REvil
REvil, also known as Sodinokibi and Sodin, is a Russian-speaking, Russia-linked ransomware-as-a-service (RaaS) cybercriminal operation, described in reporting as based in Russia or likely based in a CIS country. The group emerged in 2019 as a successor to GandCrab and became one of the most prolific ransomware threats on the dark web. REvil operated through affiliates; reporting notes former affiliates and disputes within its ecosystem, including reports that operators were caught pilfering from affiliates and that a former REvil affiliate was linked to later deployments. Some reporting describes the group as now defunct, although its infrastructure temporarily reappeared after an earlier disruption.
Reporting attributes to REvil financially motivated ransomware and double-extortion operations: affiliates encrypt victim systems, exfiltrate internal data, and threaten to leak, publish, or auction the stolen information if payment is not made. Tactics mentioned include spearphishing to identify worthwhile targets, use of leak sites including the "Happy Blog," ransom negotiation through Tor-based portals, and exploitation of zero-day vulnerabilities. REvil is specifically linked to the July 2021 Kaseya VSA supply-chain attack, in which it exploited zero-day vulnerabilities in Kaseya VSA, impacted managed service providers and more than 1,000 downstream businesses, and demanded up to $70 million in Bitcoin for a universal decryptor. Reporting also references the 2021 Quanta compromise, the JBS incident, attacks on Grubman Shire Meiselas & Sacks involving theft and a threatened auction of celebrity-related data, and a claimed breach of Invenergy in which REvil said it stole 4 TB of data without encrypting systems. Targets mentioned include technology companies, managed service providers, retailers, critical infrastructure, law firms, energy companies, manufacturers, and U.S.-based organizations.
The group is described as attacking companies and critical infrastructure around the world. Reporting also notes law-enforcement action and disruption: U.S. rewards were offered for information on REvil members, Bitdefender released a universal decryptor with a law-enforcement partner for victims hit before July 13, 2021, four alleged REvil members were reportedly sentenced in Russia, and Yaroslav Vasinskyi was charged by the U.S. for deploying Sodinokibi/REvil, including in the Kaseya attack. Known aliases directly mentioned are REvil, Sodinokibi, and Sodin.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
35 distinct techniques observed across reporting, grouped by tactic (MITRE ATT&CK).
Associated malware families
2 malware families attributed to this actor across reporting.
Associated vulnerabilities
3 CVEs this actor has used in observed campaigns. 3 of them exploited in the wild.
The threat actors behind the DearCry ransomware have already used the ProxyLogon vulnerability to deploy their ransomware...
The 2021 Kaseya VSA compromise by REvil used several zero-day vulnerabilities, including CVE-2021-30116 and CVE-2021-30120, which allowed them to bypass authentication requirements to access VSA servers en route to deploying ransomware in up to 1500 downstream client networks.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced as an example of negotiation-portal pressure design, specifically using a countdown timer when a victim first visited the leak page.
Ransomware-as-a-service operations that industrialized extortion with affiliate programs, negotiation support, revenue sharing, and organized business-like operations.
Operated as a ransomware-as-a-service group that industrialized extortion with affiliate programs, negotiation support, and revenue-sharing arrangements.
A ransomware group that succeeded GandCrab and conducted large-scale extortion operations, including a notable supply chain attack against Kaseya affecting up to 1,500 organizations.