blacktemple.net · Cybersecurity News & Analysis · © 2026

REvil

Also known as: Sodinokibi · Pinchy Spider · Gold Southfield

Type: ransomware
Nation: 🇷🇺 Russia
Active Since: 2019
Targets: Technology, Legal, Manufacturing, Healthcare, Financial Services, Critical Infrastructure, Retail
Known Tools: REvil Ransomware, Cobalt Strike, Mimikatz, PsExec, Qakbot, IcedID, AdFind, MegaSync
MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1195.002 (Compromise Software Supply Chain), T1059.001 (PowerShell), T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery), T1048 (Exfiltration Over Alternative Protocol), T1078 (Valid Accounts), T1562.001 (Disable or Modify Tools), T1027 (Obfuscated Files or Information), T1021.001 (Remote Desktop Protocol)
References: CISA Alert AA21-131A, MITRE ATT&CK, DOJ REvil Arrests, Kaseya Attack Analysis

Background

REvil, also known as Sodinokibi, was one of the most prolific and high-profile ransomware-as-a-service (RaaS) operations from 2019 to 2022. The group emerged as a direct successor to the GandCrab ransomware, which shut down in mid-2019 after its operators claimed to have earned over $2 billion. REvil's development and leadership were attributed to Russian-speaking cybercriminals, with the group's public spokesperson known as "Unknown" (also "UNKN") on underground forums.

REvil pioneered or popularized several tactics that became standard across the ransomware ecosystem. It was among the first operations to practice double extortion at scale (encrypting data and threatening to leak it), and it ran a well-known leak site, the "Happy Blog", on which it also experimented with auctioning stolen data to the highest bidder. As a RaaS, REvil recruited affiliates on underground forums: affiliates obtained access and deployed the ransomware, while the core developers maintained the payload, the leak site and the payment portal and took a share of each ransom (affiliates reportedly kept 70-80%). REvil demanded some of the highest ransoms on record, including $70 million for a universal decryptor after the Kaseya attack.

The group's operations were disrupted multiple times. REvil went dark in July 2021, shortly after the Kaseya attack, and resurfaced in September of that year; in October 2021 its Tor infrastructure was taken offline by a multinational law-enforcement and intelligence operation. In November 2021 the U.S. Department of Justice announced charges against affiliate Yaroslav Vasinskyi for the Kaseya attack and the seizure of $6.1 million in ransom proceeds from another affiliate, Yevgeniy Polyanin. In January 2022, at the request of the U.S. government, Russia's FSB arrested 14 suspected REvil members and seized cash, cryptocurrency and vehicles reported to be worth over $6 million. Vasinskyi, arrested in Poland and extradited to the U.S., was sentenced in 2024 to 13 years in prison. A brief attempt to revive the brand in 2022 did not restore the operation.

Notable Campaigns

Kaseya VSA Supply Chain Attack (July 2021): REvil's most impactful attack exploited a zero-day vulnerability (CVE-2021-30116) in on-premises Kaseya VSA servers, the remote monitoring and management product used by managed service providers (MSPs). Once inside, the attackers used VSA's own agent deployment mechanism to push a fake "hotfix" that ran the REvil payload on every endpoint under management, so the compromise cascaded downstream and encrypted systems at up to an estimated 1,500 businesses in 17 countries within hours. REvil demanded $70 million for a universal decryptor. Swedish grocery chain Coop closed roughly 800 stores because its point-of-sale systems were down. Kaseya obtained a universal decryptor from a third party about three weeks later; it was subsequently reported that the FBI had obtained the key.

JBS Foods (June 2021): REvil compromised JBS, the world's largest meat processing company, forcing the shutdown of beef plants in the U.S., Canada, and Australia. The attack briefly threatened U.S. meat supply chains and food security. JBS paid an $11 million ransom to restore operations, one of the largest confirmed ransom payments at the time.

Acer (March 2021): REvil demanded a record-breaking $50 million ransom from Taiwanese electronics manufacturer Acer after breaching their network, reportedly through a Microsoft Exchange vulnerability. Stolen financial documents and spreadsheets were posted to the Happy Blog leak site as proof of compromise.

Travelex (December 2019 - January 2020): REvil's attack on foreign exchange company Travelex forced the company to take all systems offline for weeks, disrupting currency exchange services globally. Travelex reportedly paid $2.3 million in ransom. The financial impact of the attack, combined with COVID-19, ultimately contributed to Travelex entering administration (bankruptcy).

Quanta Computer (April 2021): REvil breached Quanta Computer, a major Apple supplier, and stole blueprints for unreleased Apple products. The group initially demanded $50 million from Quanta, then shifted their extortion to Apple directly, threatening to release product schematics ahead of an Apple product launch event.

Tactics, Techniques & Procedures

REvil affiliates used diverse initial access methods, including exploiting public-facing applications (particularly VPN appliances and web servers), leveraging precursor malware infections (Qakbot, IcedID, Trickbot), purchasing access from initial access brokers on underground forums, and conducting RDP brute-force attacks. The Kaseya attack demonstrated REvil's capability for sophisticated supply chain compromises.

Post-compromise operations typically involved credential harvesting with Mimikatz, Active Directory enumeration with tools such as AdFind and BloodHound, and lateral movement via PsExec, RDP, and WMI. Before encryption, affiliates disabled security software, deleted volume shadow copies, and exfiltrated data of value for the extortion phase. The ransomware's behaviour was driven by an embedded JSON configuration that controlled what to encrypt (whitelists of extensions, file names and folders to skip), which processes and services to terminate first, the ransom note text and name, and the attacker's public key.

REvil's ransomware payload was distributed as a DLL or executable, sometimes sideloaded via legitimate applications to evade security products. The ransomware used Salsa20 for file encryption and Curve25519 for key exchange. It modified the system wallpaper and dropped ransom notes directing victims to a Tor-based payment portal with a built-in chat function for ransom negotiations.

Tools & Malware

  • REvil/Sodinokibi Ransomware: The core ransomware payload using Salsa20 stream cipher for file encryption and elliptic-curve Diffie-Hellman (Curve25519) for key management. Available in EXE and DLL formats with extensive configuration options.
  • Cobalt Strike: The primary post-exploitation framework used by affiliates for C2, lateral movement, and payload delivery.
  • Mimikatz: Used extensively for credential harvesting, particularly LSASS dumps and Kerberos ticket extraction.
  • PsExec: Microsoft Sysinternals tool used for remote execution across domain-joined systems during lateral movement.
  • Qakbot / IcedID: Banking trojans frequently used as initial access vectors that ultimately deliver REvil to compromised organizations.
  • AdFind: Active Directory command-line query tool used for domain reconnaissance.
  • MegaSync: Legitimate MEGA cloud storage client used for data exfiltration of large datasets.
  • GMER / PCHunter: Anti-rootkit tools repurposed by attackers to identify and disable security products.

Indicators & Detection

REvil-encrypted files carry a random extension of roughly 5-10 alphanumeric characters. The extension is generated once per run and reused in the ransom note name, which follows the pattern [extension]-readme.txt, so a note and the encrypted files beside it can be tied together by that string. The ransomware replaces the desktop wallpaper with a ransom message, creates a mutex to prevent multiple instances, and when deployed as a DLL is typically launched via rundll32.exe.
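The extension/note correlation described above, as an added example that is not code from this page or from REvil itself: a small Python triage helper that groups ransom notes and encrypted files by their shared random extension and marks a run as confirmed only when both are present, which screens out benign files that merely happen to be named like a note. The file listing is constructed for illustration; the paths, file names and the extension value "k3j9xq" are assumptions.

```python
import os
import re
from collections import defaultdict

# A REvil/Sodinokibi run appends one random 5-10 character alphanumeric
# extension to every file it encrypts and drops a note named <ext>-readme.txt
# in each directory it touches, so notes and encrypted files can be tied
# together by that extension.
NOTE_RE = re.compile(r"^([a-z0-9]{5,10})-readme\.txt$", re.IGNORECASE)


def _basename(path):
    # Split on either separator so Windows paths can be triaged from Linux.
    return re.split(r"[\\/]", path)[-1]


def correlate_revil_artifacts(paths):
    """Group ransom notes and encrypted files by the run's random extension.

    `paths` is any iterable of file paths (a live os.walk, a forensic file
    listing, an EDR inventory). Returns {ext: {"notes": [...], "encrypted": [...],
    "confirmed": bool}}; "confirmed" requires both a note and at least one file
    carrying the same extension.
    """
    notes = defaultdict(list)
    by_ext = defaultdict(list)
    for p in paths:
        name = _basename(p)
        m = NOTE_RE.match(name)
        if m:
            notes[m.group(1).lower()].append(p)
            continue
        stem, dot, ext = name.rpartition(".")
        if dot and stem:
            by_ext[ext.lower()].append(p)

    findings = {}
    for ext, note_paths in notes.items():
        encrypted = by_ext.get(ext, [])
        findings[ext] = {
            "notes": note_paths,
            "encrypted": encrypted,
            "confirmed": len(encrypted) > 0,
        }
    return findings


def scan_directory(root):
    """Walk a mounted image or live filesystem and correlate what it finds."""
    def walk():
        for dirpath, _dirs, files in os.walk(root):
            for f in files:
                yield os.path.join(dirpath, f)
    return correlate_revil_artifacts(walk())


# Constructed sample listing (not real victim data): one REvil-style run with
# the assumed extension "k3j9xq", plus a benign vendor file whose name happens
# to match the note pattern and must not be reported as an infection.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.k3j9xq",
    r"C:\Users\alice\Documents\k3j9xq-readme.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.k3j9xq",
    r"C:\Users\alice\Pictures\k3j9xq-readme.txt",
    r"C:\ProgramData\vendor\config-readme.txt",
    r"C:\Windows\notepad.exe",
]

if __name__ == "__main__":
    for ext, info in correlate_revil_artifacts(SAMPLE_LISTING).items():
        status = "CONFIRMED" if info["confirmed"] else "note-only"
        print(f"{ext}: {status}, {len(info['notes'])} notes, "
              f"{len(info['encrypted'])} encrypted files")
```

On a real incident, point scan_directory at the mounted image or an affected share; the per-extension grouping also tells you whether one or several runs (affiliates sometimes deployed more than once) touched the host.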

For Kaseya-style supply chain detection, monitor RMM tools for unexpected software deployment commands, particularly mass execution of scripts or binaries across managed endpoints. Establish baselines for normal RMM activity and alert on deviations. Ensure RMM tools are patched and hardened against exploitation.

Network detection should focus on Cobalt Strike beacon traffic, large outbound transfers to cloud storage services (MEGA in particular), and RDP/SMB lateral movement that deviates from established baselines. On the endpoint, the pre-encryption sequence is the most reliable signal: deletion of Volume Shadow Copies (vssadmin delete shadows /all /quiet, wmic shadowcopy delete); boot-configuration changes that disable Windows recovery (bcdedit /set {default} recoveryenabled no, bcdedit /set {default} bootstatuspolicy ignoreallfailures); and the stopping or disabling of security software services and processes. Alert on the chain rather than on any single command, since backup tooling can legitimately run some of them in isolation. Prefer behavioral rules that catch the encryption pattern (mass renames to one new extension, a note dropped in each directory) over known file hashes, because REvil payloads were routinely recompiled with different configurations.
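An added example, not from this page or any vendor product, of the endpoint logic just described: a handful of Python command-line rules for the recovery-inhibition and defence-tampering commands, applied to process-creation events and correlated per host so that only a chain of distinct commands within a short window raises an alert, while a lone hit (such as a backup job clearing the wbadmin catalog) is recorded without paging anyone. The event dictionaries, host names, user names and timestamps are constructed stand-ins for Sysmon Event ID 1 or an EDR export; the field names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Pre-encryption commands REvil and its affiliates ran to destroy recovery
# options and blind defences, keyed to the ATT&CK technique each maps to.
# Each regex is applied to the process command line from endpoint telemetry
# (Sysmon Event ID 1, an EDR process-creation event, or Security 4688 with
# command-line auditing enabled).
RULES = [
    ("vss_delete_vssadmin", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_delete_wmic", "T1490",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_disable_recovery", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin_delete_catalog", "T1490",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    # Weak on its own (admins stop services too); it only matters in a chain.
    ("service_stop_or_disable", "T1562.001",
     re.compile(r"\b(sc(\.exe)?\s+(stop|config\s+\S+\s+start=\s*disabled)"
                r"|net1?(\.exe)?\s+stop)\b", re.I)),
]


def match_rules(event):
    """Return the names of every rule whose pattern matches the command line."""
    cmd = event.get("cmdline", "")
    return [name for name, _tech, rx in RULES if rx.search(cmd)]


def detect(events, window=timedelta(minutes=10), min_distinct_rules=2):
    """Return (hits, alerts).

    hits:   every rule match as (timestamp, host, rule, cmdline), sorted.
    alerts: hosts where at least `min_distinct_rules` different rules fired
            within `window`; REvil chains these commands within seconds.
    """
    hits = []
    for ev in events:
        for name in match_rules(ev):
            hits.append((datetime.fromisoformat(ev["ts"]), ev["host"], name, ev["cmdline"]))
    hits.sort()

    by_host = {}
    for h in hits:
        by_host.setdefault(h[1], []).append(h)

    alerts = {}
    for host, host_hits in by_host.items():
        for i, (t0, _host, _rule, _cmd) in enumerate(host_hits):
            in_window = [h for h in host_hits[i:] if h[0] - t0 <= window]
            rules = sorted({h[2] for h in in_window})
            if len(rules) >= min_distinct_rules:
                alerts[host] = {
                    "rules": rules,
                    "techniques": sorted({t for n, t, _ in RULES if n in rules}),
                    "first": in_window[0][0].isoformat(),
                    "last": in_window[-1][0].isoformat(),
                }
                break  # one alert per host is enough for triage
    return hits, alerts


# Constructed sample telemetry (assumed field names, not real logs): a REvil-style
# chain on one workstation, a lone scheduled backup-catalog cleanup on a backup
# server, and ordinary user activity.
SAMPLE_EVENTS = [
    {"ts": "2024-03-05T14:01:05", "host": "WS-FIN-07", "user": r"CORP\svc_admin",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2024-03-05T14:01:06", "host": "WS-FIN-07", "user": r"CORP\svc_admin",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"ts": "2024-03-05T14:01:06", "host": "WS-FIN-07", "user": r"CORP\svc_admin",
     "cmdline": "bcdedit /set {default} bootstatuspolicy IgnoreAllFailures"},
    {"ts": "2024-03-05T14:01:09", "host": "WS-FIN-07", "user": r"CORP\svc_admin",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"ts": "2024-03-05T02:00:00", "host": "SRV-BACKUP-01", "user": r"CORP\backupsvc",
     "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"ts": "2024-03-05T10:12:44", "host": "WS-HR-02", "user": r"CORP\bob",
     "cmdline": r"notepad.exe C:\Users\bob\notes.txt"},
]

if __name__ == "__main__":
    hits, alerts = detect(SAMPLE_EVENTS)
    for host, a in alerts.items():
        print(f"ALERT {host}: {a['rules']} ({', '.join(a['techniques'])}) "
              f"between {a['first']} and {a['last']}")
    print(f"{len(hits)} rule hits total, {len(alerts)} host(s) alerted")
```

The window and threshold are the tuning knobs: REvil's chain lands within seconds, so a 10-minute window with two distinct rules is conservative; widen it if your telemetry batches events, and feed the lone hits into a lower-severity queue rather than discarding them.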
