REvil

Malware updated 9 days ago (2024-10-15T10:02:44.132Z)
REvil is a notorious malware, specifically a type of ransomware, that gained prominence in the cybercrime world as part of the Ransomware-as-a-Service (RaaS) model. This model became increasingly popular in 2020, establishing relationships between first-stage malware and subsequent ransomware attacks, such as Dridex malware leading to BitPaymer ransomware or Gootkit malware leading to REvil ransomware. REvil's authors were known for their unique approach of attaching a countdown to their ransom demand. Despite announcing the cessation of its RaaS operation, GOLD SOUTHFIELD (REvil) did not explicitly state that it would stop deploying ransomware.

The group behind REvil has been linked to several significant cybercrime activities; security researchers have found evidence of its involvement in deploying both REvil and DarkSide ransomware. In a major development, the US Justice Department led a successful disruption campaign against the REvil group, resulting in a 13-year prison sentence for a key member in May 2024. The individual had been arrested in October 2021 and was also ordered to pay $16 million. International efforts have also been made to combat the threats posed by REvil: earlier this year, the United States, Australia, and the United Kingdom sanctioned Aleksandr Gennadievich Ermakov, a Russian man believed to be linked with the now-defunct Russian cyber-extortion gang REvil. In one notable case, REvil demanded a staggering $21 million from New York's Grubman Shire Meiselas & Sacks in 2020. Despite these actions, REvil remains a significant threat in the realm of cybercrime, underscoring the ongoing need for robust cybersecurity measures.
Description last updated: 2024-10-15T09:26:09.506Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias (votes): description

Sodinokibi (10 votes): Sodinokibi, also known as REvil, is a significant threat actor first identified in April 2019. This ransomware family operates as a Ransomware-as-a-Service (RaaS) and has been responsible for one in three ransomware incidents responded to by IBM Security X-Force in 2020. The Sodinokibi ransomware st…

Gandcrab (7 votes): GandCrab, a threat actor, is known for its malicious activities involving ransomware attacks. Originating from Russian origins and evolving from Team Truniger, a former GandCrab affiliate, the group has been linked to numerous ransomware variants including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REv…

Maze (3 votes): Maze is a form of malicious software, or malware, that pioneered a novel double-extortion tactic in the cyber threat landscape. Its modus operandi involves stealing victims' files before encrypting them, thereby enabling the threat actors to threaten both the disruption of operations and the release…

QakBot (3 votes): Qakbot is a potent piece of malware, or malicious software, that infiltrates computer systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operations, or even hold data hostage for ransom. This malware, built by various groups includin…

GOLD SOUTHFIELD (3 votes): Gold Southfield is a threat actor group known for its malicious cyber activities. Secureworks® Counter Threat Unit™ (CTU) researchers have found significant overlaps in the code structure of LV ransomware and REvil, a ransomware operated by Gold Southfield. This suggests that Gold Southfield may hav…

Akira (2 votes): Akira is a prominent form of malware, specifically a ransomware that has been causing significant disruptions since its emergence. It has been reported that Akira ransomware affiliates have compromised SSLVPN accounts on SonicWall devices as an initial access vector for their attacks. This comes aft…

Qbot (2 votes): Qbot, also known as Qakbot or Pinkslipbot, is a modular information stealer malware that first emerged in 2007 as a banking trojan. Its evolution has seen it become an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The fi…

Sodin (2 votes): Sodin, also known as Sodinokibi or REvil, is a sophisticated threat actor that emerged in the first half of 2019. This entity quickly drew attention due to its unique methods of distribution and attack. It exploited an Oracle Weblogic vulnerability to distribute itself and targeted Managed Service P…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Malware
RaaS
Encrypt
Vulnerability
Cybercrime
Linux
Locker
Windows
Exploit
ESXi
Botnet
Cobalt Strike
Clop
Extortion
DDoS
Russian
Encryption
Trojan
Exploitation
Bitcoin
Russia
APT
Zero Day
Loader
Phishing
Analyst Notes & Discussion
Associated Malware
Alias (association type; votes): description

Conti (Unspecified; 9 votes): Conti is a notorious type of malware, specifically ransomware, that infiltrates computer systems to steal data and disrupt operations. The malicious software often spreads through suspicious downloads, emails, or websites, and once inside, it can hold data hostage for ransom. The Conti ransomware op…

Lockbit (Unspecified; 9 votes): LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It typically enters through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for…

Black Basta (Unspecified; 6 votes): Black Basta is a notorious malware and ransomware group known for its high-profile attacks on various sectors. The group, also known as Storm-0506, has been active since at least early 2022 and has accumulated over $107 million in Bitcoin ransom payments. It deploys malicious software to exploit vul…

Babuk (Unspecified; 6 votes): Babuk is a form of malware, specifically ransomware, that infiltrates computer systems and encrypts files, rendering them inaccessible to the user. It typically infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operatio…

Hive (Unspecified; 5 votes): Hive is a form of malware, specifically ransomware, that infiltrates computer systems to exploit and damage them. It gained notoriety when it was used by the cybercriminal group Volt Typhoon to exfiltrate NTDS.dit and SYSTEM registry hive data, allowing them to crack passwords offline. This malware…

Avaddon (Unspecified; 4 votes): Avaddon is a type of malware, specifically ransomware, designed to exploit and damage computer systems. It was notable for its compatibility with older systems such as Windows XP and Windows 2003, distinguishing it from other ransomware like Darkside and Babuk which targeted more modern systems like…

Conti, Lockbit (Unspecified; 4 votes): no description recorded.

