REvil | Threat Actor Profile

A Russia-based ransomware-as-a-service (RaaS) operation that rose from the ashes of GandCrab in April 2019 to become one of the most prolific and feared ransomware syndicates in history. Operating under the leadership of a figure known as UNKN (Unknown), REvil pioneered double extortion at scale, ran one of the first dedicated data leak sites ("Happy Blog"), and orchestrated devastating supply chain attacks that brought ransomware to the level of a national security crisis. At its peak, the group claimed $100 million in annual revenue, operated with approximately 60 affiliates, and demanded over $700 million in total ransoms across more than 2,500 attacks. REvil was dismantled through a combination of international law enforcement operations, internal betrayal, and FSB arrests in January 2022.

attributed origin Russia / CIS (Russian-speaking)

organization type Cybercriminal / Ransomware-as-a-Service

active period April 2019 – October 2021 (defunct Jan 2022)

primary motivation Financial (Ransomware / Data Extortion)

predecessor GandCrab (GOLD GARDEN) — retired May 2019

total ransom demands $700M+ across 2,500+ attacks (DOJ)

total ransom collected $200M+ confirmed; ~175,000 devices infected

mitre att&ck software S0496

us reward $10M (key leadership identification)

Overview

REvil — short for "Ransomware Evil," also tracked as Sodinokibi — was a Russian-speaking ransomware-as-a-service operation that emerged in April 2019 and quickly became one of the dominant forces in the global ransomware ecosystem. The group is widely assessed by Secureworks, Palo Alto Unit 42, and other researchers to be a direct evolution of GandCrab, a prolific RaaS operation that claimed over $2 billion in earnings before its operators announced retirement in May 2019. Code analysis revealed nearly identical string decoding functions, overlapping URL structures, and shared command-and-control patterns between the two families, confirming the connection between GandCrab's developers (tracked as GOLD GARDEN) and REvil's operators (tracked as GOLD SOUTHFIELD by Secureworks and Pinchy Spider by CrowdStrike).

REvil's business model was built on an affiliate program advertised on Russian-speaking underground forums by a user known as UNKN (Unknown). The core development team — estimated at around ten individuals — maintained the ransomware payload, negotiation infrastructure, and the "Happy Blog" data leak site, while affiliates (growing to approximately 60 at peak operation) conducted the actual intrusions. Revenue was split with affiliates receiving 60-70% of ransom payments, rising after three successful payments. UNKN made deliberate efforts to restrict affiliates to Russian-speaking members to prevent law enforcement infiltration.

The group pioneered and refined several tactics that became industry-standard for ransomware operations. REvil was among the earliest ransomware groups to adopt double extortion at scale, launching the Happy Blog in February 2020 to publish stolen data from non-paying victims. The group also introduced DDoS attacks against victims to increase pressure, made direct calls to victims and media outlets, threatened to notify stock exchanges (NASDAQ) about impending data leaks to manipulate stock prices, and offered up to 90% affiliate revenue splits to attract top-tier operators.

REvil's downfall was driven by a combination of its own hubris and coordinated international response. High-profile attacks against JBS Foods, Kaseya, and Quanta Computer (Apple supplier) triggered unprecedented government attention, including direct discussions between US President Biden and Russian President Putin. In July 2021, UNKN disappeared without explanation — leading affiliates to suspect he might be dead. The FBI, in conjunction with US Cyber Command and international partners, seized control of REvil's infrastructure in October 2021. A successor administrator, 0_neday, attempted to restore operations but made critical errors, including failing to generate new private keys, which allowed law enforcement to maintain access. REvil's infrastructure went permanently dark shortly thereafter. In September 2021, researchers also discovered a backdoor built into the REvil malware itself that allowed the core developers to hijack affiliate negotiations and steal ransom payments, further destroying trust within the criminal ecosystem.

