REvil

Malware updated 13 days ago (2024-11-08T13:22:44.037Z)

Download STIX

Preview STIX

REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. The authors of REvil's ransomware were known for their countdown approach to ransom demands. Despite announcing the cessation of its RaaS operations, GOLD SOUTHFIELD (REvil) did not express any intention to stop deploying ransomware. The Russian government took action against REvil in January 2022 under pressure from the United States due to the group's high-profile cyberattacks. Following this, eight individuals associated with REvil were detained. A Russian court later sentenced four members of the REvil ransomware group to prison in early 2022, marking a significant crackdown on the group's activities. These convictions were considered rare in the realm of Russian cybercrime. One prominent member of the REvil gang, Vasinskyi, had been an affiliate since March 1, 2019. He was charged by the US Department of Justice in November 2021 for orchestrating ransomware attacks on the Kaseya MSP platform that occurred on July 4, 2021. Vasinskyi was subsequently sentenced for his role in executing more than 2,500 ransomware attacks and demanding over $700 million in ransom payments.

Description last updated: 2024-11-06T00:03:47.564Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Sodinokibi is a possible alias for REvil. Sodinokibi, also known as REvil, is a highly active and impactful threat actor first identified in April 2019. Operating as a ransomware-as-a-service (RaaS), this group has been responsible for a significant proportion of global ransomware incidents. In 2020, Sodinokibi ransomware attacks accounted	10
Gandcrab is a possible alias for REvil. GandCrab, a threat actor, is known for its malicious activities involving ransomware attacks. Originating from Russian origins and evolving from Team Truniger, a former GandCrab affiliate, the group has been linked to numerous ransomware variants including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REv	7
QakBot is a possible alias for REvil. Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d	3
GOLD SOUTHFIELD is a possible alias for REvil. Gold Southfield is a threat actor group known for its malicious cyber activities. Secureworks® Counter Threat Unit™ (CTU) researchers have found significant overlaps in the code structure of LV ransomware and REvil, a ransomware operated by Gold Southfield. This suggests that Gold Southfield may hav	3
Maze is a possible alias for REvil. Maze is a form of malicious software, or malware, that pioneered a novel double-extortion tactic in the cyber threat landscape. Its modus operandi involves stealing victims' files before encrypting them, thereby enabling the threat actors to threaten both the disruption of operations and the release	3
Akira is a possible alias for REvil. Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo	2
Qbot is a possible alias for REvil. Qbot, also known as Qakbot or Pinkslipbot, is a modular information stealer malware that first emerged in 2007 as a banking trojan. Its evolution has seen it become an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The fi	2
Sodin is a possible alias for REvil. Sodin, also known as Sodinokibi or REvil, is a sophisticated threat actor that emerged in the first half of 2019. This entity quickly drew attention due to its unique methods of distribution and attack. It exploited an Oracle Weblogic vulnerability to distribute itself and targeted Managed Service P	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Ransom

