REvil
REvil, also known as Sodin and Sodinokibi, is a Russia-based ransomware family and ransomware-as-a-service (RaaS) operation described as a successor to GandCrab. It is associated with Russian-speaking cybercrime actors and long-term affiliates. REvil is known for financially motivated double-extortion operations: it encrypts victim systems and exfiltrates data for additional leverage, publishing or auctioning the stolen data on its leak site if the victim does not pay.
The malware has been distributed via malicious email attachments, including Microsoft Word documents, and has also been deployed after exploitation of internet-facing vulnerabilities and through remote management software. Reporting collected here links REvil/Sodinokibi activity to exploitation of the Pulse Connect Secure arbitrary file read vulnerability CVE-2019-11510 and to the July 2021 Kaseya VSA supply-chain attack, which used zero-day vulnerabilities including CVE-2021-30116 and CVE-2021-30120 to bypass authentication on VSA servers and push ransomware to downstream customer networks. Another cited intrusion identified the cloud-based RMM tool ConnectWise Control as the root point of compromise.
Behaviorally, REvil exfiltrates host and malware information to its command-and-control servers and encrypts C2 traffic using ECIES. It has used PowerShell to download files and to delete volume shadow copies, and can also run vssadmin to delete shadow copies and bcdedit to disable Windows recovery features. It can use WMI to monitor for and kill processes named in its configuration, can connect to and disable a Symantec server on the victim network, and queries the Registry for the random file extension it appends to encrypted files. It also performs locale-based self-exclusion: it calls GetUserDefaultUILanguage and GetSystemDefaultUILanguage and terminates if the returned language is on its exclusion list. Reporting also notes reflective DLL loading in Sodinokibi campaigns.
REvil has been tied to multiple high-profile incidents and victims, including the Kaseya VSA attack (fewer than 60 direct Kaseya customers but more than 1,500 downstream businesses affected), the compromise of Quanta Computer, an attack on Acer, and the intrusion into entertainment law firm Grubman Shire Meiselas & Sacks. In the Kaseya incident, REvil demanded up to $70 million in Bitcoin for a universal decryptor, alongside demands of $5 million from MSPs and $44,999 from individual businesses. In the Grubman Shire Meiselas & Sacks (GSMLaw) incident, REvil raised its demand to $42 million and threatened staged publication of 756 GB of stolen data. Industries and sectors explicitly referenced include managed service providers, technology manufacturing, entertainment/media, and enterprise victims worldwide.
Reporting collected here further notes that REvil infrastructure went offline in July 2021 amid pressure from law enforcement and the White House and later briefly reappeared, and that U.S. authorities charged Yaroslav Vasinskyi in connection with deploying Sodinokibi/REvil, including in the Kaseya attack. High-confidence aliases are REvil, Sodin, and Sodinokibi.
Vulnerabilities exploited
4 CVEs correlated with this family across public research and vendor advisories.
Previously, Pulse Connect Secure has been targeted by a variety of threat actors including ransomware groups and other nation-state aligned threat actors over the last five years: CVE-2019-11510 Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability. | We’ve also published several blog posts about vulnerabilities in Pulse Connect Secure: ... CVE-2019-11510: Critical Pulse Connect Secure Vulnerability Used in Sodinokibi Ransomware Attacks
In early 2021, Quanta Computer, a Taiwanese technology manufacturer and Apple partner, was compromised by the REvil ransomware group... The 2021 Kaseya VSA compromise by REvil used several zero-day vulnerabilities, including CVE-2021-30116 and CVE-2021-30120, which allowed them to bypass authentication requirements to access VSA servers en route to deploying ransomware in up to 1500 downstream client networks.
Computer giant Acer has been hit by a REvil ransomware attack where the threat actors are demanding the largest known ransom to date, $50,000,000.
Groups observed using it
10 distinct threat actors attributed by public researchers.
In 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families.
One group known for pivoting is Evil Corp., the gang behind Revil. Revil’s tactics align with why a threat group would target an insurance provider.
UNC2628 is thought to partner with other RaaS services including REvil and Netwalker.
Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.
GOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool "ConnectWise Control" to deploy REvil.
"REvil, also known as Sodinokibi, emerged in 2019 and is widely believed to have evolved out of the GandCrab ransomware group."
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
The U.S. and German government’s action today addresses the abuse of virtual currency to launder ransom payments.
Initial Access
2 techniques
Tetra was able to confirm that the “Tech Support” account, and all its administrative-level privileges, was compromised. This single user gave the threat actor full access to the network.
The content repeatedly describes threat actors and malware being delivered through phishing or spearphishing emails containing malicious attachments such as Microsoft Office documents, PDFs, RAR/ZIP archives, CHM, ISO, IMG, HTA, LNK, and executable files disguised as documents.
Execution
6 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
Once the code was in place, a task named “RanCommand” was performed, effectively starting the Sodinokibi encryption process across the network.
Overall, attackers can use LoLBins to: download and install malicious code; execute malicious code... These campaigns can be relatively easily detected by internal hunting teams by analyzing command lines and their options.
Its logs revealed that a base64 encoded Windows PowerShell script command was staged, submitted, and completed by the threat actor.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
Persistence
3 techniques
Once the code was in place, a task named “RanCommand” was performed, effectively starting the Sodinokibi encryption process across the network.
Tetra was able to confirm that the “Tech Support” account, and all its administrative-level privileges, was compromised. This single user gave the threat actor full access to the network.
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. | Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.
Privilege Escalation
2 techniques
Once the code was in place, a task named “RanCommand” was performed, effectively starting the Sodinokibi encryption process across the network.
Stealth
8 techniques
The Invoke-Obfuscation module is often used to create polymorphic obfuscated variants... The downloaded code is a reflective DLL loader with randomized function names to avoid simple pattern-based detection engines... This cryptocurrency miner had five deobfuscation stages.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
"Akira will execute PowerShell commands to delete system volume shadow copies" and "REvil has used PowerShell to delete volume shadow copies."
Tetra was able to confirm that the “Tech Support” account, and all its administrative-level privileges, was compromised. This single user gave the threat actor full access to the network.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
One popular technique we're seeing at this time is the use of living-off-the-land binaries — or "LoLBins"... LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances of staying undetected within an organisation, usually during post-exploitation attack phases.
Popular malware like Sodinokibi and GandCrab have used reflective DLL loaders in the past, which allow attackers to load a dynamic library into process memory without using the Windows API... the obfuscated Cobalt Strike beacon... gets deobfuscated with a static XOR key and loaded into memory using reflective loading techniques.
Defense Impairment
1 technique
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. | Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.
Discovery
4 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
"InvisibleFerret has also queried the victim device using Python scripts to obtain the User and Hostname" and "Pikabot performs a variety of system checks and gathers system information, including commands such as whoami."
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities... Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian... Clop has checked the keyboard language using the GetKeyboardLayout() function... Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage.
Lateral Movement
1 technique
They confirmed the ransomware variant as Sodinokibi/REvil, and the root point of compromise to be from a cloud-based RMM (Remote Management and Monitoring) solution named “ConnectWise Control.”
Collection
1 technique
In ScreenConnect, when extended logging is enabled, all screenshare sessions are recorded, so anytime someone (authorized or not) remotes into a computer using the software, user activity is captured.
Command and Control
3 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
Overall, attackers can use LoLBins to: Download and install malicious code... The usage of LoLBins has been frequently combined with legitimate cloud services such as GitHub, Pastebin, Amazon S3 storage and cloud drives such as Dropbox, Box and Google Drive.
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
Impact
3 techniques
The second stage of the script actually executed the Sodinokibi ransomware, encrypted targeted files on the system, and rendered them inaccessible.
The script also removed Windows Volume Shadow Copies — this prevents restoring the device.
He and his co-conspirators demanded ransom payments in cryptocurrency and used exchangers and mixing services to hide the money. | If targeted organizations refused to pay, the attackers “threatened to publicly disclose victims’ data.”
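The recovery-inhibition commands quoted on this page (the base64-encoded PowerShell command under Execution, "REvil has used PowerShell to delete volume shadow copies" under Stealth, and the script that removed Volume Shadow Copies under Impact) are the most dependable host-side signal for this family, because they run before encryption and use stock Windows binaries. The following Python is an added example, not code from this page or from any of the sources it quotes: it runs a small rule set over constructed Sysmon-style process-creation events and, for PowerShell, decodes the -EncodedCommand argument (base64 of the UTF-16LE script) before matching, so a WMI shadow-copy deletion hidden inside an encoded command is still caught. The sample events, rule names and helper names are all constructed for this example; the bcdedit rule also matches `bootstatuspolicy ignoreallfailures`, a companion switch that is not quoted on this page.

```python
"""Added detection example for REvil/Sodinokibi-style recovery inhibition.
Not code from this page's sources; events below are constructed, not real."""
import base64
import re


def encode_powershell(script: str) -> str:
    """-EncodedCommand takes base64 of the UTF-16LE script text. Used here only
    to build the sample event the same way an attacker's launcher would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Matches the common spellings of -EncodedCommand (-e, -ec, -enc, full name);
# powershell.exe also accepts other unambiguous prefixes not covered here.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE, so not an encoded command


# (rule name, image basename, regex applied to the lower-cased command line plus
# any decoded PowerShell script). Rule names are ours, not vendor rule IDs.
RULES = [
    ("vssadmin_delete_shadows", "vssadmin.exe", r"delete\s+shadows"),
    ("wmic_shadowcopy_delete", "wmic.exe", r"shadowcopy\s+delete"),
    # "recoveryenabled No" is quoted on this page; "bootstatuspolicy
    # ignoreallfailures" is a common companion switch added by this example.
    ("bcdedit_disable_recovery", "bcdedit.exe",
     r"recoveryenabled\s+no\b|bootstatuspolicy\s+ignoreallfailures"),
    ("powershell_wmi_shadowcopy_delete", "powershell.exe",
     r"win32_shadowcopy[\s\S]*?(\.delete\(|remove-wmiobject)"),
]


def evaluate(events):
    """events: iterable of (image_path, command_line). Returns [(rule, command_line)]."""
    findings = []
    for image, cmdline in events:
        basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        decoded = decode_encoded_command(cmdline) or ""
        # Match against the visible command line and the decoded script together.
        effective = (cmdline + " " + decoded).lower()
        for name, img, pattern in RULES:
            if basename == img and re.search(pattern, effective):
                findings.append((name, cmdline))
    return findings


# Constructed sample events in (image, command line) form, loosely modelled on
# Sysmon Event ID 1. Not taken from any real incident. The last two are benign.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    (r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc "
     + encode_powershell("Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}")),
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows"),
    (r"C:\Windows\System32\bcdedit.exe", "bcdedit /enum"),
]

if __name__ == "__main__":
    for rule, cmd in evaluate(SAMPLE_EVENTS):
        print(f"{rule:36s} {cmd[:80]}")
```

Running the block flags the four tampering events and leaves `vssadmin list shadows` and `bcdedit /enum` alone. Matching on the image basename rather than the full path is deliberate: these binaries are frequently copied or renamed by ransomware stagers, so a production rule should also key on the original file name from the PE version resource (Sysmon's OriginalFileName) rather than the path alone.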
Other
1 technique
IOCs tracked for this family
4 indicators (IPs, domains and DNS infrastructure, plus MD5/SHA-1/SHA-256 file hashes) attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
200 sources tracked across advisories, community write-ups, and news.
Related Articles: ... German authorities identify REvil and GandCrab ransomware bosses ...
Ransomware operated by affiliates and linked to the REvil gang; it succeeded GandCrab and was used in high-profile extortion attacks, including supply-chain incidents.
A ransomware family and successor/incarnation of GandCrab, used in large-scale extortion campaigns against major organizations, including the 2021 Kaseya supply chain attack.
A ransomware family whose samples were observed embedding numerous commands to terminate antivirus-related processes and services, aiding successful encryption.