Cyber Threat Actor: REvil
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
73 incidents |
|---|
Profile
REvil, also known as Sodinokibi, is a ransomware‑as‑a‑service operation that has been observed operating from Russia. The group uses the aliases REvil and Sodinokibi in its communications and leak sites, and it has been linked to a series of high‑profile extortion incidents across multiple industries and geographic regions. Its victims have included healthcare providers such as Grupo Fleury in Brazil and Fujifilm in Japan, telecommunications firms like MasMovil in Spain and UK VoIP operators, manufacturers including Acer in Taiwan and Asteelflash in France, retail chains such as Dairy Farm in Asia, marketing agencies in Hong Kong, legal and financial entities, and government services in Fiji. The primary objective observed in these incidents is financial gain through ransom demands, often accompanied by threats to leak or auction stolen data if payment is not made.
The group’s typical tactics involve gaining initial access via phishing emails with malicious attachments, exploiting vulnerabilities in managed service provider platforms such as Kaseya VSA, or leveraging compromised third‑party services to deploy ransomware. Once inside a network, REvil actors frequently exfiltrate sensitive data before encrypting files, a double‑extortion approach that is advertised on their Tor‑based leak site. The ransomware payload is delivered through signed executables that extract components like MsMpEng.exe and mpsvc.dll, employs PowerShell scripts to disable security defenses, and modifies registry keys to maintain persistence. Ransom payments are demanded in Bitcoin, with amounts ranging from hundreds of thousands to tens of millions of dollars, and the group has experimented with auction platforms for stolen data, as seen in the Agromart case. Distributed denial‑of‑service attacks coupled with ransom notes have also been used against VoIP providers in the United Kingdom.
Notable campaigns attributed to REvil include the July 2021 supply‑chain attack on Kaseya’s VSA platform that affected over 1,000 businesses worldwide, the ransomware incident against meat processor JBS that yielded a multi‑million dollar payment, and the claimed breach of electronics manufacturer Quanta, a supplier to Apple. The group has also asserted responsibility for intrusions into Midea Group, the Agromart agricultural supplier, the Spanish telecom MasMovil, the Brazilian court system in Rio Grande do Sul, and the UK hospital group Transform Hospital. Additional publicly reported operations involve the encryption of devices at Pierre Fabre, Asteelflash, Dairy Farm, Pan‑American Life Insurance, and the Fiji government’s online services, as well as data theft incidents at Arnoff Moving & Storage and Betenbough Homes.
Attribution assessments place the group’s operational base in Russia, a conclusion supported by law‑enforcement actions such as the FSB’s detention of fourteen individuals and seizure of assets linked to REvil. The organization functions as a ransomware‑as‑a‑service platform where affiliates or customers of the core developers conduct the intrusions, though no public evidence confirms direct state sponsorship. The combination of financially motivated extortion, data‑leak threats, and varied intrusion vectors defines REvil’s observed activity across the threat landscape.