Malware

RaaS

Encrypt

Cybercrime

Vulnerability

Linux

Locker

Windows

Exploit

Esxi

Ddos

Cobalt Strike

Botnet

Extortion

Russia

russian

Encryption

Trojan

exploitation

Bitcoin

Apt

Zero Day

Loader

Phishing

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Conti Malware is associated with REvil. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra	Unspecified	9
The Lockbit Malware is associated with REvil. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit	Unspecified	9
The Babuk Malware is associated with REvil. Babuk is a form of malware, specifically ransomware, that infiltrates computer systems and encrypts files, rendering them inaccessible to the user. It typically infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operatio	Unspecified	6
The Black Basta Malware is associated with REvil. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses	Unspecified	6
The Hive Malware is associated with REvil. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag	Unspecified	5
The MegaCortex Malware is associated with REvil. MegaCortex is a type of malware known for its harmful effects on computer systems and devices. It was identified by Dragos, a cybersecurity firm, as having a relationship with another ransomware called EKANS. Both MegaCortex and EKANS have specific characteristics that pose unique risks to industria	Unspecified	4
The Avaddon Malware is associated with REvil. Avaddon is a type of malware, specifically ransomware, designed to exploit and damage computer systems. It was notable for its compatibility with older systems such as Windows XP and Windows 2003, distinguishing it from other ransomware like Darkside and Babuk which targeted more modern systems like	Unspecified	4
The malware Conti, Lockbit is associated with REvil.	Unspecified	4
The Clop Malware is associated with REvil. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin	Unspecified	3
The HELLOKITTY Malware is associated with REvil. HelloKitty is a malicious software (malware) that has been designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold dat	Unspecified	3
The Ryuk Malware is associated with REvil. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves	Unspecified	3
The Gootloader Malware is associated with REvil. Gootloader is a potent malware, often used as an infostealer or deployed prior to ransomware attacks. It's known for its unique approach of Search Engine Optimization (SEO) poisoning, where victims are deceived into clicking on malicious links disguised as legitimate resources. A significant campaig	Unspecified	2
The Netwalker Malware is associated with REvil. NetWalker is a highly profitable ransomware kit, known for its ability to disable antivirus software on Windows 10 systems and encrypt files, adding a random extension to the encrypted ones. Once executed, it disrupts operations and can even hold data hostage for ransom. It has been observed that Ne	Unspecified	2
The Egregor Malware is associated with REvil. Egregor is a malicious software variant of the Sekhmet ransomware that operates on a Ransomware-as-a-Service (RaaS) model. It is speculated to be associated with former Maze affiliates, and is notorious for its double extortion tactics, which involve not only encrypting the victim's data but also pu	Unspecified	2
The Emotet Malware is associated with REvil. Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations,	Unspecified	2
The Formbook Malware is associated with REvil. Formbook is a type of malware, malicious software designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Formbook has been linked with other forms o	Unspecified	2
The WannaCry Malware is associated with REvil. WannaCry is a type of malware, specifically ransomware, that made headlines in 2017 as one of the most devastating cyberattacks in recent history. The WannaCry ransomware exploited vulnerabilities in Windows' Server Message Block protocol (SMBv1), specifically CVE-2017-0144, CVE-2017-0145, and CVE-2	Unspecified	2
The Abyss Locker Malware is associated with REvil. Abyss Locker is a formidable strain of malware, specifically ransomware, that has been observed targeting both Microsoft Windows and Linux platforms. This malicious software operates by infiltrating systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside	Unspecified	2
The Pysa Malware is associated with REvil. Pysa is a type of ransomware, a malicious software designed to exploit and damage computer systems by encrypting data and demanding ransom for its decryption. The Pysa ransomware group, known for its organizational hierarchy that includes senior executives, system admins, developers, recruiters, HR,	Unspecified	2
The Lv Ransomware Malware is associated with REvil. LV Ransomware is a type of malicious software designed to exploit and damage computer systems, often infiltrating systems through suspicious downloads, emails, or websites. This ransomware variant, also known as ".0nzo8yk Virus," was first identified in the wild in June 2020 and is a modified versio	Unspecified	2
The Blackbasta Malware is associated with REvil. BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relation	Unspecified	2
The Trigona Malware is associated with REvil. Trigona was a significant strain of ransomware that emerged in 2022, known for its harmful effects on computer systems. The malware infiltrated systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it could steal personal information, disrupt ope	Unspecified	2
The AvosLocker Malware is associated with REvil. AvosLocker is a type of malware, specifically ransomware, known for its malicious intent to exploit and damage computer systems. This software often infiltrates systems undetected through suspicious downloads, emails, or websites, subsequently causing disruption in operations, theft of personal info	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The DarkSide Threat Actor is associated with REvil. DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply across	is related to	9
The Blackmatter Threat Actor is associated with REvil. BlackMatter, a threat actor in the cybersecurity realm, is known for its malicious activities and has been linked to several ransomware strains. The group emerged as a successor to the DarkSide ransomware, which was responsible for the high-profile attack on the Colonial Pipeline in May 2021. Howeve	Unspecified	7
The Alphv Threat Actor is associated with REvil. Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB	is related to	7
The KillNet Threat Actor is associated with REvil. Killnet is a threat actor or group with potential ties to the Russian government, known for its disruptive cyber-attacks. This group has been linked to several politically motivated attacks, including a significant assault on the Israeli government's website leading to its paralysis. Killnet has als	Unspecified	3
The FIN7 Threat Actor is associated with REvil. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global	Unspecified	3
The Vice Society Threat Actor is associated with REvil. Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of Zeppe	Unspecified	3
The Bassterlord Threat Actor is associated with REvil. Bassterlord, a known threat actor and affiliate of the LockBit group, has been associated with multiple malicious cyber activities since August 2021. Operating under the alias "Bassterlord," Ivan Kondratyev allegedly deployed LockBit ransomware against private and municipal entities in New York, Ore	Unspecified	2
The Sangria Tempest Threat Actor is associated with REvil. Sangria Tempest, also known as Carbon Spider, Elbrus, and FIN7, is a threat actor that has been active since 2013. In mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113's EugenLoader delivered through malicious MSIX package installations. The group frequently targets the restaura	Unspecified	2

Source Document References

Information about the REvil Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
BankInfoSecurity	20 days ago	Breach Roundup: S&P Says Poor Remediation A Material Risk
Securityaffairs	23 days ago	Security Affairs newsletter Round 495 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	23 days ago	Four REvil Ransomware members sentenced for hacking and money laundering
BankInfoSecurity	2 months ago	Breach Roundup: AI 'Nudify' Sites Serve Malware
BankInfoSecurity	2 months ago	US DOJ Unveils New Strategic Approach to Counter Cybercrime
Securelist	3 months ago	Statistics on PC malware for Q2 2024
BankInfoSecurity	3 months ago	Medibank to Spend AU$126M on Post-Breach Security Upgrade
Securityaffairs	3 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs	4 months ago	security-affairs-malware-newsletter-round-5
DARKReading	4 months ago	More Legal Records Stolen in 2023 Than Previous 5 Years Combined
CERT-EU	9 months ago	Russia Arrests Three Alleged SugarLocker Ransomware Members
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
DARKReading	4 months ago	Security End-Run: 'AuKill' Shuts Down Windows-Reliant EDR Processes
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 2
BankInfoSecurity	4 months ago	4 Million People Affected by Debt Collector Data Theft Hack
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 1
Securityaffairs	4 months ago	GootLoader is still active and efficient
BankInfoSecurity	5 months ago	Millions Affected by Prudential Ransomware Hack in February
Securityaffairs	5 months ago	Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION