Ransomware Attacks: A Closer Look at REvil


Published on Jul 3, 2023   —   7 min read

Understanding the Tactics and Techniques of a Major Cyber Threat


Welcome, cybersecurity enthusiasts! Prepare to journey into the shadowy realm of ransomware, a digital specter that has loomed large over the world in recent years. Our exploration today focuses on a particularly notorious entity in this landscape: REvil. Known for their audacious attacks and astronomical ransom demands, REvil has etched a formidable reputation in the annals of cyber threats. Are you ready to navigate the intricate maze of REvil's tactics, techniques, and procedures (TTPs)? Let's delve deeper into the underworld of one of the most prolific ransomware groups in operation today.

Who is REvil?

REvil, also known as Sodinokibi, is a ransomware group first identified in April 2019. Suspected to have Eastern European roots, this group has gained notoriety for its audacious cyberattacks across a broad range of industries, and for its steep ransom demands that have reportedly reached up to $50 million.

REvil operates under the ransomware-as-a-service (RaaS) model, a cybercrime business strategy where a core team is responsible for developing the ransomware, while affiliates carry out the attacks and share the ransom proceeds. This model allows REvil to launch a large number of attacks, broadening their reach and impact.

The group has been linked to high-profile attacks on several major organizations. Notable victims include JBS S.A., a multinational meat processing company, and Kaseya, a global IT firm. These attacks often involve a two-step strategy: first, data is exfiltrated from the victim's network, and then the network is encrypted. The group threatens to leak the stolen data if the ransom isn't paid, increasing pressure on the victims.

The resilience of REvil has been tested. In October 2021, the group's operations were reportedly disrupted by an unknown entity, leading to speculation about possible action by law enforcement or rival cybercriminals. Despite this setback, REvil appeared to be back in action by December 2021, demonstrating their ability to withstand adversity.

The exact identity of the individuals behind REvil remains unclear, adding to the group's mystique. However, their significant impact on the world of cybersecurity is undeniable. As REvil continues to adapt and evolve, they underscore the need for robust cybersecurity measures and proactive defense strategies.

Tactics, Techniques, and Procedures of REvil

REvil's success is largely due to their sophisticated Tactics, Techniques, and Procedures (TTPs). They typically gain initial access through phishing emails or by exploiting vulnerabilities in public-facing applications. Once inside a network, they move laterally, escalating their privileges until they have access to critical systems.

Initial Access:

REvil employs a blend of sophisticated and time-tested techniques to gain a foothold in its targets' systems. Among these, spear-phishing emails are a favored instrument. Unlike standard phishing, spear-phishing is a high-precision attack, custom-tailored to deceive specific individuals or entities. These malicious emails carry harmful attachments or links, which, when interacted with, can trigger the installation of the REvil ransomware.

Equally noteworthy is REvil's knack for exploiting vulnerabilities in public-facing applications. In past instances, the group has capitalized on weaknesses in Oracle WebLogic servers and Pulse Secure VPN devices, turning software flaws into gateways for unauthorized access.

Lateral Movement and Privilege Escalation:

Once inside a network, REvil unleashes a suite of tools to navigate laterally across the infected infrastructure. Tools such as PowerShell and Mimikatz allow the ransomware to spread its influence, reaching and compromising as many systems as possible.

Alongside lateral movement, REvil exercises a strong emphasis on privilege escalation. The group seeks to acquire higher-level privileges on the infected systems through techniques like credential dumping and the exploitation of known software vulnerabilities. This elevated access further solidifies their control and paves the way for the next phase of their attack.

Ransomware Deployment:

With the groundwork laid, REvil deploys their ransomware payload, leading to the mass encryption of files across the infected systems. A ransom demand follows, typically requesting payment in exchange for the decryption key.

In a particularly ruthless twist, REvil has been known to exfiltrate sensitive data before encrypting the files and threaten to leak this information if the ransom is not paid - a strategy known as double extortion.

An illustrative case of these TTPs in action is REvil's attack on JBS. In this incident, the group penetrated the company's defenses, likely using one of their typical initial access methods. They then maneuvered across and escalated their privileges within JBS's network before unleashing their ransomware. This led to substantial operational disruption and a staggering $11 million ransom demand.

While the above outlines REvil's TTPs up until September 2021, it's worth noting that threat actor tactics can evolve. Therefore, it's crucial to stay updated with the latest cybersecurity resources and developments for the most accurate and timely information.

REvil's Ransomware: Sodinokibi

Sodinokibi, the preferred weapon of REvil, is a formidable piece of ransomware that has caused significant damage across the globe. It's not just its potency that makes it a threat, but also its adaptability and the sophistication of its design.

