Cyber Threat Actor: REvil
| Actor Type | Location | Known Incidents |
Criminal
|
Argentina
|
2 incidents |
|---|
Profile
REvil, also known as Sodinokibi and Pinchy Spider, is a ransomware threat actor that has been observed operating from Argentina according to publicly available sources. The group is recognized for deploying ransomware that encrypts victim data and demands payment, typically in cryptocurrency, for the decryption key. Its activity has been linked to multiple high‑profile incidents affecting organizations in Latin America and beyond. The actor’s name appears in various cybersecurity reports and threat intelligence feeds as a prominent ransomware-as-a-service operation.
The actor’s targeting, as evidenced by the reported incidents, includes the healthcare sector and the energy sector. In August 2023, the Argentine health insurer PAMI experienced a ransomware attack that disrupted prescription issuance while other services continued. In June 2020, a Brazilian electrical energy company was compromised by the same ransomware strain, which demanded a $14 million payment in Monero. These cases show a focus on entities where service interruption can exert pressure on victims to meet ransom demands, indicating a financially motivated objective rather than espionage or pure disruption. The attacks resulted in operational disruption as a side effect of the ransomware encryption process.
Technical details from the Brazilian incident reveal that the threat actor exploited the known Windows vulnerability CVE‑2018‑8453 to gain initial access. The ransomware payload was delivered as a packed malware binary, a technique used to hinder analysis and detection. The group employed geographic whitelisting within the ransomware code to avoid infecting systems in certain locations. Decryption of the encrypted files depended exclusively on the threat actor’s private key, and victims were provided with a support chat function to negotiate payment and receive instructions. No other initial access vectors or tooling specifics are described in the PAMI case are specified in the available sources.
Public attribution of REvil to a state sponsor or a specific criminal consortium has not been established in the referenced material; the actor is treated as a financially driven criminal group. The two highlighted operations—the PAMI ransomware event and the Brazilian energy company compromise—represent notable campaigns that illustrate the actor’s ransomware delivery, extortion tactics, and impact on critical services. These examples demonstrate the group’s reliance on known vulnerabilities, customized malware, and cryptocurrency‑based extortion to achieve its financial goals.