Law Enforcement Outcomes

The dismantlement of REvil involved multiple international operations spanning several years:

Operation GoldDust (2021): A 17-country operation coordinated by Europol, Eurojust, and INTERPOL arrested seven suspected REvil and GandCrab affiliates across Romania, South Korea, Kuwait, and Europe. The operation originated from the earlier GandCrab investigation. Bitdefender released free decryptors that helped over 1,400 companies recover encrypted files, saving an estimated €475 million.
Yaroslav Vasinskyi (Rabotnik): Ukrainian national arrested at the Polish border in October 2021, extradited to the US in 2022. Pleaded guilty to 11-count indictment for conducting over 2,500 ransomware attacks including the Kaseya supply chain attack. Sentenced in May 2024 to 13 years and 7 months in prison, ordered to pay $16 million in restitution.
Yevgeniy Polyanin: Russian national charged for conducting REvil attacks against Texas businesses and government entities. Authorities seized $6.1 million linked to his ransom payments. As of 2025, Polyanin remains at large and is believed by the FBI to reside in Russia, possibly in Barnaul.
FSB Raids (January 2022): Russia's Federal Security Service arrested 14 suspected REvil members across Moscow, St. Petersburg, Leningrad, and Lipetsk regions, acting on information from US authorities. Seized 426 million rubles, $600,000, €500,000, cryptocurrency wallets, computers, and 20 luxury vehicles. This was considered a rare example of US-Russia cybercrime cooperation, though it occurred just weeks before Russia's invasion of Ukraine ended further collaboration.
Russian Convictions (2024-2025): Eight suspects were prosecuted in Russian courts. In October 2024, four members (Artem Zayets, Aleksey Malozemov, Daniil Puzyrevsky, Ruslan Khansvyarov) were sentenced to 4.5 to 6 years in penal colonies. In June 2025, four additional members (Andrey Bessonov, Mikhail Golovachuk, Roman Muromsky, Dmitry Korotayev) were found guilty but released on time served after spending roughly three years in pretrial detention. Notably, Russian charges focused on financial fraud and illegal circulation of payment data rather than the computer intrusion charges sought by the US, as cooperation between Washington and Moscow collapsed following the Ukraine war.

Target Profile

REvil and its affiliates practiced "big game hunting" — selectively targeting large organizations with high annual revenues to maximize ransom payments. The group explicitly avoided targets in Commonwealth of Independent States (CIS) countries and Syria, a common practice among Russia-based cybercriminal operations to avoid domestic law enforcement scrutiny. The ransomware itself checked keyboard locale settings and whitelisted Russian and CIS-region keyboards to prevent encryption on those systems.

Targeted Sectors: Manufacturing, legal services, professional services, healthcare, technology, government, retail, financial services, food processing, energy, transportation, education, and electric utilities.
Geographic Focus: Primarily United States, but also Australia, Canada, France, United Kingdom, and organizations globally. The group specifically targeted companies with high revenue and sensitive data that would maximize pressure to pay.
Supply Chain Targeting: REvil deliberately targeted managed service providers (MSPs) and supply chain vendors to multiply its reach. Compromising a single MSP could deliver ransomware to hundreds or thousands of downstream customers simultaneously, as demonstrated in the Kaseya attack.
High-Profile Figures: The group targeted entertainment industry figures through the Grubman Shire Meiselas & Sacks law firm breach, threatening to release documents related to Lady Gaga, Madonna, and Donald Trump.

Tactics, Techniques & Procedures

REvil's TTPs evolved significantly over its operational lifetime as its affiliate base grew more sophisticated. The following reflects documented techniques across multiple campaigns as mapped by MITRE ATT&CK, Secureworks, Palo Alto Unit 42, DFIR Report, and CISA advisories.

