REvil, also known as Sodinokibi or Sodin, was one of the most prolific and notorious ransomware-as-a-service (RaaS) operations. It was active from April 2019 until its infrastructure was taken offline in October 2021 and its alleged members were arrested by Russia's FSB in January 2022. The group was Russian-speaking and believed to be based in Russia; its name is a nod to the “Resident Evil” franchise.

REvil Structure and Modus Operandi

REvil operated as a business: the core group developed and maintained the ransomware, ran the payment portal and the “Happy Blog” leak site, and kept a 20–30% cut of each ransom, while affiliates who leased the malware carried out the actual intrusions and deployments. Affiliates gained initial access by exploiting vulnerabilities in internet-facing software (including the Kaseya VSA zero-day used in July 2021), by brute-forcing or buying credentials for exposed Remote Desktop Protocol (RDP) servers, and through phishing emails. Once inside, they exfiltrated sensitive data and then encrypted files, threatening to leak or auction the stolen data unless the ransom was paid—a tactic known as double extortion.

They typically targeted high-profile organizations worldwide, including JBS (the world’s largest meat processor), the customers of Kaseya (an IT management software provider, whose VSA product was abused to push ransomware to managed service providers and their clients), the computer maker Acer, the currency exchange Travelex, and the law firm Grubman Shire Meiselas & Sacks.

REvil is widely believed to be the successor to the GandCrab ransomware group, which shut down in mid-2019. Much of REvil’s code and tactics trace back to GandCrab, and several operators reportedly transitioned directly from GandCrab to REvil.

Law Enforcement Actions and Downfall of REvil

The July 2021 Kaseya attack, which affected up to 1,500 downstream businesses, prompted U.S. President Biden to press Russian President Putin to act against ransomware operators based in Russia. REvil’s sites went dark days later, and after a brief return in September 2021 the group’s Tor infrastructure was compromised and taken offline in October 2021 in a multi-country law enforcement operation. In January 2022, Russia’s FSB raided 25 locations, arrested 14 individuals linked to REvil, and seized more than 426 million rubles (roughly $5.6 million) along with additional U.S. dollar and euro cash, cryptocurrency, and luxury vehicles. The U.S. and other countries also arrested and prosecuted affiliates, including Ukrainian national Yaroslav Vasinskyi, who was extradited from Poland and in May 2024 was sentenced to more than 13 years in prison for his role in the Kaseya attack.

Despite the arrests, REvil infrastructure briefly resurfaced in 2022, prompting speculation about whether original members, former affiliates, or copycats were behind the renewed activity. Whoever was responsible, the group’s core operations and its reputation among affiliates were irreparably damaged by the law enforcement actions.

Synonyms:
Sodinokibi, Sodin