Encryption Mechanism:

Sodinokibi employs robust encryption algorithms to lock victims' files, rendering them inaccessible. The encryption process is swift and efficient, often leaving victims unaware until it's too late. The encryption key, which is necessary for decrypting the files, is held by the attackers, who demand a ransom in exchange for it. The strength of the encryption algorithms used makes it virtually impossible to break the encryption without the specific key, forcing many victims into a corner where they feel their only option is to pay the ransom.

Shadow Copy Deletion:

Adding to its destructive capabilities, Sodinokibi includes a mechanism to delete shadow copies on the Windows operating system. Shadow copies are essentially backup copies or snapshots of computer files or volumes, even when they are in use. They are a critical part of data recovery as they can be used to restore data to an earlier point in time. By deleting these shadow copies, Sodinokibi prevents victims from easily recovering their files, further increasing the pressure on them to pay the ransom.

Evolution Over Time:

A defining feature of Sodinokibi is its ability to evolve over time. The threat actors behind it are constantly working to improve the ransomware, making regular updates to help it evade detection by antivirus software and to thwart analysis by cybersecurity researchers. This constant evolution makes Sodinokibi a moving target, increasing the challenge for those working to defend against it.

Modular Design:

Sodinokibi is also known for its modular design. This means that it is composed of separate components that can be independently updated or modified. This modular structure allows the threat actors to easily add new features or change existing ones, further contributing to Sodinokibi's adaptability and longevity.

In summary, Sodinokibi is a potent, adaptable, and sophisticated piece of ransomware. Its robust encryption, ability to delete shadow copies, constant evolution, and modular design all contribute to its effectiveness, making it a significant threat in the cybersecurity landscape.

Mitigation Strategies Against REvil Attacks

To effectively counteract the threats posed by REvil, a comprehensive and multi-layered cybersecurity strategy is indispensable. This strategy should encompass a variety of measures, each designed to address different aspects of the threat.

Backup Maintenance:

One of the most crucial defenses against ransomware attacks is maintaining up-to-date backups of all critical data. These backups should be stored in a location separate from the main network to prevent them from being compromised in the event of an attack. Regularly testing these backups is also essential to ensure that they can be successfully restored if needed.

User Education:

Given that REvil often gains initial access through phishing emails, educating users about the risks and signs of these deceptive communications is vital. Regular training sessions can help users recognize and avoid phishing attempts, reducing the chances of an initial breach.

Network Segmentation:

Implementing network segmentation can significantly limit the damage of a REvil attack. By dividing the network into separate segments, lateral movement can be restricted, preventing REvil from accessing critical systems if they gain initial access to the network.

System Patching:

Regularly updating and patching systems is another key defense measure. REvil often exploits known vulnerabilities in software to gain access to a network, so keeping all software up-to-date can close these potential entry points.

Infection Response:

In the unfortunate event of a REvil infection, swift and decisive action is required. Affected systems should be immediately isolated to prevent the ransomware from spreading to other parts of the network. All network activity should be carefully monitored to identify any signs of further intrusion.

Professional Assistance:

Given the sophistication of REvil's ransomware, contacting a cybersecurity firm for assistance can be advisable. These firms have the expertise and tools necessary to remove the ransomware, recover data, and identify any remaining vulnerabilities in the network.

In conclusion, defending against REvil requires a robust, comprehensive, and proactive cybersecurity strategy. By combining these measures, organizations can significantly reduce their risk of falling victim to a REvil attack.


The escalating trend of ransomware attacks, spearheaded by groups like REvil, underscores the critical need for robust cybersecurity measures. In this dynamic and ever-evolving threat landscape, continuous vigilance and proactive defense are more vital than ever.

However, it's worth noting that in the long term, groups like REvil are inadvertently contributing to the strengthening of global cybersecurity. By exploiting vulnerabilities and exposing weaknesses in systems, they are forcing companies to take a hard look at their security measures and prompting them to invest in fortifying their defenses. In a sense, they are the adversaries that keep us on our toes, pushing us to continually improve and adapt.

As we traverse this intricate realm of cybersecurity, knowledge remains our most potent weapon. Understanding the tactics and techniques of groups like REvil equips us to better defend against them. It's a constant game of cat and mouse, but one that is leading to the development of more secure systems and more informed users.

So, as we navigate this complex world, remember to stay informed, stay updated, and most importantly, stay secure. In the face of threats like REvil, these are our best defenses. And remember, every challenge we face is an opportunity to learn and grow stronger. In this way, we can view REvil not just as a threat, but also as a catalyst for improvement in our collective cybersecurity.

Share on Facebook Share on Linkedin Share on Twitter Send by email

Subscribe to the newsletter

Subscribe to the newsletter for the latest news and work updates straight to your inbox, every week.