
REvil Ransomware

Siji Roy
Last Updated June 23, 2022 2:35 am

REvil was a ransomware-as-a-service (RaaS) operation whose attacks affected a number of large corporations and well-known individuals. Read this article to learn more about REvil ransomware, who was behind it, and how you can prevent and mitigate similar cyber attacks.

What Is REvil Ransomware?

REvil was a Russia-based RaaS operation that likely formed in 2019 and distributed its malware through affiliates. After infecting a system, the ransomware encrypted files, and the attackers threatened to publish stolen data on their leak site, called Happy Blog, unless they received a ransom payment.

REvil ransomware resembles the code and ransom note used by DarkSide, a hacking group based in Eastern Europe. It was also formed after the shutdown of another RaaS operation, GandCrab, and researchers have established some links between the two.

The name REvil combines ‘ransomware’ and ‘evil’; the ransomware is also known as Sodinokibi. REvil first appeared in 2019 and was dissolved by international forces in 2021 and by Russian officials in January 2022. Some security experts believe that a leak site that appeared in April 2022 is connected to a new instance of REvil, but nothing has been confirmed.

What Group of Attackers Was Behind REvil Ransomware Attacks?

Researchers and security firms believe that Gold Southfield, a financially motivated cybercriminal group, was behind REvil ransomware. REvil first appeared in April 2019, after Gold Southfield received the GandCrab source code from Gold Garden, the hacking group behind the GandCrab ransomware.

What Was the Impact of REvil Ransomware?

REvil ransomware targeted companies and individuals alike, stealing their private information and threatening to publish it on the attackers’ site. Former U.S. President Donald Trump, Lady Gaga, and Madonna are some of the most notable individual victims of REvil ransomware.

Affected companies include:

  • Harris Federation
  • Acer, which paid a $50 million ransom
  • Quanta Computer, which paid a $50 million ransom
  • Invenergy
  • JBS, which paid an $11 million ransom
  • Kaseya, which paid a $70 million ransom
  • HX5

How Does REvil Ransomware Work?

REvil ransomware spread mostly through server exploits and phishing. For example, REvil attackers used the Kaseya VSA server platform (see Kaseya ransomware attack) to push the ransomware to hundreds of the company’s managed service provider (MSP) customers.

Once inside a targeted system, REvil downloaded a .zip file containing the ransomware code, encrypted files, and appended a random extension to their names. Although the compromised system remained operational, all vital information stored on it was no longer available.

After encryption, the newly installed malware communicates with a command-and-control (C2) server, which the attackers use to manage compromised systems and to supply the key.
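As an added illustration (not from the original article or from any REvil analysis), the following heuristic detector looks for the behaviour described above: many files being renamed with a single newly generated extension in a short time, which is one of the few signals a defender can watch for before the ransom note appears. It runs over constructed sample file-rename events; the process names, paths and the extension `.7a2k9f` are invented, and the threshold and time window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Extensions this host is expected to write; anything else is treated as unknown.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".tmp", ".bak"}

# Constructed sample file events (not real telemetry): time|process|op|old_path|new_path
SAMPLE_EVENTS = """\
2021-07-02T14:05:01|winword.exe|rename|/srv/docs/a.tmp|/srv/docs/report.docx
2021-07-02T14:05:03|agent.exe|rename|/srv/docs/q1.xlsx|/srv/docs/q1.xlsx.7a2k9f
2021-07-02T14:05:03|agent.exe|rename|/srv/docs/q2.xlsx|/srv/docs/q2.xlsx.7a2k9f
2021-07-02T14:05:04|agent.exe|rename|/srv/docs/plan.pdf|/srv/docs/plan.pdf.7a2k9f
2021-07-02T14:05:04|agent.exe|rename|/srv/docs/notes.txt|/srv/docs/notes.txt.7a2k9f
2021-07-02T14:05:05|agent.exe|rename|/srv/docs/logo.png|/srv/docs/logo.png.7a2k9f
2021-07-02T14:09:30|backup.exe|rename|/srv/bk/db.sql|/srv/bk/db.sql.bak
"""

def parse_events(text):
    """Parse pipe-delimited records into (timestamp, process, new_path) for renames."""
    events = []
    for line in text.strip().splitlines():
        ts, proc, op, _old, new = line.split("|")
        if op == "rename":
            events.append((datetime.fromisoformat(ts), proc, new))
    return events

def detect_mass_rename(events, threshold=5, window=timedelta(seconds=60)):
    """Return [(process, ext, count)] for each process that gave >= threshold files the same unknown ext within window."""
    by_key = defaultdict(list)
    for ts, proc, new_path in events:
        ext = PurePosixPath(new_path).suffix.lower()
        if ext and ext not in KNOWN_EXTENSIONS:
            by_key[(proc, ext)].append(ts)
    findings = []
    for (proc, ext), times in sorted(by_key.items()):
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append((proc, ext, end - start + 1))
                break
    return findings

if __name__ == "__main__":
    for proc, ext, n in detect_mass_rename(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {proc} renamed {n} files to {ext!r} within one minute")
```

Legitimate tools (here `winword.exe` and `backup.exe`) stay below the threshold or write known extensions, so only the burst of renames to the unknown extension is flagged.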

What Specific Steps Should Users Take to Prevent REvil-like Attacks?

Here are some security measures that users can follow to prevent ransomware attacks like REvil:

Many specialized security tools can detect, stop, and mitigate ransomware attacks. Learn about some of the Best Ransomware Protection tools here.