REvil Ransomware

REvil was a ransomware-as-a-service (RaaS) operation that affected a number of larger corporations and famous individuals. Read this article to learn more about REvil ransomware, who was behind it, and how you can prevent and mitigate similar cyber attacks.

What Is REvil Ransomware?

REvil was a Russia-based RaaS operation that likely formed in 2019 and operated through affiliates to distribute malware. After infecting a system, the ransomware encrypted files, and attackers threatened to publish stolen data on their page called Happy Blog unless they received a ransom payment.

REvil's code and ransom note resemble those used by DarkSide, a hacking group based in Eastern Europe. REvil also formed after the shutdown of another RaaS operation, GandCrab, and researchers have been able to establish some links between the two.

The ransomware's name, REvil, is a combination of 'ransomware' and 'evil'; the ransomware is also known as Sodinokibi. REvil first formed in 2019 and was dissolved by international forces in 2021 and by Russian officials in January 2022. Some security experts believe that an April 2022 leak site is connected to a new instance of REvil, but nothing has been confirmed.

What Group of Attackers Was Behind REvil Ransomware Attacks?

Researchers and security firms believe that Gold Southfield, a group of cybercriminals motivated by financial gains, was behind the REvil ransomware. REvil first started to appear in April 2019 when Gold Southfield received the GandCrab source code from Gold Garden, another hacking group behind the GandCrab ransomware.

What Was the Impact of REvil Ransomware?

REvil ransomware targeted companies and individuals alike, stealing their private information and threatening to publicly post it on the attacker’s site. Former U.S. President Donald Trump, Lady Gaga, and Madonna are some of the most notable individual victims of REvil ransomware. 

Affected companies include:

  • Harris Federation
  • Acer, which paid a $50 million ransom
  • Quanta Computer, which paid a $50 million ransom
  • Invenergy
  • JBS, which paid an $11 million ransom
  • Kaseya, which paid a $70 million ransom
  • HX5

How Does REvil Ransomware Work?

REvil ransomware spread mostly through server exploits and phishing. As an example, REvil ransomware attackers used the Kaseya VSA server platform (see Kaseya ransomware attack) to drop their ransomware to hundreds of the company's managed service providers (MSPs).

After getting into a targeted system, REvil was able to download a .zip file containing ransom code, encrypt files, and append a random extension to them. Although the compromised system remained operational, all vital information stored on the system was no longer available.

After encryption, the newly installed malware communicated with victims through a C2 server, which the attackers used to communicate with compromised systems and to provide a key.
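
The section above notes that REvil encrypted files and appended a random extension to them. As a defensive illustration, the following added example (not part of the original article and not taken from any vendor tool) flags a burst of renames that append the same unfamiliar extension to files of several types; the event format, thresholds, benign-suffix list, and sample data are assumptions constructed for the example.

```python
import os
from collections import defaultdict

# Assumed thresholds for this sketch; tune them against your own baseline.
WINDOW_SECONDS, MIN_FILES, MIN_ORIGINAL_TYPES = 60, 5, 3
KNOWN_EXTENSIONS = {".bak", ".tmp", ".old", ".gz", ".zip"}  # benign suffixes (assumed)

def appended_extension(old_path, new_path):
    """Return the suffix added by a rename like a.docx -> a.docx.x7k2q, else None."""
    if not new_path.startswith(old_path + "."):
        return None
    suffix = new_path[len(old_path):]
    return None if "/" in suffix or "\\" in suffix else suffix.lower()

def find_extension_bursts(events):
    """events: (epoch_seconds, old_path, new_path) renames -> {extension: paths hit}."""
    by_ext = defaultdict(list)
    for ts, old, new in events:
        ext = appended_extension(old, new)
        if ext and ext not in KNOWN_EXTENSIONS:
            by_ext[ext].append((ts, old))
    alerts = {}
    for ext, hits in by_ext.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window so it spans at most WINDOW_SECONDS.
            while hits[end][0] - hits[start][0] > WINDOW_SECONDS:
                start += 1
            window = hits[start:end + 1]
            types = {os.path.splitext(path)[1].lower() for _, path in window}
            if len(window) >= MIN_FILES and len(types) >= MIN_ORIGINAL_TYPES:
                alerts[ext] = sorted(path for _, path in hits)
                break
    return alerts

# Constructed sample rename events (not real telemetry).
SAMPLE_EVENTS = [
    (1000, "/srv/share/q1.xlsx", "/srv/share/q1.xlsx.x7k2q"),
    (1002, "/srv/share/plan.docx", "/srv/share/plan.docx.x7k2q"),
    (1003, "/srv/share/logo.png", "/srv/share/logo.png.x7k2q"),
    (1005, "/srv/share/db.sql", "/srv/share/db.sql.x7k2q"),
    (1007, "/srv/share/notes.txt", "/srv/share/notes.txt.x7k2q"),
    (1010, "/srv/share/app.conf", "/srv/share/app.conf.bak"),  # routine backup
    (5000, "/srv/share/old.log", "/srv/share/old.log.1"),  # log rotation
]

if __name__ == "__main__":
    for ext, paths in find_extension_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {len(paths)} files gained {ext!r}: {paths}")
```

Requiring several distinct original file types in the window is what separates this pattern from routine backups or log rotation, which touch one kind of file at a time.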

What Specific Steps Should Users Take to Prevent REvil-like Attacks?

Here are some security measures that users can follow to prevent ransomware attacks like REvil:

Many specialized security tools can be used to detect, stop, and mitigate ransomware attacks. Learn about some of the Best Ransomware Protection here.

Siji Roy
Siji Roy specializes in technology, finance, and content marketing. She helps organizations to communicate with their target audience. She received her Master’s degree in Communication and Journalism from the University of Calicut, India. She is fortunate to be married to a lovely person and blessed with three naughty boys.