top of page
  • FYEO

Ransomware Group Deep Dive: REvil


The notorious REvil ransomware group once struck terror into the hearts of businesses of all sizes and industries. According to IBM, REvil was responsible for 1 in 3 ransomware attacks during 2020.


Although multiple arrests have been made and the group has officially been broken up, REvil attacks on companies have continued. So what can organizations do to protect themselves against REvil ransomware?


This article will discuss everything you need to know about the REvil ransomware gang. This includes what the REvil ransomware group is, who they’ve attacked, how REvil ransomware works, and more.


What Is the REvil Ransomware Group?

REvil (short for “Ransomware Evil,” also known as “Sodinokibi”) is a ransomware group that first surfaced in April 2019. Since its inception, the REvil ransomware group has quickly become one of the most dangerous and infamous ransomware gangs.


The gang is believed to be linked to a defunct ransomware operation called GandCrab. Security analysts have detected multiple similarities between the REvil and Gandcrab ransomware variants. REvil also has suspected affiliations with the DarkSide ransomware group.


Below are just a few of the high-profile targets of REvil ransomware:

  • January 2020: The foreign exchange company Travelex announced that it had been hit by a REvil ransomware attack, temporarily shutting down its operations. Travelex ultimately paid a $2.3 million ransom to restore access.

  • April 2021: REvil hacked the Apple supplier Quanta Computer, demanding a $50 million ransom. The gang also stole several blueprints of future Apple products, attempting to extort Apple to prevent them from leaking.

  • July 2021: REvil hackers took advantage of a vulnerability in the Kaseya VSA software for remote network management, allowing them to spread ransomware to hundreds of businesses. Affected companies reportedly included the Norwegian financial software developer Visma.

In January 2022, Russian authorities reported that they had arrested several members of REvil, dismantling the group’s operations and seizing more than $7 million in cash and cryptocurrency. The Ukrainian national Yaroslav Vasinskyi was later extradited to the United States for his role in the Kaseya ransomware attack.


However, the REvil ransomware group may not be finished. In April, the Indian petroleum and natural gas company Oil India reported that it had been the victim of a REvil ransomware attack. Security analysts have revealed that the new strain of REvil ransomware has links to the original source code, suggesting that one of the group’s developers is likely involved in its resurgence.


How Does REvil Ransomware Work?

The first observed variants of REvil ransomware used a vulnerability in the Oracle WebLogic Server to propagate themselves. However, like many other ransomware gangs, REvil uses a “ransomware as a service” (RaaS) business model. This means that third-party cybercriminal groups can also launch attacks using REvil, simply by paying fees to the original developers.


As such, REvil ransomware may be spread using a variety of attack vectors, depending on the hackers’ preferences. These methods include phishing emails, software vulnerabilities, and compromised sessions of Remote Desktop Protocol (RDP).


Upon infiltrating the network, REvil moves to cloak its activities while surveilling its surroundings. The ransomware seeks to make it impossible for users to recover their data without paying the ransom. First, it kills processes that might store important files in memory, such as database servers, Microsoft Office, browsers, and email clients. REvil also deletes Windows shadow copies and other backups.


Unlike many other ransomware strains, REvil uses encryption algorithms such as Salsa20 and elliptic-curve Diffie-Hellman. Not only are these algorithms highly efficient, but they are also extremely difficult to impossible to crack.


Once the data is encrypted, REvil hackers use a “double extortion” method. Victims are incentivized to pay the ransom to regain access to their data and prevent it from being leaked on the Dark Web. Security analysts have even reported that REvil sometimes extorts its victims multiple times, contacting them again weeks later for an additional ransom.


How to Protect Yourself From REvil Ransomware

Although the REvil ransomware group has officially disbanded, there are worrying signs that the gang is making a recovery. Technology companies such as Bitdefender have released decryption keys for REvil ransomware attacks before July 2021. However, the most recent REvil attacks seem to use a different ransomware strain, making it doubtful that these tools will work for future incidents.


Regardless, the best way to protect against REvil ransomware is to prevent it from entering the network in the first place. Businesses should follow the simple yet effective best practices below:

  • Teaching users to identify and flag suspected phishing emails.

  • Monitoring critical network endpoints for suspicious behavior.

  • Keeping up-to-date with antivirus and antimalware tools.

  • Applying software updates regularly and patching security flaws.

  • Creating data backups and storing them in a separate environment.


What You Need to Know about the REvil Ransomware Group

Here’s what you need to know about the REvil ransomware group:

  • The REvil ransomware gang first appeared in 2019 and rose to prominence in 2020, with several group members arrested in early 2022.

  • REvil is responsible for high-profile attacks on targets such as Kaseya VSA, Travelex, and Quanta Computer.

  • Although the group is ostensibly disbanded, companies continue to report REvil ransomware incidents, highlighting the importance of keeping vigilant.

REvil and other ransomware gangs maintain a presence on the Dark Web, listing their recent attacks and threatening to publish victims’ sensitive data if they refuse to pay. That’s exactly why it’s so crucial for businesses to perform Dark Web threat monitoring, keeping tabs on the activities of ransomware groups.


FYEO’s threat intelligence software handles all these concerns for you out of the box. Our database of more than 23 billion leaked credentials, one of the largest in the world, helps alert users when their confidential information is leaked on the Dark Web. Want to find out more? Get in touch with us today to request a demo of FYEO Domain Intelligence.

bottom of page