MegaCortex (Unspecified; 4 votes): MegaCortex is a type of malware known for its harmful effects on computer systems and devices. It was identified by Dragos, a cybersecurity firm, as having a relationship with another ransomware called EKANS. Both MegaCortex and EKANS have specific characteristics that pose unique risks to industria…

HELLOKITTY (Unspecified; 3 votes): HelloKitty is a malicious software (malware) that has been designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold dat…

Ryuk (Unspecified; 3 votes): Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves…

Gootloader (Unspecified; 2 votes): Gootloader is a malicious software (malware) that continues to pose a significant threat, as it remains active and efficient in its operations. This malware infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Gootloader can steal personal in…

Netwalker (Unspecified; 2 votes): NetWalker is a highly profitable ransomware kit, known for its ability to disable antivirus software on Windows 10 systems and encrypt files, adding a random extension to the encrypted ones. Once executed, it disrupts operations and can even hold data hostage for ransom. It has been observed that Ne…

Egregor (Unspecified; 2 votes): Egregor is a malicious software variant of the Sekhmet ransomware that operates on a Ransomware-as-a-Service (RaaS) model. It is speculated to be associated with former Maze affiliates, and is notorious for its double extortion tactics, which involve not only encrypting the victim's data but also pu…

Emotet (Unspecified; 2 votes): Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, …

Formbook (Unspecified; 2 votes): Formbook is a type of malware, malicious software designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Formbook has been linked with other forms o…

WannaCry (Unspecified; 2 votes): WannaCry is a type of malware, specifically ransomware, that had one of the most significant impacts in recent cyber history. It first appeared in May 2017 and was known as the largest ransomware attack at the time. The malicious software exploited vulnerabilities in Windows systems (CVE-2017-0144, …

Abyss Locker (Unspecified; 2 votes): Abyss Locker is a formidable strain of malware, specifically ransomware, that has been observed targeting both Microsoft Windows and Linux platforms. This malicious software operates by infiltrating systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside…

Pysa (Unspecified; 2 votes): Pysa is a type of ransomware, a malicious software designed to exploit and damage computer systems by encrypting data and demanding ransom for its decryption. The Pysa ransomware group, known for its organizational hierarchy that includes senior executives, system admins, developers, recruiters, HR, …

Lv Ransomware (Unspecified; 2 votes): LV Ransomware is a type of malicious software designed to exploit and damage computer systems, often infiltrating systems through suspicious downloads, emails, or websites. This ransomware variant, also known as ".0nzo8yk Virus," was first identified in the wild in June 2020 and is a modified versio…

Blackbasta (Unspecified; 2 votes): BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relation…

Trigona (Unspecified; 2 votes): Trigona was a significant strain of ransomware that emerged in 2022, known for its harmful effects on computer systems. The malware infiltrated systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it could steal personal information, disrupt ope…

AvosLocker (Unspecified; 2 votes): AvosLocker is a type of malware, specifically ransomware, known for its malicious intent to exploit and damage computer systems. This software often infiltrates systems undetected through suspicious downloads, emails, or websites, subsequently causing disruption in operations, theft of personal info…
Associated Threat Actors
Alias (association type; votes): description

DarkSide (is related to; 9 votes): DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply across…

Blackmatter (Unspecified; 7 votes): BlackMatter is a recognized threat actor in the cybersecurity industry, notorious for its malicious activities and the execution of ransomware attacks. The group initially operated as DarkSide, responsible for the high-profile Colonial Pipeline attack in May 2021, which led to significant attention…

Alphv (is related to; 7 votes): AlphV, also known as BlackCat, is a notorious threat actor that has been active since November 2021. This group pioneered the public leaks business model and has been associated with various ransomware families, including Akira, LockBit, Play, and Basta. AlphV gained significant attention for its la…

KillNet (Unspecified; 3 votes): Killnet, a threat actor group with strong affiliations to Russia, has been implicated in a series of high-profile cyberattacks. The group's activities have been linked to Russia's geopolitical objectives and have been particularly active following Russia's ban from the 2022 FIFA World Cup due to its…

Vice Society (Unspecified; 3 votes): Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of Zeppe…

FIN7 (Unspecified; 3 votes): FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global…

Bassterlord (Unspecified; 2 votes): Bassterlord, a known threat actor and affiliate of the LockBit group, has been associated with multiple malicious cyber activities since August 2021. Operating under the alias "Bassterlord," Ivan Kondratyev allegedly deployed LockBit ransomware against private and municipal entities in New York, Ore…

Sangria Tempest (Unspecified; 2 votes): Sangria Tempest, also known as Carbon Spider, Elbrus, and FIN7, is a threat actor that has been active since 2013. In mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113's EugenLoader delivered through malicious MSIX package installations. The group frequently targets the restaura…
Source Document References
Information about the REvil Malware was read from the documents corpus below. This display is limited to 20 results.

Source (created):
BankInfoSecurity (20 days ago)
BankInfoSecurity (21 days ago)
Securelist (2 months ago)
BankInfoSecurity (2 months ago)
Securityaffairs (2 months ago)
Securityaffairs (3 months ago)
DARKReading (3 months ago)
CERT-EU (8 months ago)
Securityaffairs (3 months ago)
Securityaffairs (3 months ago)
DARKReading (3 months ago)
Securityaffairs (3 months ago)
BankInfoSecurity (3 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
BankInfoSecurity (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
DARKReading (5 months ago)