mitre id	technique	description
T1195.002	Supply Chain Compromise: Compromise Software Supply Chain	REvil's signature capability. The Kaseya VSA attack (Jul 2021) exploited zero-day vulnerabilities to push ransomware through MSP management software to 1,500+ downstream businesses. Earlier campaigns compromised WinRAR Italia's website (Jun 2019) and multiple MSPs to deploy ransomware to their customer bases. Also targeted ConnectWise plugin for Kaseya (Feb 2019, via GandCrab affiliates).
T1190	Exploit Public-Facing Application	Heavily exploited internet-facing vulnerabilities for initial access including Oracle WebLogic (CVE-2019-2725), Pulse Connect Secure VPN (CVE-2019-11510), Citrix ADC gateway (CVE-2019-19781), Windows Remote Desktop Gateway BlueGate (CVE-2020-0609/0610), Microsoft Exchange (ProxyShell/ProxyLogon), and Kaseya VSA (CVE-2021-30116, CVE-2021-30119, CVE-2021-30120).
T1566	Phishing	Affiliates distributed REvil via malicious spam campaigns with macro-enabled Office documents, compressed JavaScript files, and malicious links. Often used initial access malware families like IcedID (Bokbot), QakBot, and Bumblebee as first-stage loaders that subsequently delivered REvil to compromised environments.
T1078	Valid Accounts	Affiliates frequently gained access through brute-forced or purchased RDP credentials. Password spraying against exposed remote access services was a common initial access technique, particularly during the COVID-19 remote work expansion.
T1068	Exploitation for Privilege Escalation	REvil exploited CVE-2018-8453 (Win32k elevation of privilege vulnerability) directly within its ransomware payload to gain SYSTEM-level privileges, a rare capability among ransomware families. The malware also exploited processor architecture features (Heaven's Gate technique) for cross-architecture code execution.
T1562.001	Impair Defenses: Disable or Modify Tools	Routinely disabled Windows Defender using PowerShell commands (Set-MpPreference -DisableRealtimeMonitoring), disabled script scanning, IO protection, controlled folder access, and network protection. In the Kaseya attack, used a DLL side-loading technique with an older legitimate Microsoft Defender executable (MsMpEng.exe) to execute the encryptor payload with elevated privileges.
T1486	Data Encrypted for Impact	Core ransomware function using a hybrid encryption scheme: Salsa20 symmetric stream cipher for file encryption with elliptic curve (Curve25519) asymmetric cryptography for key exchange. Highly configurable via a JSON configuration block embedded in the binary. Stored runtime keys in a registry key named "BlackLivesMatter." Later versions introduced Safe Mode encryption (-smode flag) to reboot systems into Safe Mode with Networking, bypassing security tools that don't start in Safe Mode.
T1490	Inhibit System Recovery	Deleted Volume Shadow Copies using vssadmin.exe to prevent file recovery. Disabled Windows recovery features. Combined with backup destruction on network-attached storage to maximize encryption impact.
T1048	Exfiltration Over Alternative Protocol	Exfiltrated stolen data prior to encryption as part of double extortion strategy. Used various methods including Cobalt Strike C2 channels, MEGAsync cloud storage, and custom tools. Sent encrypted victim machine telemetry (machine name, OS, workgroup, infection ID, drive info) to C2 servers via HTTPS POST with ECIES encryption.
T1574.002	Hijack Execution Flow: DLL Side-Loading	Used DLL side-loading extensively. In the Kaseya attack, dropped an older version of the legitimate MsMpEng.exe (Microsoft Defender) alongside a malicious mpsvc.dll (the REvil encryptor). The trusted executable loaded the malicious DLL, executing the ransomware with elevated privileges while evading detection. Also injected payload into AhnLab antivirus processes (autoup.exe) when detected on target systems.
T1489	Service Stop	Terminated blacklisted processes and services prior to encryption to eliminate resource conflicts and ensure files were not locked by running applications. Process list was configurable via the "prc" field in the ransomware configuration file.
T1021.001	Remote Services: Remote Desktop Protocol	Used RDP for lateral movement within compromised networks. Affiliates used BITSAdmin to distribute the ransomware binary from domain controllers to all domain-joined systems, then RDP'd into each system to execute the payload. DFIR Report documented a full compromise from IcedID initial access to domain-wide encryption in approximately 4.5 hours.
T1112	Modify Registry	Created registry keys to store runtime configuration data (HKLM\SOFTWARE\WOW6432Node\BlackLivesMatter). Safe Mode encryption variant wrote RunOnce registry keys to ensure ransomware execution after reboot into Safe Mode. Modified Winlogon default password registry entries.

