REvil (Sodinokibi) Ransomware
REvil Ransomware: One of the Most Notorious Ransomware-as-a-Service Operations
REvil, also known as Sodinokibi, is a ransomware strain that emerged in 2019 and quickly became one of the most dangerous and profitable ransomware-as-a-service (RaaS) groups. Known for targeting high-profile organizations and demanding multi-million-dollar ransom payments, REvil combines file encryption with data exfiltration and public shaming tactics to maximize pressure on victims.
Introduction to REvil Ransomware
Developed by a cybercriminal group believed to have Russian origins, REvil is often used in highly targeted attacks. Affiliates of the REvil group are responsible for gaining initial access to victim networks, after which they deploy the ransomware, steal sensitive data, and demand ransoms. REvil’s operators are infamous for negotiating publicly, leaking stolen data, and conducting massive, disruptive attacks against organizations worldwide.
1. How REvil Ransomware Works
Infection Mechanism:
REvil ransomware typically spreads through phishing emails, malicious attachments, and the exploitation of vulnerabilities in exposed services such as remote desktop protocol (RDP) and VPN appliances. Affiliates often gain access through stolen credentials or by purchasing access from initial access brokers.
Encryption and Extortion Process:
Once inside the network, attackers move laterally, escalate privileges, and exfiltrate sensitive data. They then deploy REvil to encrypt files using robust encryption algorithms (AES for files and RSA for encryption keys). Victims are presented with ransom notes demanding payment in exchange for decryption keys and a promise not to publish the stolen data.
Double Extortion Tactics:
REvil pioneered the double extortion model by combining file encryption with data theft. If victims refuse to pay, REvil operators threaten to publish or sell the stolen data on their leak site, called the "Happy Blog."
2. History and Notable Campaigns
Origin and Discovery:
REvil was first discovered in April 2019 and was believed to be the successor to the GandCrab ransomware group. REvil operated as a RaaS, where affiliates conducted attacks while the core developers took a percentage of the ransom payments.
Notable Campaigns:
- JBS Foods Attack (2021): REvil attacked JBS, the world’s largest meat processing company, causing widespread disruption in the food supply chain. JBS reportedly paid $11 million in ransom.
- Kaseya VSA Supply Chain Attack (2021): REvil exploited vulnerabilities in Kaseya’s VSA software, impacting around 1,500 organizations globally in one of the largest ransomware attacks in history.
- Apple Supplier Quanta Computer (2021): REvil demanded $50 million from Quanta and threatened to leak sensitive data related to Apple products.
3. Targets and Impact
Targeted Victims and Sectors:
REvil targets a wide range of industries, including:
- Manufacturing
- Healthcare
- Legal services
- IT and software providers
- Food and agriculture sectors
Consequences:
Victims of REvil ransomware experience severe operational disruptions, financial losses, and potential regulatory penalties from data breaches. Ransom demands range from hundreds of thousands to tens of millions of dollars, depending on the victim’s size and industry.
4. Technical Details
Payload Capabilities:
- File Encryption: Uses AES encryption for files and RSA encryption for keys.
- Data Exfiltration: Steals sensitive data to use as leverage in ransom negotiations.
- Network Propagation: Moves laterally through networks, often using tools like Cobalt Strike.
- Customization: Payloads are customized for each victim, often tailored to target backups, virtual machines, and critical infrastructure.
Command-and-Control (C2):
REvil often communicates through Tor-based sites and anonymous emails. Payment portals and negotiation platforms are usually hosted on the dark web.
5. Preventing REvil Infections
Best Practices:
- Implement strong email security to filter phishing emails and attachments.
- Regularly patch and update software, especially remote access tools and VPN appliances.
- Enforce multi-factor authentication (MFA) on all remote access points.
- Segment networks to limit access to critical systems and data.
Recommended Security Tools:
- Endpoint detection and response (EDR) solutions to detect lateral movement and privilege escalation.
- Intrusion detection/prevention systems (IDS/IPS) to monitor network activity.
- Immutable and offline backups to ensure data can be restored without paying a ransom.
6. Detecting and Removing REvil
Indicators of Compromise (IoCs):
- Presence of ransom notes such as README.txt in encrypted folders.
- Encrypted files with unique extensions, often customized for each victim.
- Unusual outbound traffic to Tor networks or C2 domains.
- Offensive or dual-use tools running unexpectedly (e.g., Cobalt Strike, Mimikatz).
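The indicators above can be turned into a first-pass triage check. The following script is an added example written for this page, not tooling from the original article or from any vendor: it runs over a constructed file listing and a few constructed firewall-style log lines and flags ransom notes, clusters of files carrying an appended per-victim extension, and outbound connections to Tor ports or .onion names. The ransom note name comes from the page; the list of "ordinary" extensions, the Tor port list, the sample paths and the sample addresses are assumptions made for the illustration.

```python
"""Heuristic IoC scanner for the REvil-style indicators listed above.

Added example for this page, not tooling from the original article or from
any vendor. It runs over constructed samples: a file listing and a handful
of firewall-style log lines. The extension heuristic, the Tor port list and
the sample hosts/addresses are assumptions made for the illustration.
"""
import re
from collections import Counter
from pathlib import PurePosixPath

# Ransom note name given on the page; real note names vary per victim.
RANSOM_NOTE_NAMES = {"readme.txt"}
# Extensions treated as "ordinary"; a non-ordinary extension appended after
# one of these is treated as a candidate ransomware extension.
COMMON_EXTENSIONS = {"txt", "doc", "docx", "xls", "xlsx", "pdf", "jpg", "png",
                     "exe", "dll", "log", "zip", "tar", "gz", "bak", "sql"}
# Assumption: ports commonly used by Tor relays and local SOCKS proxies.
TOR_PORTS = {9001, 9030, 9050, 9150}

SAMPLE_FILES = [  # constructed file listing
    "/srv/share/finance/README.txt",
    "/srv/share/finance/q1-report.xlsx.t5kj9x",
    "/srv/share/finance/q2-report.xlsx.t5kj9x",
    "/srv/share/finance/budget.docx.t5kj9x",
    "/srv/share/hr/policy.pdf",
    "/srv/share/hr/photo.jpg",
    "/srv/share/dev/app.tar.gz",
]

SAMPLE_NETLOG = [  # constructed firewall-style records (RFC 5737 test addresses)
    "2021-07-02T14:03:11Z src=10.0.5.23 dst=198.51.100.7 dport=443 proto=tcp",
    "2021-07-02T14:03:15Z src=10.0.5.23 dst=203.0.113.9 dport=9001 proto=tcp",
    "2021-07-02T14:04:02Z src=10.0.5.23 dst=placeholder-hidden-service.onion dport=80 proto=tcp",
    "2021-07-02T14:05:40Z src=10.0.7.8 dst=198.51.100.12 dport=53 proto=udp",
]

NETLOG_RE = re.compile(r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def ransomware_extension(path):
    """Return the appended extension if the file name looks like
    '<name>.<ordinary ext>.<random ext>', otherwise None."""
    suffixes = [s[1:].lower() for s in PurePosixPath(path).suffixes]
    if len(suffixes) < 2:
        return None
    original, appended = suffixes[-2], suffixes[-1]
    if (original in COMMON_EXTENSIONS and appended not in COMMON_EXTENSIONS
            and appended.isalnum() and len(appended) >= 4):
        return appended
    return None


def find_ransom_notes(paths):
    """Paths whose file name matches a known ransom note name."""
    return [p for p in paths if PurePosixPath(p).name.lower() in RANSOM_NOTE_NAMES]


def find_encrypted_clusters(paths, min_files=3):
    """Group suspicious files by (directory, appended extension) and keep the
    clusters large enough to suggest bulk encryption rather than a stray file."""
    counts = Counter()
    for p in paths:
        ext = ransomware_extension(p)
        if ext:
            counts[(str(PurePosixPath(p).parent), ext)] += 1
    return {key: n for key, n in counts.items() if n >= min_files}


def find_tor_connections(log_lines):
    """Log lines whose destination is a Tor port or a .onion name."""
    hits = []
    for line in log_lines:
        m = NETLOG_RE.search(line)
        if not m:
            continue
        dst, dport = m.group("dst"), int(m.group("dport"))
        if dport in TOR_PORTS or dst.lower().endswith(".onion"):
            hits.append(line)
    return hits


def scan(paths, log_lines):
    """Combine the three checks into one triage summary."""
    return {
        "ransom_notes": find_ransom_notes(paths),
        "encrypted_clusters": find_encrypted_clusters(paths),
        "tor_connections": find_tor_connections(log_lines),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_FILES, SAMPLE_NETLOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the scan reports the finance share's README.txt, one cluster of three files in /srv/share/finance carrying the appended extension t5kj9x, and two network records (the port 9001 connection and the .onion destination). The cluster threshold matters: a single file with an odd double extension is common in normal use, while many files in one directory gaining the same new extension within a short time is the pattern worth paging someone for.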
Removal Steps:
- Isolate affected systems immediately to prevent further spread.
- Identify and remove any persistence mechanisms left by attackers (backdoors, admin accounts).
- Eradicate the ransomware payloads and any tools used during the attack.
- Restore systems from clean, secure backups after verifying the threat is fully removed.
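The persistence step above is where attacker-created accounts are easy to miss. The following script is an added example for this page, not tooling from the original article: it correlates constructed Windows Security log records so that an account created and then added to a privileged group within a short window stands out for review. Event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group) are real Windows Security event IDs; the record layout, the group list, the off-hours range, the time window and the sample records are assumptions made for the illustration.

```python
"""Persistence review: surface accounts an intruder may have created and
elevated, using constructed Windows Security log records.

Added example, not tooling from the original article. Event IDs 4720 (user
account created) and 4732 (member added to a security-enabled local group)
are real Windows Security event IDs; the record layout, group list, time
window and sample data are assumptions made for this illustration.
"""
from datetime import datetime

# Assumption: groups whose membership grants remote or administrative access.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}
# Assumption: account creation between these hours is unusual for this site.
OFF_HOURS = range(0, 6)

SAMPLE_EVENTS = [  # constructed records in the shape of a SIEM export
    {"time": "2021-07-02T02:11:05", "id": 4720, "target": "svc_backup",
     "subject": "CORP\\jdoe"},
    {"time": "2021-07-02T02:11:40", "id": 4732, "target": "svc_backup",
     "group": "Administrators", "subject": "CORP\\jdoe"},
    {"time": "2021-07-02T09:30:00", "id": 4720, "target": "new.hire",
     "subject": "CORP\\hr-admin"},
    {"time": "2021-07-03T10:00:00", "id": 4732, "target": "new.hire",
     "group": "Sales", "subject": "CORP\\hr-admin"},
]


def _ts(event):
    """Parse the record's ISO-8601 timestamp."""
    return datetime.fromisoformat(event["time"])


def find_suspicious_accounts(events, window_seconds=3600):
    """Return accounts that were created (4720) and then added to a privileged
    group (4732) within window_seconds, with the context an analyst needs to
    decide whether the account is legitimate or an attacker's foothold."""
    created = {e["target"]: e for e in events if e["id"] == 4720}
    findings = []
    for e in events:
        if e["id"] != 4732 or e.get("group") not in PRIVILEGED_GROUPS:
            continue
        c = created.get(e["target"])
        if c is None:
            continue  # pre-existing account; outside the scope of this check
        delta = (_ts(e) - _ts(c)).total_seconds()
        if 0 <= delta <= window_seconds:
            findings.append({
                "account": e["target"],
                "group": e["group"],
                "created_by": c["subject"],
                "seconds_to_elevation": int(delta),
                "created_off_hours": _ts(c).hour in OFF_HOURS,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_accounts(SAMPLE_EVENTS):
        print(finding)
```

On the sample data only svc_backup is reported: created at 02:11 and made a local administrator 35 seconds later, by the same account. The new.hire record is ignored because Sales is not a privileged group and the membership change came a day later. In a real engagement the subject field is the lead to follow next, since the account that created the backdoor is itself likely compromised and should be treated as part of the attacker's footprint.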
Professional Help:
Engage an incident response team for containment, eradication, and forensic analysis. Legal and regulatory consultation may also be necessary due to data exfiltration risks.
7. Response to a REvil Attack
Immediate Steps:
- Disconnect affected systems from the network.
- Notify law enforcement and any regulatory bodies, particularly if personal data was stolen.
- Begin recovery using clean backups and rebuild systems as needed.
- Consult legal counsel before considering ransom payment—REvil’s operators have been linked to sanctioned entities.
8. Legal and Ethical Implications
Legal Considerations:
Ransom payments may be illegal if the group is tied to sanctioned entities. Organizations must comply with data protection laws and report breaches when sensitive data is exfiltrated.
Ethical Considerations:
Paying ransoms may perpetuate the ransomware economy. Ethical approaches prioritize prevention, transparency, and collaboration with law enforcement over ransom payments.
9. Resources and References
- No More Ransom Project: information and tools for ransomware victims (no REvil decryptor is available).
- CISA Alerts on ransomware mitigation and response strategies.
- FBI and Europol Press Releases on actions against REvil.
10. FAQs about REvil Ransomware
Q: What is REvil ransomware?
REvil (Sodinokibi) is a ransomware strain operated by a cybercriminal group that encrypts files, exfiltrates data, and demands ransom payments for decryption and data protection.
Q: How does REvil spread?
REvil spreads through phishing emails, stolen credentials, software vulnerabilities, and often through affiliates in ransomware-as-a-service (RaaS) operations.
Q: Is there a public decryptor for REvil ransomware?
Some REvil decryption keys were released by law enforcement following REvil takedowns, but universal decryptors are not publicly available for all victims.
11. Conclusion
REvil ransomware set the standard for modern ransomware operations, combining file encryption, data theft, and extortion. Despite law enforcement takedowns, its tactics continue to influence other ransomware groups, underscoring the need for comprehensive cybersecurity strategies and preparedness.