What Is REvil?

REvil, also known as “Sodinokibi,” was a group of Russian-speaking or Russian-based cybercriminals that once ran a highly successful ransomware as a service (RaaS) operation. REvil is short for “Ransomware Evil,” a title inspired by the Resident Evil media franchise. The group was believed to be an offshoot from a previous ransomware gang called GandCrab. The REvil/Sodinokibi ransomware is difficult to detect and highly evasive, making it a very potent and dangerous type of cyberattack. REvil ransomware has been responsible for several high-profile ransomware attacks on large enterprises, including the meat processing company JBS, the oil company Colonial Pipeline, the software company Kaseya, and a supplier of the tech giant Apple. The REvil ransomware group was active from 2019 until January 2022, when it was dismantled by law enforcement. Despite its demise, the influence REvil had on developing the RaaS business model continues to pose a significant threat to governments and organizations around the world.

How did REvil ransomware work?

Like other forms of ransomware, REvil attacks infiltrated the IT systems of organizations using a variety of techniques. Hackers using REvil relied on zero-day vulnerabilities in hardware and software, breaches of Remote Desktop Protocol (RDP) servers, and phishing emails that duped users into downloading malware to their devices. Once the REvil malware was downloaded, it encrypted files on servers and devices, preventing users from accessing business-critical data until ransom demands were met. Ransom notes usually demanded payment in bitcoin in exchange for decryption keys. Unlike other types of ransomware, REvil performed a double extortion, exfiltrating sensitive data before encrypting it and threatening to post or auction off the stolen data on its “Happy Blog” site unless the ransom was paid.

Diagram depicting how a typical ransomware attack works.

How does REvil operate as a service?

The cybercrime gang that created REvil relied on other cybercriminals called “affiliates” to distribute the ransomware and carry out attacks, with the original gang receiving 20% to 30% of the illegal proceeds.

How was REvil stopped?

Beginning in 2021, efforts by Russian authorities, the FBI, and private cybersecurity firms damaged both the operations and the reputation of the REvil group.

  • July 2021: REvil websites and infrastructure disappeared from the internet, possibly due to efforts by Russian authorities. The FBI was able to help some victims restore their files using a decryption key.
  • September 2021: A Romanian cybersecurity firm published a free universal decryptor utility for REvil/Sodinokibi ransomware. Malware researchers discovered a backdoor built into REvil malware that allowed the original members of the gang to cheat REvil affiliates out of ransomware payments, undermining the affiliates’ trust in REvil.
  • October 2021: REvil servers were hacked and forced offline.
  • November 2021: Indictments from the United States Department of Justice led to the arrest of Ukrainian and Russian threat actors, who were charged with conducting ransomware attacks against multiple victims. The national police of Ukraine seized more than US$6 million tied to ransomware payments.
  • January 2022: The Russian Federal Security Service reported that REvil had been dismantled and members of its gang were being charged.

Is REvil still a threat?

Whether or not other members of the REvil cybercrime gang are still operating, the model created by REvil malware and its RaaS offering are likely to resurface in other types of ransomware threats.

How can REvil ransomware attacks be prevented?

The same cybersecurity methods and controls used to prevent other types of cybercrime and ransomware attacks should be effective against REvil attacks as well.

  • Manage security policy centrally. Managing policy from one location allows security teams to take steps like preventing users from launching executables from local folders or deactivating macros in Microsoft Office. These are two steps that are crucial to blocking REvil attacks.
  • Adopt a Zero Trust approach. By assuming that no person or system should be inherently trusted or granted access to IT assets, a Zero Trust approach to security limits the “blast radius” of a ransomware attack by preventing malware and threat actors from moving laterally to encrypt or compromise additional parts of the network.
  • Segment the network and IT assets. Software-defined microsegmentation isolates individual assets and parts of the network to prevent attackers from moving laterally.
  • Implement antivirus and anti-malware solutions. These technologies can help by monitoring email and network traffic to filter out executable files or viruses. The latest antivirus solutions can neutralize many ransomware threats before they do damage.
  • Conduct regular security awareness training. Human error often plays a critical role in ransomware attacks. Awareness programs on ways to recognize ransomware, phishing emails, and on best practices for optimal security hygiene should all be available for employee training.
  • Encrypt data. When sensitive files are already encrypted at rest, any data that a ransomware attack like REvil exfiltrates cannot be read or exposed.
  • Deploy strong identity and access control. Limit who can access or modify data by using strong passwords and multi-factor authentication.
  • Perform frequent backups. Regularly backing up files and keeping them in storage that’s disconnected from the network makes it easier to recover quickly from a ransomware infection without having to pay a ransom or permanently losing files.
  • Update and patch hardware and software frequently. Setting a regular cadence for installing updates and patches can help remediate the vulnerabilities that attackers use to access systems.
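The file-encryption behaviour described above (mass renaming of files to a new extension followed by a dropped ransom note) is exactly what the monitoring controls in this list are meant to catch. The following is an added illustrative example, not Akamai code and not a reproduction of REvil itself: a small heuristic detector that replays constructed file-activity audit events and raises an alert when one process gives many files an unfamiliar extension within a short window, or writes a file whose name resembles a ransom note. The event format, the thresholds, the extension allow-list and the sample events are all assumptions chosen for the example.

```python
"""
Heuristic detection of ransomware-style mass file encryption from file-activity
audit events. Added example: the event tuple format (timestamp, process, action,
path), the thresholds and the sample events are assumptions, not a real product's
telemetry or REvil's actual behaviour.
"""
import os
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 5.0      # assumed sliding window for counting renames per process
RENAME_THRESHOLD = 20     # assumed number of suspicious renames that triggers an alert
# Assumed allow-list of extensions normally seen on this host; anything else is "unusual".
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".bak"}
# Assumed substrings typical of ransom-note filenames.
NOTE_MARKERS = ("readme", "decrypt", "restore", "how_to")


@dataclass
class Alert:
    process: str
    timestamp: float
    reason: str
    path: str


def is_unusual_extension(path: str) -> bool:
    """True when the file's extension is not on the host's allow-list."""
    ext = os.path.splitext(path)[1].lower()
    return bool(ext) and ext not in COMMON_EXTENSIONS


def looks_like_ransom_note(path: str) -> bool:
    """True when the basename contains a marker commonly used by ransom notes."""
    name = os.path.basename(path).lower()
    return any(marker in name for marker in NOTE_MARKERS)


def detect(events):
    """
    Replay (timestamp, process, action, path) events in time order and return a
    list of Alert objects. A process is alerted at most once for mass renaming.
    """
    alerts = []
    recent = defaultdict(deque)   # process -> timestamps of recent suspicious renames
    already_alerted = set()
    for ts, proc, action, path in sorted(events, key=lambda e: e[0]):
        if action == "write" and looks_like_ransom_note(path):
            alerts.append(Alert(proc, ts, "ransom-note-like file created", path))
        if action in ("rename", "write") and is_unusual_extension(path):
            window = recent[proc]
            window.append(ts)
            # drop timestamps that fell out of the sliding window
            while window and ts - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= RENAME_THRESHOLD and proc not in already_alerted:
                already_alerted.add(proc)
                alerts.append(Alert(
                    proc, ts,
                    f"{len(window)} files given unusual extension within {WINDOW_SECONDS}s",
                    path))
    return alerts


# Constructed sample events: benign editing, a backup job, and one process that
# renames 40 spreadsheets to a random extension and then drops a note.
SAMPLE_EVENTS = [
    (0.0, "winword.exe", "write", "/home/alice/docs/report.docx"),
    (0.5, "winword.exe", "write", "/home/alice/docs/report.docx"),
    *[(10.0 + i * 0.05, "svc_update.exe", "rename",
       f"/home/alice/docs/file{i}.xlsx.q8x1z") for i in range(40)],
    (12.5, "svc_update.exe", "write", "/home/alice/docs/q8x1z-readme.txt"),
    (30.0, "backup.exe", "write", "/mnt/backups/2024-01-01/db.bak"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.timestamp:6.2f}] {alert.process}: {alert.reason} ({alert.path})")
```

Running the module prints two alerts for `svc_update.exe`: the mass-rename alert fires on the twentieth rename, well before the whole directory is touched, and the note alert fires on the `readme` write. The allow-list approach is deliberate: it needs no knowledge of a particular ransomware family's extension, which is useful since affiliates vary those, but it must be tuned per host so that legitimate tools writing unusual extensions (build systems, archivers) do not trip it.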


Why customers choose Akamai

Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.