Known Campaigns

REvil conducted hundreds of high-profile attacks during its two-and-a-half-year operational period. The following highlights the campaigns that defined the group's trajectory and ultimately contributed to its dismantlement.

Oracle WebLogic Exploitation & Early Operations APR 2019

REvil's first confirmed deployment exploited CVE-2019-2725 in Oracle WebLogic servers, initially targeting organizations in Asia. In the earliest known sample, both REvil and GandCrab payloads were delivered together, further confirming the operational relationship between the two families. The group rapidly expanded beyond Asia to target entities globally across healthcare, legal services, technology, and government sectors.

WinRAR Italia Supply Chain Compromise JUN 2019

Compromised the WinRAR Italian distribution website (winrar.it) and replaced the legitimate WinRAR installation executable with a trojanized version containing REvil. Users who downloaded WinRAR from the site received the ransomware. On the same day, affiliates breached at least three managed service providers and deployed REvil to their customers' networks. These parallel attacks signaled the group's early focus on supply chain compromise as a force multiplier.

22 Texas Municipalities AUG 2019

Coordinated REvil deployment across 22 local government agencies in Texas through a compromised MSP. The attack demonstrated the devastating potential of targeting a single MSP to simultaneously compromise multiple downstream government organizations.

Travelex / Foreign Exchange Attack DEC 2019 – JAN 2020

Attacked Travelex, one of the world's largest foreign currency exchange companies, on New Year's Eve 2019. The attack crippled Travelex's operations for weeks and disrupted currency exchange services at banks and airports worldwide. Travelex reportedly paid $2.3 million in Bitcoin ransom. The incident forced the company into administration within months.

Grubman Shire Meiselas & Sacks MAY 2020

Breached the high-profile entertainment law firm Grubman Shire Meiselas & Sacks and exfiltrated nearly one terabyte of confidential data including contracts and personal information for celebrity clients. REvil published legal documents related to Lady Gaga and released emails referencing Donald Trump, demanding $42 million in ransom. The attack marked a new escalation in ransomware targeting and media manipulation tactics.

Acer — $50 Million Demand MAR 2021

Exploited Microsoft Exchange Server vulnerabilities to attack Acer, the multinational electronics manufacturer. Demanded $50 million — the largest known ransomware demand at the time — increasing to $100 million if not paid by the deadline. Published financial spreadsheets and other sensitive corporate data on Happy Blog as proof of compromise.

Quanta Computer (Apple Supply Chain) APR 2021

Targeted Quanta Computer, a major Apple supplier, and exfiltrated confidential schematics for upcoming Apple products including unreleased MacBook designs and Apple Watch plans. Timed the data leak to coincide with Apple's Spring Loaded product event for maximum pressure. Demanded $50 million from Quanta and attempted to redirect extortion to Apple directly.

JBS Foods — $11 Million Ransom Paid MAY 2021

Attacked JBS S.A., the world's largest meat processing company, forcing the temporary shutdown of all US beef plants and disrupting poultry and pork operations across the United States, Canada, and Australia. The attack threatened national food supply chains and drew direct White House involvement. JBS ultimately paid $11 million in Bitcoin (originally demanded $22.5 million). The FBI formally attributed the attack to REvil.

Kaseya VSA Supply Chain Attack — $70 Million Demand JUL 2021

REvil's most devastating and final major campaign. Exploited zero-day vulnerabilities (CVE-2021-30116, CVE-2021-30119, CVE-2021-30120) in Kaseya's VSA remote monitoring and management software to push ransomware through MSPs to an estimated 1,500 downstream businesses across 17+ countries. Affected organizations ranged from Swedish supermarket chains to New Zealand kindergartens to Romanian government offices. REvil claimed to have infected over one million systems and demanded a $70 million universal decryptor payment. The attack triggered direct ransomware discussions between President Biden and President Putin and is considered the largest coordinated ransomware attack since WannaCry. Kaseya later obtained a universal decryptor key (reportedly through FBI assistance) and distributed it to victims. The attack was a watershed moment that fundamentally elevated ransomware from a cybersecurity problem to a national security priority.

