supply, along with impacts on pork and poultry operations. JBS promptly isolated affected networks, notified law enforcement, and leveraged backup systems to mitigate data loss, though the incident halted slaughter and processing activities for several days, raising concerns about potential supply chain disruptions and price increases in the meat sector.

The REvil actors employed their typical double-extortion tactics, exfiltrating sensitive prior to encryption (activities traced back to reconnaissance as early as February 2021 and theft from March 1 to May 29, 2021) while demanding an initial exceeding $22.5 million in . After negotiations involving counter-offers, JBS paid approximately $11 million in on or around June 9, 2021, to secure decryption tools and prevent publication, a decision the company justified as necessary to expedite recovery and protect customer without alternatives for rapid restoration. REvil confirmed receipt of the funds but did not publicly leak JBS , unlike some prior victims.

Operations began resuming within 24-48 hours, with most U.S. plants fully operational by June 2-3, 2021, minimizing long-term supply shortages. The incident prompted U.S. government involvement, including briefings and cybersecurity assistance, highlighting vulnerabilities in critical food infrastructure amid a pattern of REvil targeting high-value sectors. reported no evidence of compromised consumer data or backups, and subsequent internal reviews revealed pre-attack cybersecurity lapses, such as inadequate patching and monitoring, contributing to the breach's success.

Kaseya Supply Chain Compromise

On July 2, 2021, the REvil ransomware group exploited zero-day vulnerabilities in Kaseya's VSA remote monitoring and management software, including CVE-2021-30116 and related flaws, to deploy a malicious update that propagated to downstream customers. The attack targeted on-premises VSA servers, allowing the attackers to inject REvil payloads via automated agent updates and affecting primarily managed service providers (MSPs) and their end-users, without requiring direct intrusion into those networks or any user interaction. This compromise amplified the group's reach, as VSA's design enabled broad deployment across managed networks. The incident disrupted operations for an estimated 800 to 1,500 organizations across more than 17 countries; REvil claimed over one million infected systems, though independent verification pegged direct impacts at around 60 Kaseya customers and low thousands of endpoints overall. Notable victims included Sweden's Coop supermarket chain, which temporarily closed hundreds of stores, and U.S.-based entities in sectors like healthcare and education. The timing aligned with the U.S. holiday weekend, reducing immediate detection amid lower staffing. REvil employed double-extortion tactics, encrypting data and exfiltrating it for leverage, then demanding $70 million in Bitcoin for a universal decryptor to restore access across all victims. Individual victims faced tailored demands of up to $5 million, with MSPs prioritized because of their multi-tenant exposure. Kaseya responded by disabling VSA cloud instances, issuing patches, and collaborating with authorities, while the FBI discouraged payments and pursued decryption tools; some victims reportedly paid, but no universal decryptor was publicly released before REvil's operational site went offline on July 13. The attack highlighted VSA's unpatched flaws, known to researchers since April 2021 but not fully remediated before the breach.

Other Key Victims and Patterns

In addition to the JBS Foods and Kaseya incidents, REvil targeted several high-profile entities in the financial and technology sectors. In January 2020, the group attacked a major foreign exchange and payments company, encrypting systems and demanding an initial $3 million ransom, later increased to $6 million; the firm reportedly paid approximately $2.3 million in cryptocurrency to regain access, though it did not publicly confirm the payment. In March 2021, REvil compromised Acer, a Taiwanese electronics manufacturer, via vulnerabilities in Microsoft Exchange servers, stealing sensitive financial documents and demanding $50 million; the group leaked samples of the data on its site after non-payment. REvil also struck Quanta, a key supplier to Apple, in April 2021, exfiltrating over 1 GB of proprietary data, including schematics for unreleased products, before encrypting systems; the group demanded $50 million and threatened to auction the data if unpaid, in a bid to pressure both Quanta and Apple indirectly. These attacks highlighted REvil's focus on supplier vulnerabilities as a route to the valuable intellectual property and customer data of larger entities. A defining pattern in REvil operations was the widespread adoption of double-extortion tactics, where affiliates not only encrypted victim data but also exfiltrated it beforehand, using threats of public leakage to amplify pressure beyond decryption demands. The group maintained a portal known as "Happy Blog" to post proof-of-compromise samples, auction stolen data, and list non-paying victims, which served as both an extortion tool and a reputational deterrent for potential targets. This approach, refined from earlier strains like GandCrab, targeted sectors holding high-stakes data, often exploiting unpatched remote access tools or zero-day vulnerabilities for initial access. REvil's RaaS model incentivized affiliates with profit shares of up to 80%, fostering rapid scaling across diverse victims while minimizing direct exposure for the core developers.

International Takedown Efforts (2021)

In mid-2021, following the June Kaseya attack attributed to REvil, which affected up to 1,500 downstream victims worldwide and prompted a $70 million ransom demand, the U.S. president raised the issue directly with his Russian counterpart, leading to increased diplomatic pressure on Russia to curb ransomware operations originating from its territory. On July 13, 2021, REvil's operational websites, including its Tor-based payment portal and data leak site, suddenly went offline, halting communications and payments; the group cited a failure in its infrastructure as the cause, though speculation included internal disputes or a preemptive shutdown amid mounting law enforcement scrutiny. The FBI had previously obtained a universal decryption key from REvil's command-and-control servers during the Kaseya response, enabling recovery for some victims without paying ransoms, but a planned disruption operation was not executed as the group ceased activities. In October 2021, a multi-country operation compromised REvil's core infrastructure by hacking into its servers, exploiting access derived from the earlier decryption key and targeting backups restored after the July outage. U.S. agencies including the FBI, U.S. Cyber Command, and the Justice Department coordinated with at least one unnamed foreign partner and private cybersecurity firms such as Group-IB to seize control, rendering REvil's "Happy Blog" and other sites inoperable and silencing key operators like "0_neday" and "Unknown." This action, the second major disruption of REvil's operations in 2021, aimed to prevent further extortion by denying the group access to victim data and negotiation tools, though U.S. officials did not publicly confirm the offensive cyber measures at the time. On November 8, 2021, Europol announced the arrests of five REvil affiliates as part of Operation GoldDust, a coordinated effort involving national police in Romania and other countries; this included two Romanian nationals detained on November 4 for deploying REvil ransomware against approximately 5,000 victims and collecting over €500,000 in ransoms. Concurrently, the U.S. Department of Justice unsealed an indictment charging Ukrainian national Yaroslav Vasinskyi, 22, with conspiracy to commit damage to protected computers and wire fraud for his role in REvil attacks, including the Kaseya attack, which affected over 2,000 victims globally with demands exceeding $100 million; Vasinskyi was arrested in Poland on the same day through international cooperation. These actions disrupted REvil's affiliate network, which operated under its ransomware-as-a-service model, but did not target the group's Russia-based core leadership.

Russian Arrests and Internal Dismantling (2022)

On January 14, 2022, Russia's Federal Security Service (FSB) announced the arrest of 14 individuals alleged to be key members of the REvil ransomware group, following raids on 25 addresses across regions including St. Petersburg. The operation targeted the group's core infrastructure, with authorities seizing two servers, cryptocurrency wallets holding 426 million rubles (approximately $5.6 million at the time), computer equipment, stacks of cash, luxury vehicles, and real estate. The arrests occurred at the explicit request of the U.S. government, stemming from bilateral talks between the U.S. and Russian presidents in December 2021, where ransomware threats were a focal point amid high-profile REvil attacks like those on Kaseya and JBS Foods. The FSB described the raids as a decisive blow, claiming that REvil's operational infrastructure had been fully destroyed, its activities neutralized, and the group effectively ceased to exist, with no further capacity for cyberattacks. Those detained were charged under Russian criminal code provisions for creating and distributing malware, unauthorized access to computer information, and illegal handling of payment instruments, facing maximum penalties of up to seven years' imprisonment. The FSB emphasized that the seizures included assets derived from victims worldwide, positioning the crackdown as a response to international pressure rather than domestic initiative alone.

Convictions and Releases (2025)

In June 2025, a Russian court convicted four members of the REvil group—Andrey Bessonov, Mikhail Golovachuk, Roman Muromsky, and Dmitry Korotayev—of illegal circulation of means of payment and distribution of malware, sentencing each to between four and a half and five years in prison. The individuals, arrested by Russia's Federal Security Service (FSB) in January 2022 as part of an internal crackdown on cybercrime, had remained in pretrial detention for over three years, which the court credited fully toward their sentences, resulting in their immediate release upon the verdict. The convictions stemmed from the defendants' admitted involvement in carding operations—fraudulent use of stolen payment card data—and related activities, rather than direct prosecution for REvil's international attacks, such as those against Kaseya or JBS Foods. Russian authorities did not pursue charges tied to the group's estimated $200 million in global extortions, reflecting a pattern of domestic-focused enforcement that avoids implicating actors in extraterritorial cybercrimes potentially subject to Western extradition requests. No restitution or asset seizures linked to REvil victims were reported in these proceedings, and the releases drew criticism from cybersecurity analysts for underscoring the limited accountability for high-impact operations. These outcomes represent one of the few publicized Russian judicial actions against REvil affiliates after the 2022 dismantling, amid broader reports of selective prosecutions that prioritize non-violent financial crimes over disruptive attacks on foreign entities. No additional convictions or releases of REvil members were documented in Western jurisdictions during 2025; prior U.S. cases, such as the 2024 sentencing of Ukrainian affiliate Yaroslav Vasinskyi to over 13 years for Sodinokibi attacks, remained the primary example of extended incarceration outside Russia.

Investigations

Attribution and Intelligence Gathering

Attribution of attacks to REvil, also known as Sodinokibi, relied heavily on forensic analysis of malware artifacts, including distinctive encryption algorithms, coding techniques, and indicators of compromise (IOCs) such as specific file extensions (e.g., ".sodin") and ransom note templates that matched samples from prior incidents. Cybersecurity firms identified REvil's tactics, techniques, and procedures (TTPs), including exploitation of vulnerabilities like those in Kaseya's VSA software, by reverse-engineering payloads that exhibited consistent behavioral patterns across attacks. REvil's operational transparency further aided attribution, as affiliates frequently claimed responsibility and published victim data on their Tor-hidden dark web site, dubbed "Happy Blog," where they detailed extortion demands and leaked samples of stolen data to pressure payments. For the June 2021 JBS Foods attack, the FBI explicitly attributed the incident to REvil based on malware matching and blockchain tracing of cryptocurrency ransoms, confirming the group's involvement in encrypting systems and demanding $11 million, which JBS paid. In the July 2021 Kaseya supply chain compromise, REvil self-attributed via Happy Blog posts boasting of infecting up to 1,500 downstream victims and demanding $70 million in Bitcoin, corroborated by independent analyses of the injected malicious hotfix exploiting a zero-day vulnerability in Kaseya's platform. Intelligence gathering on REvil involved multi-agency collaboration, including FBI monitoring of criminal forums, Europol coordination on cross-border IOC sharing, and private-sector threat intelligence from entities tracking the hosting infrastructure of Russian-speaking actors. U.S. authorities obtained decryption keys for REvil victims through undisclosed operational means, including possible infiltration of the group's command-and-control servers, enabling recovery efforts without full reliance on ransom payments. Challenges persisted due to REvil's Russia-based operations, where actors evaded arrest and leveraged jurisdictional protections, though international pressure in 2021 led to a multi-nation disruption that seized servers and pushed the group offline via offensive cyber actions.

Criminal Charges by Western Authorities

In November 2021, the U.S. Department of Justice unsealed indictments against two key figures associated with the REvil ransomware operation. Yaroslav Vasinskyi, a 22-year-old Ukrainian national, was charged with conspiracy to commit damage to protected computers, intentional damage to a protected computer, and conspiracy to commit wire fraud for his role in deploying REvil (also known as Sodinokibi) ransomware, including the July 2021 attack on Kaseya that affected over 1,500 victims worldwide. Vasinskyi was arrested in Poland on October 29, 2021, pursuant to a U.S. provisional arrest request, and extradited to the United States, where he was arraigned in federal court on March 9, 2022. Yevgeniy Polyanin, a 28-year-old Russian national, was separately indicted in the District of Kansas for similar offenses—conspiracy to commit damage to protected computers, intentional damage to a protected computer, and conspiracy to commit wire fraud—stemming from REvil attacks on multiple U.S. victims, including a critical infrastructure entity in the energy sector that paid approximately $5.4 million in ransom. Polyanin remained at large following the indictment, with the U.S. Treasury Department designating him and other REvil affiliates under sanctions for their role in ransomware schemes that extorted tens of millions of dollars. These charges were part of broader U.S. actions, including the seizure of over $6 million in cryptocurrency linked to REvil ransom payments traced through blockchain analysis. European action, coordinated through Europol's Operation GoldDust involving agencies from 17 countries, led to the arrest of five REvil affiliates between February and November 2021. These individuals, operating from countries including Romania and the United Kingdom, faced charges in their respective jurisdictions for hacking offenses related to approximately 5,000 REvil infections that generated about €500,000 ($579,000) in ransoms. The arrests targeted lower-level deployers rather than core developers, with servers and cryptocurrency wallets seized to disrupt the affiliate networks profiting from REvil's ransomware-as-a-service model. No major REvil leaders were extradited to Western courts beyond Vasinskyi, highlighting the jurisdictional challenges posed by Russia-based operators.

Russian Prosecutions and Extradition Issues

In January 2022, Russia's FSB conducted raids on 25 addresses in St. Petersburg and other regions, arresting 14 individuals affiliated with REvil following a request from U.S. authorities. The operation resulted in the seizure of approximately 426 million rubles (about $5.7 million at the time), $600,000 in U.S. dollars, 500,000 euros, computer equipment, and 20 luxury vehicles, with the FSB claiming the group's infrastructure had been neutralized and its activities ceased. Those detained, including Roman Muromsky and Andrei Bessonov, who were remanded in custody, faced initial charges related to forming an organized criminal group, with potential penalties of up to seven years' imprisonment. Subsequent Russian prosecutions focused on domestic offenses such as illegal circulation of payment means (carding), malware distribution, and financial crimes, rather than the group's international operations. In October 2024, a St. Petersburg court sentenced four members—Artem Zaets to 4.5 years, Alexei Malozemov to 5 years, Daniil Puzyrevsky to 6 years, and Ruslan Khansvyarov to 5.5 years—on these charges, covering activities from 2015 onward. In June 2025, another four—Andrey Bessonov, Mikhail Golovachuk, Roman Muromsky, and Dmitry Korotayev—received 5-year sentences for similar carding and malware offenses but were released immediately, having served equivalent time in pretrial detention since their January 2022 arrests; the court also confiscated their luxury vehicles and cash holdings valued in the hundreds of thousands of dollars. Extradition of Russian REvil members to the United States was explicitly ruled out by Russian authorities, citing the absence of an extradition treaty between the two countries and Russia's longstanding policy against extraditing its nationals. This contrasted with the case of Ukrainian affiliate Yaroslav Vasinskyi, who was arrested in Poland and extradited to the U.S. in 2022, where he pleaded guilty and received a 13-year sentence in May 2024 for deploying REvil ransomware in attacks causing over $700 million in global damages. U.S. officials welcomed the Russian arrests but noted limited transparency on whether the detained individuals would face accountability for attacks on American victims, such as the Colonial Pipeline incident.

Key Figures and Infrastructure

Prominent Affiliates and Aliases

REvil, a ransomware-as-a-service (RaaS) operation, primarily operated under the alias Sodinokibi, named after a compromised code-signing certificate exploited in its initial malware variants discovered in April 2019. The group occasionally used additional monikers such as "Sodi" in internal communications and leak site branding, but Sodinokibi remained the dominant technical identifier for its encryptor payloads. Prominent affiliates included Yaroslav Vasinskyi, a Ukrainian national operating under the online alias "Rabotnik" or REvil affiliate #22, who deployed the ransomware in thousands of attacks from 2018 to 2021, generating over $700 million in ransom demands. Vasinskyi was responsible for high-profile incidents, including the June 2021 supply-chain attack on Kaseya's VSA software, which compromised up to 1,500 downstream organizations worldwide and prompted a $70 million demand. He was arrested in Poland on November 6, 2021 and, after extradition proceedings, transferred to the United States, where he pleaded guilty and received a prison sentence on May 1, 2024. In Russia, the FSB arrested 14 individuals linked to REvil on January 14, 2022, following a U.S. request, targeting alleged developers, administrators, and money launderers across St. Petersburg and other regions. Seized assets included servers hosting ransomware builders, cryptocurrency wallets holding millions, and luxury vehicles valued at over $1 million. Among the detainees, Andrey Bessonov, Mikhail Golovachuk, Roman Muromsky, and Dmitry Korotayev admitted involvement in malware development and ransomware operations; they were sentenced to prison terms in October 2024 under Russia's Article 272 for unlawful computer access, marking rare domestic accountability for such actors. Other arrestees, including Daniil Puzyrevsky, Artem Zayets, Alexey Malozemov, and Ruslan Khansvyarov, received suspended or minimal sentences for ancillary crimes like carding and were released by June 2025 after time served, highlighting Russia's selective prosecution focused on non-Western targets. These affiliates handled infrastructure maintenance, victim negotiations, and payout distributions, with the group reportedly earning over $100 million annually at its peak. U.S. indictments targeted additional Russian operators, such as Yevgeniy Mikhailovich Polyanin (aliases "Jane Doe 1" and "Polynomio"), charged in November 2021 for deploying REvil against U.S. victims, including healthcare and government entities, causing millions in damages. Polyanin remains at large, with the FBI offering a reward for information leading to his arrest. These cases underscore REvil's RaaS model, where core developers provided tools to affiliates in exchange for 20-30% cuts of ransoms, enabling scalable attacks while maintaining operational anonymity through Tor sites and cryptocurrency.

Operational Tools and Dark Web Presence

REvil operated as a Ransomware-as-a-Service (RaaS) platform, where a core development team supplied customized payloads to affiliates in exchange for a 40% share of ransom proceeds. The primary payload, known as Sodinokibi or REvil, employed Salsa20 for file encryption, targeting user files and rapidly encrypting entire drives while supporting stealthy execution on Windows to evade detection. It established persistence through scheduled tasks and registry run keys, appended the ".revil" extension to encrypted files, and dropped ransom notes instructing victims to contact the operators via unique Tor-based negotiation sites. Affiliates gained initial access through methods including exploitation of unpatched vulnerabilities, such as the zero-day in Kaseya VSA (CVE-2021-30116) used in the July 2021 supply-chain attack affecting approximately 1,500 organizations, phishing campaigns, and brute-force attacks on Remote Desktop Protocol (RDP) endpoints. Auxiliary tools like Cobalt Strike beacons for command-and-control and other malware for lateral movement facilitated deployment, often combined with double-extortion tactics involving data exfiltration prior to encryption to pressure victims. A built-in backdoor mechanism allowed core operators to communicate directly with victims, circumventing affiliates if needed. On the dark web, REvil maintained a Tor-hidden "Happy Blog" for public announcements, victim listings, and taunting messages, alongside dedicated leak sites where non-paying victims' stolen data was published or auctioned. The group's infrastructure encompassed one primary data leak site and 22 supporting data-hosting Tor sites used for ransom negotiations, data dumps, and operational coordination, with clearweb payment portals like decoder[.]re linking to these services. Affiliates were recruited via Russian-language forums such as XSS.is, where REvil advertised its RaaS offerings, including a 2020 bounty of $1 million to attract developers. These sites went offline following the disruptions of July 2021, displaying "Onionsite Not Found" errors.
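As an added example (not from this page, nor from any REvil sample or vendor report), the following Python turns the host-level indicators named above and in the Attribution section into detection logic run over constructed endpoint telemetry: files gaining the ".sodin" or ".revil" extension in a burst, a dropped ransom note, and persistence through a registry Run key or scheduled task. The telemetry line format, the "readme" note-name pattern, the burst threshold and the correlation rules are assumptions, and the burst rule deliberately generalizes beyond the two extensions the page names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Appended extensions the page names as REvil/Sodinokibi indicators, used here as a watch-list.
KNOWN_EXTENSIONS = {".sodin", ".revil"}
# Assumption: ransom notes are text files whose name contains "readme"; real note names vary.
NOTE_NAME = re.compile(r"readme[^\\]*\.txt$", re.IGNORECASE)
# Persistence mechanisms named on the page: registry Run keys and scheduled tasks.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
TASK_CMD = re.compile(r"schtasks(\.exe)?\s+/create", re.IGNORECASE)

# Constructed sample telemetry, not from any real incident. Assumed line format:
# "<ISO8601> <host> <EVENT> <detail>"; a RENAME detail is "<old path> -> <new path>".
SAMPLE_EVENTS = """\
2021-07-02T14:00:00 ws01 RENAME C:\\Users\\a\\Docs\\q1.xlsx -> C:\\Users\\a\\Docs\\q1.xlsx.revil
2021-07-02T14:00:01 ws01 RENAME C:\\Users\\a\\Docs\\q2.xlsx -> C:\\Users\\a\\Docs\\q2.xlsx.revil
2021-07-02T14:00:02 ws01 RENAME C:\\Users\\a\\Pics\\img1.jpg -> C:\\Users\\a\\Pics\\img1.jpg.revil
2021-07-02T14:00:03 ws01 CREATE C:\\Users\\a\\Docs\\abc123-readme.txt
2021-07-02T14:00:04 ws01 REGSET HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc = C:\\ProgramData\\svc.exe
2021-07-02T14:05:00 ws02 RENAME C:\\Users\\b\\draft.docx -> C:\\Users\\b\\final.docx
2021-07-02T14:07:00 ws02 CREATE C:\\Users\\b\\notes.txt
2021-07-02T14:09:00 ws03 RENAME C:\\Share\\a.pdf -> C:\\Share\\a.pdf.kx9q
2021-07-02T14:09:00 ws03 RENAME C:\\Share\\b.pdf -> C:\\Share\\b.pdf.kx9q
2021-07-02T14:09:01 ws03 RENAME C:\\Share\\c.pdf -> C:\\Share\\c.pdf.kx9q
2021-07-02T14:09:01 ws03 RENAME C:\\Share\\d.pdf -> C:\\Share\\d.pdf.kx9q
2021-07-02T14:09:02 ws03 RENAME C:\\Share\\e.pdf -> C:\\Share\\e.pdf.kx9q
"""


def parse_events(text):
    """Parse telemetry lines into dicts; malformed lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue
        ts, host, kind, detail = parts
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "detail": detail})
    return events


def appended_extension(detail):
    """Extension appended by an 'old -> new' rename (e.g. '.revil'); None for ordinary renames."""
    if " -> " not in detail:
        return None
    old, new = detail.split(" -> ", 1)
    if new.startswith(old) and len(new) > len(old) and new[len(old)] == ".":
        return new[len(old):].lower()
    return None


def detect_rename_bursts(events, window_seconds=60, threshold=5):
    """Flag mass-encryption patterns: a known REvil extension at any count, or any one extension
    appended to >= threshold files within a window (generalizes past the page's two extensions)."""
    stamps_by_key = defaultdict(list)
    for ev in events:
        ext = appended_extension(ev["detail"]) if ev["kind"] == "RENAME" else None
        if ext:
            stamps_by_key[(ev["host"], ext)].append(ev["ts"])
    alerts = []
    for (host, ext), stamps in stamps_by_key.items():
        stamps.sort()
        peak = start = 0
        for end in range(len(stamps)):  # sliding window over the sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        known = ext in KNOWN_EXTENSIONS
        if known or peak >= threshold:
            alerts.append({"host": host, "extension": ext, "peak_renames": peak, "known_ioc": known})
    return alerts


def detect_persistence(events):
    """Run-key writes and scheduled-task creation, the persistence methods the page describes."""
    return [ev for ev in events
            if (ev["kind"] == "REGSET" and RUN_KEY.search(ev["detail"]))
            or (ev["kind"] == "PROCESS" and TASK_CMD.search(ev["detail"]))]


def detect_ransom_notes(events):
    """Newly created files whose names match the assumed ransom-note pattern."""
    return [ev for ev in events if ev["kind"] == "CREATE" and NOTE_NAME.search(ev["detail"])]


def triage(text):
    """Per host: a rename burst plus a note or persistence = likely ransomware; one signal = suspicious."""
    events = parse_events(text)
    bursts = detect_rename_bursts(events)
    hosts_with = {
        "rename_burst": {b["host"] for b in bursts},
        "ransom_note": {ev["host"] for ev in detect_ransom_notes(events)},
        "persistence": {ev["host"] for ev in detect_persistence(events)},
    }
    verdicts = {}
    for host in sorted({ev["host"] for ev in events}):
        signals = [name for name, hosts in hosts_with.items() if host in hosts]
        if "rename_burst" in signals and len(signals) > 1:
            verdicts[host] = "likely_ransomware"
        else:
            verdicts[host] = "suspicious" if signals else "clean"
    return {"verdicts": verdicts, "bursts": bursts,
            "notes": len(hosts_with["ransom_note"]), "persistence": len(hosts_with["persistence"])}
```

Calling `triage(SAMPLE_EVENTS)` rates ws01 (known extension, note drop and Run key) as likely ransomware, ws03 (a burst of an unknown extension only) as suspicious, and ws02 as clean.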

Impact and Analysis

Economic and Operational Consequences

The REvil ransomware group amassed significant illicit revenues through its ransomware-as-a-service model, publicly boasting profits exceeding $100 million in the year leading up to October 2020 via extortion of businesses across multiple sectors worldwide. In high-profile incidents, victims faced demands in the tens of millions; for instance, during the July 2021 supply-chain compromise of Kaseya's VSA software, REvil initially sought $70 million in Bitcoin for a universal decryptor capable of restoring access to all affected systems, later reducing the figure to $50 million, while issuing smaller demands such as $45,000 to individual managed service providers. The June 2021 attack on JBS S.A. resulted in the meat processor paying roughly $11 million to regain control of encrypted systems and prevent data publication. These payouts, combined with recovery expenses, downtime losses, and potential regulatory fines, imposed multifaceted financial burdens on victims, often escalating beyond the initial ransoms because of indirect costs like reputational damage and forensic investigations. Operationally, REvil's campaigns inflicted severe disruptions on critical infrastructure and supply chains. The Kaseya breach, exploiting a zero-day vulnerability, propagated ransomware to as many as 1,500 downstream organizations in at least 17 countries, compelling many managed service providers and their clients—spanning retail, healthcare, and education—to suspend IT-dependent operations, with some victims negotiating individual ransoms of up to $5 million amid encrypted data and leaked samples on REvil's dark web portal. Similarly, the JBS assault halted meat processing at 13 U.S. facilities alongside plants in Australia and Canada starting May 30, 2021, temporarily constraining global protein supplies, elevating livestock futures volatility, and prompting consumer concerns over availability, though the company restored most functions within days via backups and the ransom payment. REvil's tactics, including data exfiltration prior to encryption—as seen in the JBS case, where up to 5 terabytes were stolen over several months—amplified the threat by enabling double extortion, forcing prolonged shutdowns for compliance and threat hunting even among payers. Such incidents underscored vulnerabilities in interconnected ecosystems, leading to cascading effects like deferred services and heightened cybersecurity expenditures across the affected industries.

Debates on Ransom Payments and Sanctions

The Federal Bureau of Investigation (FBI) and other U.S. authorities have consistently advised against paying ransoms to ransomware groups like REvil, arguing that such payments fund criminal operations, incentivize future attacks, and provide no guarantee of data recovery or decryption key delivery. In REvil's case, victims such as JBS paid approximately $11 million in cryptocurrency on May 31, 2021, following an attack that halted meat processing operations, yet REvil continued operations and escalated demands in subsequent incidents like the July 2021 Kaseya supply-chain compromise, where affiliates sought up to $70 million. Empirical analyses indicate that organizations paying ransoms face heightened risks of repeat victimization, with studies showing that paying victims experience subsequent attacks at rates up to four times higher than non-payers, as the funds enable groups like REvil to scale infrastructure and recruit affiliates. Proponents of prohibiting ransom payments contend that legal bans could disrupt the economic model sustaining REvil and similar ransomware-as-a-service operations by denying them revenue streams, potentially reducing attack frequency despite short-term challenges for victims lacking robust backups. Critics, however, highlight enforcement difficulties and the potential for increased operational downtime in critical sectors, as seen in REvil's Kaseya attack affecting over 1,500 downstream entities; they argue that payments, while ethically fraught, enable quicker recovery when backups fail, though data shows only 8% of payers fully regain access without additional costs. No comprehensive ban has been enacted in major jurisdictions as of 2025, with debates centering on balancing victim autonomy against broader deterrence, informed by REvil's estimated $200 million in total extortions before its 2021 disruption. On sanctions, the U.S. Department of the Treasury designated REvil infrastructure and operators, including affiliates like Mikhail Matveev and Vasinskyi, under Executive Order 13694 in November 2021, blocking U.S. persons from transactions with them and aiming to sever the cryptocurrency laundering channels used by the group. These measures complemented State Department rewards of up to $10 million for information leading to the arrest of REvil leaders, targeting the group's reliance on cryptocurrency exchanges. Effectiveness remains debated: sanctions disrupted REvil's financial flows and coincided with the group's operational halt in October 2021 after infrastructure seizures, but attribution to sanctions rather than parallel U.S.-Russia diplomatic pressure or internal fractures is unclear, as REvil affiliates reemerged under new banners. Broader sanctions discourse questions their impact on nations that harbor such actors, like Russia, where REvil operated with apparent impunity; while financial restrictions hinder monetization, experts note limited deterrence absent Russian cooperation, as evidenced by REvil's persistence after the initial 2021 actions until law enforcement operations dismantled its servers. Proponents argue that sanctions signal resolve and degrade capabilities over time by complicating affiliate recruitment and tool development, yet empirical outcomes show revenues rising industry-wide despite targeted actions, underscoring the need for multilateral enforcement to counter evasion via rebranding and jurisdictional havens.

Cybersecurity Lessons and Long-Term Effects

The REvil operations, particularly the July 2021 Kaseya supply chain compromise affecting up to 1,500 organizations worldwide, underscored critical vulnerabilities in managed service providers (MSPs) and third-party software ecosystems. Attackers exploited unpatched flaws in Kaseya's VSA software, such as CVE-2021-30116, to deploy ransomware via legitimate update mechanisms, bypassing traditional perimeter defenses. This incident highlighted the need for rigorous supply chain risk management, including vendor vetting, continuous monitoring of upstream software, and rapid patch deployment to prevent lateral movement across interconnected networks. Cybersecurity experts recommend adopting Zero Trust architectures, enforcing multi-factor authentication (MFA) beyond simple credentials, and segmenting networks to limit the blast radius, as REvil's tactics often exploited weak session management and unmonitored administrative tools. Immutable, air-gapped backups emerged as a proven countermeasure, enabling recovery without payments, which REvil demanded in amounts of up to $70 million for universal decryptors. International law enforcement coordination, exemplified by Operation Cronos in June 2021 involving the FBI, Estonian authorities, and Swiss police, demonstrated the efficacy of disrupting infrastructure through server seizures and cryptocurrency tracing, leading to REvil's operational hiatus. However, the group's partial resurgence and the arrests of affiliates in several countries revealed limitations, including safe havens in non-extraditing jurisdictions and the adaptability of Ransomware-as-a-Service (RaaS) models. Post-REvil, cybersecurity practices evolved toward proactive threat hunting and endpoint detection tools, with CISA issuing MSP-specific guidance for hardening and incident response. Organizations learned to avoid payments, as funds from victims like JBS's $11 million payout in May 2021 fueled further attacks, prompting stricter insurance clauses excluding payments to sanctioned actors. Long-term, REvil's demise accelerated fragmentation of the ransomware ecosystem, with successors like LockBit adopting refined RaaS tactics, contributing to a 9% year-over-year rise in U.S. ransomware complaints by 2022 despite targeted disruptions. The attacks influenced U.S. policy, including heightened bounties (e.g., $10 million for REvil leaders) and executive actions on critical infrastructure resilience, fostering global norms against harboring cybercriminals. Yet persistent trends show that takedowns yield only temporary reductions in activity, as affiliates rebrand and exploit unpatched vulnerabilities, emphasizing the ongoing need for sovereign cooperation and private-sector intelligence sharing to counter state-tolerated cybercrime. By 2025, REvil's legacy includes elevated supply chain scrutiny through software bills of materials (SBOMs) and a shift toward AI-driven anomaly detection, though global attack volumes remain elevated due to economic incentives undeterred by enforcement gaps.
