Threat Actor Profile

REvil

REvil, also known as Sodinokibi, was a ransomware-as-a-service (RaaS) operation first observed in April 2019 and widely regarded as the successor to GandCrab. Broadly attributed as Russian-speaking and Russia-based, the group became infamous for high-impact double-extortion attacks across industries worldwide, disrupting organizations from small businesses to international enterprises.

Country of Origin

Broadly assessed as Russia-based/Russian-speaking. Indicators include a Russian-language forum presence, language and keyboard-layout checks in the malware that abort execution on systems configured for Russian and other CIS-country languages, and consistent U.S./EU attributions describing the operation as Russia-based.

Members

REvil ran as a classic RaaS. Small core developers/administrators provided the malware, payment portals, leak site, and support; a rotating cast of affiliates handled intrusion operations, lateral movement, data theft, and negotiation. Reported average payouts and high ransom asks indicate an aggressive “big-game hunting” focus. Exact membership counts, revenue splits, and affiliate rosters are unknown.

Leadership

Public “leadership” mainly surfaced via criminal-forum personas rather than real names. Two recurring handles are central to REvil’s operational narrative. “Unknown” (also “UNKN”) acted as spokesperson and recruiter on Russian-language forums during REvil’s peak. “0_neday” appeared as a later representative after mid-2021, the same period in which the group reported infrastructure problems and an alleged compromise of its servers. Beyond these personas, credible real-world identities remain largely unconfirmed.

REvil TTPs

Tactics

REvil primarily targeted large organizations in critical sectors, using double-extortion ransomware: affiliates exfiltrated sensitive data before encrypting it, then demanded payment both for a decryptor and for withholding the stolen data. The “big-game hunting” focus showed in the size of the ransom demands and in the escalating pressure applied through public shaming and staged data leaks on the group’s “Happy Blog” leak site.

Techniques

The group relied on a recurring set of techniques:

  • Exploitation of unpatched or zero-day vulnerabilities in internet-facing software, most notably the July 2021 Kaseya VSA attack, which abused an authentication bypass in on-premises VSA servers to push the payload to managed service providers and their customers.

  • Credential harvesting through phishing campaigns, purchased access, or brute-forcing of exposed RDP services.

  • Staging and deployment with living-off-the-land tools: PowerShell to disable Microsoft Defender protections, certutil to decode payloads dropped to disk, and vssadmin to delete Volume Shadow Copies before encryption.

Procedures

REvil affiliates followed a structured intrusion process:

  • Gaining initial access by exploiting exposed vulnerabilities, phishing lures, or compromised RDP credentials.

  • Deploying Cobalt Strike and similar tooling for credential theft, privilege escalation, and lateral movement toward domain controllers and file servers.

  • Staging and exfiltrating sensitive data first, to bolster the ransom demand, then deleting shadow copies and encrypting files rapidly across as many systems as possible.
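Two of the precursors above are detectable well before encryption starts: a burst of failed RDP logons from one address, and PowerShell used to switch off Microsoft Defender, decode a payload with certutil, or delete Volume Shadow Copies. The script below is an added example written for this page, not Huntress code or REvil tooling. It assumes a SIEM has normalised Windows events into dicts whose keys follow the EventData field names (Security event 4625 for failed logons, PowerShell Operational event 4104 for script block text); the sample events are constructed, including the IP addresses and hostnames.

```python
"""Detection logic for two REvil-affiliate precursors: RDP password
brute-forcing (Windows Security event 4625, logon type 10) and PowerShell
living-off-the-land staging (PowerShell Operational event 4104, script block
logging).  Added example; the events are constructed, not real telemetry."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10                       # RemoteInteractive
BRUTE_FORCE_THRESHOLD = 5                 # failures per source within the window
BRUTE_FORCE_WINDOW = timedelta(minutes=5)

# Script-block patterns for the staging steps described in the text.
TAMPER_PATTERNS = [
    ("defender_disable",   re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$?true", re.I)),
    ("defender_exclusion", re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I)),
    ("certutil_decode",    re.compile(r"certutil(\.exe)?\s+-(urlcache|decode)\b", re.I)),
    ("shadow_copy_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
]

# Constructed sample events (assumption: already normalised into dicts).
SAMPLE_EVENTS = [
    # Six failed RDP logons from one address in under a minute: a brute force.
    *[{"time": f"2021-07-02T14:00:{s:02d}", "id": 4625, "LogonType": 10,
       "IpAddress": "203.0.113.7", "TargetUserName": "administrator"}
      for s in (0, 11, 23, 35, 48, 59)],
    # Three failures over two hours from another address: noise, not a burst.
    *[{"time": t, "id": 4625, "LogonType": 10, "IpAddress": "198.51.100.20",
       "TargetUserName": "jsmith"}
      for t in ("2021-07-02T12:05:00", "2021-07-02T13:10:00", "2021-07-02T14:01:00")],
    # Six failed network logons (type 3): outside the RDP rule's scope.
    *[{"time": f"2021-07-02T14:02:{s:02d}", "id": 4625, "LogonType": 3,
       "IpAddress": "10.0.0.55", "TargetUserName": "svc_backup"}
      for s in range(0, 60, 10)],
    # PowerShell script blocks logged on an endpoint (constructed).
    {"time": "2021-07-02T14:30:00", "id": 4104, "Computer": "WS-ACCT-07",
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
    {"time": "2021-07-02T14:31:05", "id": 4104, "Computer": "WS-ACCT-07",
     "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true "
                        "-DisableIntrusionPreventionSystem $true"},
    {"time": "2021-07-02T14:31:09", "id": 4104, "Computer": "WS-ACCT-07",
     "ScriptBlockText": "certutil.exe -decode C:\\Windows\\Temp\\upd.crt C:\\Windows\\Temp\\upd.exe"},
    {"time": "2021-07-02T14:40:00", "id": 4104, "Computer": "WS-ACCT-07",
     "ScriptBlockText": "vssadmin.exe Delete Shadows /All /Quiet"},
]


def detect_rdp_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD,
                           window=BRUTE_FORCE_WINDOW):
    """One alert per source IP that reaches `threshold` failed RDP logons
    inside a sliding `window`; events are processed in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != 4625 or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        ip, t = ev["IpAddress"], datetime.fromisoformat(ev["time"])
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:      # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"rule": "rdp_brute_force", "ip": ip, "failures": len(q),
                           "first": q[0].isoformat(), "last": t.isoformat()})
    return alerts


def detect_lolbin_tampering(events):
    """Flag 4104 script blocks that match any staging pattern."""
    alerts = []
    for ev in events:
        if ev["id"] != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        for rule, pattern in TAMPER_PATTERNS:
            if pattern.search(text):
                alerts.append({"rule": rule, "host": ev.get("Computer"),
                               "time": ev["time"], "evidence": text[:120]})
    return alerts


def run_detections(events):
    return detect_rdp_brute_force(events) + detect_lolbin_tampering(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed events this raises one brute-force alert (203.0.113.7 reaches five failures within 48 seconds; the slow drip from 198.51.100.20 and the type-3 network failures do not fire) and three script-block alerts. Two caveats: event 4104 only exists if PowerShell Script Block Logging is enabled by policy, and the brute-force threshold and window need tuning per environment so that a forgotten password does not page the on-call analyst.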


Notable Cyberattacks

  • Travelex (December 2019 to January 2020): Sodinokibi encrypted the currency exchange’s systems on New Year’s Eve, taking its online services offline for weeks and forcing branches back to manual processing.

  • JBS Foods (May to June 2021): an attack on the world’s largest meat processor halted plants in the United States and Australia; JBS confirmed paying an $11 million ransom.

  • Kaseya VSA (July 2021): affiliates abused an authentication bypass in on-premises Kaseya VSA servers to push REvil through managed service providers to roughly 1,500 downstream businesses, and the group demanded $70 million for a universal decryptor.

Law Enforcement & Arrests

October to November 2021 Takedown: REvil’s Tor payment portal and leak site went offline in October 2021 after a multi-country law enforcement operation compromised the group’s infrastructure. In November 2021 Europol announced Operation GoldDust, covering seven arrests across Romania, Poland, Kuwait and South Korea of suspects tied to REvil/Sodinokibi and GandCrab; the U.S. Department of Justice charged Ukrainian national Yaroslav Vasinskyi for the Kaseya attack and seized $6.1 million from Russian national Yevgeniy Polyanin. Sources include Europol, Interpol, and multiple national agencies.

January 2022 FSB Arrests: Russia’s FSB announced it had detained 14 alleged REvil members at U.S. request, seizing cash, cryptocurrency and vehicles. The arrests effectively ended REvil as an organized brand, although a relaunched leak site and samples compiled from REvil source code were reported later in 2022. More details were reported by Reuters and BBC News.

Ongoing Collaborations: Law enforcement agencies continue to work with private cybersecurity firms like Huntress to disrupt the group's operations.

How to Defend Against REvil

1. Regular Patching – Prioritize internet-facing software (VPN appliances, remote-management servers such as Kaseya VSA, RDP gateways) and apply vendor emergency fixes promptly; REvil affiliates repeatedly entered through exposed, unpatched services.

2. Multi-Factor Authentication (MFA) – Require MFA on all remote access (RDP, VPN, remote-management consoles) and on privileged accounts so that a harvested or brute-forced password alone is not enough.

3. Employee Training – Educate staff on the phishing lures and social engineering tactics used by affiliates, and make reporting a suspicious message easy.

4. Network Segmentation – Limit attacker movement by logically dividing networks, restricting server-to-server traffic, and minimizing standing administrative access; segmentation slows the lateral movement stage described above.

5. Threat Detection and Response Tools – Deploy endpoint detection and response (Huntress or equivalent) that alerts on pre-encryption behaviour: Defender tampering, shadow copy deletion, credential dumping, and unusual remote-management agent activity.

6. Backup and Recovery Plans – Maintain offline or immutable, encrypted backups and test restoration regularly; a backup that has never been restored is an assumption, not a control.

7. Continuous Monitoring – Keep 24/7 monitoring in place (for example Huntress’s managed SOC) so that unusual behaviour is investigated and an intrusion is interrupted before affiliates reach the encryption stage.
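Item 6 says backups must be tested for restoration, and a restoration test is only meaningful if the restored data is compared against a record the attacker could not rewrite. The script below is an added example for this page, not Huntress tooling: it hashes every file in a data set, protects the manifest with an HMAC whose key is assumed to be kept offline, and then checks a restore against it. The file names, contents and the “bad restore” scenario are constructed in a temporary directory.

```python
"""Backup restoration test: hash every file in the protected data set,
integrity-protect the manifest with an HMAC key kept offline, then verify a
restore against it.  Added example, not Huntress tooling; the data set and
the 'bad restore' are constructed in a temporary directory."""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Relative POSIX path -> sha256/size for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): {
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            "size": p.stat().st_size,
        }
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def _canonical(manifest):
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """HMAC the manifest so an attacker who can rewrite the backup set cannot
    also rewrite the hashes it is checked against; keep `key` offline."""
    return {"manifest": manifest,
            "mac": hmac.new(key, _canonical(manifest), "sha256").hexdigest()}


def manifest_signature_valid(signed, key):
    expected = hmac.new(key, _canonical(signed["manifest"]), "sha256").hexdigest()
    return hmac.compare_digest(signed["mac"], expected)


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest: lost, altered, extra files."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    unexpected = sorted(set(actual) - set(manifest))
    modified = sorted(p for p in set(manifest) & set(actual)
                      if manifest[p]["sha256"] != actual[p]["sha256"])
    return {"ok": not (missing or unexpected or modified),
            "missing": missing, "unexpected": unexpected, "modified": modified}


def demo():
    """Constructed scenario: back up three files, then 'restore' a copy in which
    one file was encrypted in place, one is gone, and a ransom note appeared."""
    key = b"constructed-demo-key-keep-the-real-one-offline"
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (live / "finance" / "payroll.xlsx").write_bytes(b"PK\x03\x04constructed")
        (live / "readme.txt").write_text("constructed sample data\n")
        signed = sign_manifest(build_manifest(live), key)

        shutil.copytree(live, restored)
        (restored / "finance" / "ledger.csv").write_bytes(bytes(range(64)))  # "encrypted"
        (restored / "finance" / "payroll.xlsx").unlink()                       # lost
        (restored / "finance" / "HOW_TO_RESTORE.txt").write_text("constructed note\n")

        # A manifest edited after signing must fail the MAC check.
        tampered = {"manifest": dict(signed["manifest"]), "mac": signed["mac"]}
        tampered["manifest"]["readme.txt"] = {"sha256": "0" * 64, "size": 1}

        result = verify_restore(signed["manifest"], restored)
        result["signature_ok"] = manifest_signature_valid(signed, key)
        result["tampered_signature_ok"] = manifest_signature_valid(tampered, key)
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is the separation of trust: the manifest and its key live with the offline copy, not on the file server or the backup target, so a ransomware operator who encrypts both production and the online backup cannot also regenerate a matching manifest. In production the manifest is built at backup time, the restore test runs on a schedule into an isolated location, and a non-empty missing or modified list is an incident, not a warning.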