Tools & Malware

REvil/Sodinokibi Ransomware (MITRE S0496): Highly configurable RaaS payload with Salsa20/Curve25519 hybrid encryption, embedded JSON configuration, CIS/Syria keyboard locale whitelisting, Safe Mode encryption capability (-smode flag), and network share enumeration (-nolan flag to disable). Five major code revisions with frequent minor updates during active period. Supported Windows and later Linux/VMware ESXi environments. Contained built-in privilege escalation via CVE-2018-8453 exploitation.
GandCrab (predecessor): RaaS predecessor operated by GOLD GARDEN (2018-2019). Claimed $2 billion in earnings before "retirement." Shared string decoding functions, URL structures, C2 patterns, and affiliate crossover with REvil. Many GandCrab affiliates migrated directly to REvil.
Happy Blog: Tor-based data leak site launched February 2020 for publishing stolen victim data as part of double extortion. Used for victim shaming, deadline pressure, and media manipulation. Included staged data releases and auction functionality for stolen data.
Cobalt Strike: Used extensively by affiliates for post-exploitation, lateral movement, and C2 communications. Beacons deployed within compromised networks for persistent access and data exfiltration prior to ransomware deployment.
IcedID / QakBot / Bumblebee: Initial access malware families used by REvil affiliates as first-stage loaders. IcedID trojan (first observed 2017) was a common delivery vehicle, typically distributed through malicious spam with macro-enabled documents or executables disguised as image files.
KPOT Stealer: Credential-stealing malware whose source code UNKN acquired in an auction. Used to harvest credentials from compromised environments to facilitate lateral movement and data exfiltration.
BITSAdmin: Legitimate Windows utility abused to distribute ransomware binaries from domain controllers to all domain-joined systems during deployment phase. Used Background Intelligent Transfer Service for file transfers.
certutil.exe: Windows certificate utility abused to decode base64-encoded payloads. In the Kaseya attack, certutil decoded an agent.crt file containing the ransomware payload dropped by the compromised VSA update mechanism.

Indicators of Compromise

REvil's infrastructure is defunct and these IOCs are provided for historical reference and retrospective threat hunting. Because REvil operated as a RaaS with diverse affiliates, IOCs varied significantly across campaigns.

behavioral indicators

registry HKLM\SOFTWARE\WOW6432Node\BlackLivesMatter — Runtime encryption keys and configuration storage

registry HKLM\...\Winlogon\DefaultPassword = "DTrump4ever" — Safe Mode auto-login credential (Kaseya variant)

technique vssadmin.exe delete shadows /all /quiet — Shadow copy deletion prior to encryption

technique PowerShell Set-MpPreference -DisableRealtimeMonitoring $true — Defender disablement

technique DLL side-loading via legitimate MsMpEng.exe loading malicious mpsvc.dll (Kaseya variant)

technique Safe Mode reboot with RunOnce registry persistence (-smode flag), requires login after reboot to trigger encryption

technique Keyboard locale check for CIS countries (GetKeyboardLayoutList) — whitelists Russian and allied keyboards to prevent local encryption

file indicators (kaseya variant)

sha256 d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

sha256 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

sha256 e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2

certificate Signed with "PB03 TRANSPORT LTD" code signing certificate

mutex "BlackLivesMatter" — Mutex used across REvil variants since January 2019

exploited vulnerabilities

cve CVE-2019-2725 — Oracle WebLogic Server RCE (CVSS 9.8) — REvil's first known exploitation vector

cve CVE-2018-8453 — Windows Win32k privilege escalation — embedded directly in ransomware payload

cve CVE-2019-11510 — Pulse Connect Secure VPN arbitrary file read — used for initial access during COVID-era remote work expansion

cve CVE-2019-19781 — Citrix ADC/Gateway directory traversal — exploited for enterprise network access

cve CVE-2020-0609 / CVE-2020-0610 — Windows Remote Desktop Gateway (BlueGate) RCE

cve CVE-2021-30116 — Kaseya VSA credential leak and business logic flaw (zero-day, CVSS 9.8)

cve CVE-2021-30119 — Kaseya VSA cross-site scripting

cve CVE-2021-30120 — Kaseya VSA two-factor authentication bypass

Mitigation & Defense

While REvil is defunct, the tactics it pioneered continue to be employed by successor groups including BlackCat/ALPHV, BlackMatter, and other RaaS operations. The following defensive measures address the techniques REvil used and remain critical against the current ransomware landscape.

Implement robust backup strategy (3-2-1): Maintain at least three copies of critical data on two different media types with one copy stored offline and air-gapped. Regularly verify backup integrity and test restoration procedures. REvil specifically targeted and destroyed backups during its operations, making offline copies essential for recovery without paying ransom.
Patch internet-facing systems aggressively: REvil's affiliate model meant its operators were constantly scanning for unpatched VPNs, remote access gateways, and web applications. Prioritize patching for edge devices including Pulse Secure, Citrix, Microsoft Exchange, and remote management platforms. Implement a vulnerability management program with SLAs for critical and high-severity internet-facing vulnerabilities.
Secure Remote Desktop Protocol: Disable RDP if not operationally required. If required, restrict access to VPN-only connections, enforce network-level authentication, implement account lockout policies, and monitor for brute-force attempts. RDP credential brute-forcing was one of REvil's most common initial access vectors.
Deploy Endpoint Detection and Response (EDR): REvil's Safe Mode encryption technique was specifically designed to bypass security tools that don't operate in Safe Mode. Ensure EDR solutions protect systems even during Safe Mode boot. Monitor for unexpected system reboots, RunOnce registry modifications, and BITSAdmin file transfers.
Monitor for defense evasion: Detect PowerShell commands that disable Windows Defender (Set-MpPreference), DLL side-loading attempts using legitimate executables, and abuse of certutil.exe for payload decoding. Alert on vssadmin.exe shadow copy deletion and unexpected service terminations.
Harden MSP and supply chain relationships: The Kaseya attack demonstrated that a single MSP compromise can cascade to thousands of downstream victims. Audit MSP access controls, limit remote management tool privileges to the minimum necessary, implement network segmentation between MSP management planes and production environments, and require MFA for all remote administration.
Implement network segmentation and zero trust: REvil affiliates relied on lateral movement from initial access points to domain controllers for enterprise-wide encryption. Segment networks to contain breaches, restrict lateral movement, implement least-privilege access, and monitor for unusual authentication patterns.
Maintain incident response readiness: The DFIR Report documented a complete REvil compromise from initial IcedID infection to domain-wide encryption in 4.5 hours. Organizations need incident response plans that can detect, contain, and respond within that timeframe. Conduct tabletop exercises specifically simulating ransomware scenarios.

Legacy & Successor Groups

REvil's influence on the ransomware ecosystem extends far beyond its operational period. The group's code, tactics, and even personnel continued to shape the threat landscape after its dismantlement:

DarkSide: Used code that closely resembled REvil's, including identical CIS whitelisting logic and similarly structured ransom notes. Responsible for the Colonial Pipeline attack (May 2021). Rebranded as BlackMatter after attracting excessive law enforcement attention.
BlackMatter: Emerged as a rebrand of DarkSide, incorporating lessons from both DarkSide and REvil's operational failures. Operated briefly before also being shut down.
BlackCat/ALPHV: Widely assessed to include former REvil and BlackMatter affiliates. The 2022 REvil "revival" (new samples appeared with a Happy Blog resurrection and new infrastructure) bore similarities to BlackCat's ransom notes, suggesting personnel overlap. ALPHV became one of the dominant ransomware operations of 2023-2024 before its own disruption.
RaaS Model Proliferation: REvil's success with the affiliate model, double extortion, dedicated leak sites, victim negotiation portals, and media manipulation directly influenced the operational model adopted by virtually every subsequent major ransomware group.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile