Generated by GPT-5-mini

| REvil | |
|---|---|
| Image credit: Kin9r00t · CC BY-SA 4.0 | |
| Name | REvil |
| Formation | 2019 |
| Type | Cybercriminal syndicate |
| Purpose | Ransomware operations, data extortion |
| Region served | International |
| Leader | Alleged cyber operators |
| Affiliates | Ransomware-as-a-Service affiliates |
| Methods | Encryption, data theft, extortion, double extortion |
REvil

REvil was a transnational cybercriminal ransomware collective that rose to prominence in the late 2010s and early 2020s, notable for high-value attacks on corporate, technology, healthcare, and government-associated targets. The group employed a Ransomware-as-a-Service model, combining operators, affiliates, and data-leak pressure tactics to extract payments and media attention. Investigations by cybersecurity firms, national law-enforcement agencies, and international coalitions attributed a string of disruptive intrusions and extortion campaigns to the collective.
REvil emerged amid a proliferation of ransomware families alongside contemporaries such as WannaCry, NotPetya, Ryuk, LockBit, and Conti. Early reporting and technical analysis traced code similarities and infrastructure overlap to cybercriminal forums and marketplaces such as darknet markets, XMPP-based communications, and affiliate ecosystems resembling the models used by Maze, DoppelPaymer, and Egregor. Security vendors including Kaspersky, SentinelOne, CrowdStrike, Emsisoft, and Symantec documented initial samples and ransom notes that matched tactics seen in other Eastern European- and Eurasian-linked operations. Speculation about geographic origin referenced regions associated with cybercrime groups investigated by agencies such as the FBI, Europol, the NCA (United Kingdom), and Roskomnadzor.
The collective used a combination of initial access brokers, exploitation of remote-access technologies, and custom-built encryptors. Intrusions often began with compromised credentials from breaches involving Microsoft Exchange Server or VPN appliances, or with vulnerabilities in software from vendors such as Kaseya, Pulse Secure, and Citrix Systems. Once inside, operators leveraged tools and frameworks such as Cobalt Strike, Mimikatz, and PsExec, together with living-off-the-land binaries such as Windows PowerShell, to move laterally and escalate privileges. The group practised "double extortion": encrypting systems and threatening to publicly release exfiltrated data on leak sites styled after underground "wall of shame" portals. Payment demands typically requested cryptocurrencies such as Bitcoin or Monero, sometimes routed through conversion and mixing services referenced in analyses by Chainalysis and CipherTrace.
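A defender-side illustration of the post-compromise tooling described above, added here and not part of the original article: a small Python detector that scans Windows and Sysmon event records for the three patterns the paragraph names (a PsExec service installation, a non-system process opening LSASS memory as credential-dumping tools do, and PowerShell launched with an encoded command) and then correlates hits per host. The event IDs (System 7045, Sysmon 1 and 10) and the PSEXESVC service name are real identifiers; the hostnames, paths, allowlist, and sample records are constructed assumptions.

```python
"""Detection sketch for lateral-movement and credential-access tooling.

Added example, not code from the original article. Event IDs are real
Windows / Sysmon identifiers; hostnames, paths and the allowlist are
assumptions made for illustration:
  - System log Event ID 7045 : a new service was installed (PsExec drops PSEXESVC)
  - Sysmon Event ID 10       : ProcessAccess (a handle opened to lsass.exe)
  - Sysmon Event ID 1        : ProcessCreate (PowerShell command line)
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath
import re

PROCESS_VM_READ = 0x0010  # access right required to read LSASS memory

# Hypothetical allowlist of OS processes that legitimately open LSASS.
LSASS_SOURCE_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_PS_RE = re.compile(r"(?<=\s)-(?:e|ec|enc|encodedcommand)(?=\s)", re.IGNORECASE)

# Constructed sample telemetry (hypothetical hosts): WS-042 shows all three
# patterns in sequence, WS-007 shows only benign activity.
SAMPLE_EVENTS = [
    {"host": "WS-042", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "WS-042", "channel": "Sysmon", "event_id": 10,
     "source_image": r"C:\Users\Public\update.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"host": "WS-042", "channel": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA..."},
    {"host": "WS-007", "channel": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"host": "WS-007", "channel": "Sysmon", "event_id": 10,
     "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1400"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    # ntpath handles backslash paths regardless of the analyst's OS.
    return ntpath.basename(path).lower()


def detect(events):
    """Apply three single-event rules and return one Finding per match."""
    findings = []
    for ev in events:
        host, eid, channel = ev["host"], ev["event_id"], ev["channel"]
        if channel == "System" and eid == 7045:
            if "PSEXESVC" in ev.get("service_name", "").upper():
                findings.append(Finding(host, "psexec_service_install", ev["service_name"]))
        elif channel == "Sysmon" and eid == 10:
            src = _basename(ev["source_image"])
            if (_basename(ev["target_image"]) == "lsass.exe"
                    and src not in LSASS_SOURCE_ALLOWLIST
                    and int(ev["granted_access"], 16) & PROCESS_VM_READ):
                findings.append(Finding(host, "lsass_memory_access", src))
        elif channel == "Sysmon" and eid == 1:
            if (_basename(ev["image"]) == "powershell.exe"
                    and ENCODED_PS_RE.search(ev["command_line"])):
                findings.append(Finding(host, "encoded_powershell", ev["command_line"][:60]))
    return findings


def correlate(findings, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired: escalate to IR."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    return {h for h, rules in rules_by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host}: {f.rule} ({f.detail})")
    print("hosts needing triage:", sorted(correlate(hits)))
```

Each rule on its own is noisy (administrators use PsExec and encoded PowerShell legitimately, and security agents open LSASS), which is why `correlate` only escalates a host once several distinct indicators appear there; tune the allowlist and threshold to your environment.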
High-profile incidents attributed to the group included attacks on managed-service providers and supply-chain targets, most famously an intrusion involving Kaseya that impacted numerous small and medium enterprises through compromised software updates. Other reported victims and sectors encompassed organizations linked to JBS S.A., Travelex, healthcare providers, law firms, and technology suppliers. Consequences included operational shutdowns, data breaches, and legal fallout involving regulators such as the FTC, the SEC, and national privacy authorities including the ICO (United Kingdom). Economic and political reactions included statements from heads of state and government bodies such as White House cybersecurity advisors, the United States Department of Justice, and foreign ministries, and prompted emergency incident response from firms such as Mandiant and Palo Alto Networks. Media coverage appeared in outlets including The New York Times, The Washington Post, and BBC News.
International law-enforcement efforts coordinated through entities such as Europol, the FBI, INTERPOL, and national cybercrime units led to takedowns, arrests, and sanctions targeting infrastructure, cryptocurrency exchanges, and facilitators. Operations involved digital forensics by private companies cooperating with public agencies, asset seizures guided by FinCEN intelligence, and mutual legal-assistance treaties with affected states. Notable actions included disruption of leak sites, seizure of command-and-control servers, and targeted arrests linked to investigations by United States District Court prosecutors, the Russian Federal Security Service, and European magistrates. Responses also prompted policy discussions within NATO and industrial cybersecurity guidance from CISA.
Attribution efforts combined malware analysis, infrastructure tracking, human intelligence, and blockchain tracing performed by organizations like Recorded Future, Flashpoint, and Microsoft Threat Intelligence. Researchers identified patterns of code reuse, ransom-note language, and operational cadence consistent with criminal networks originating from regions that have historically produced high-volume cybercriminal activity, including parts of Eastern Europe and the CIS. Open-source investigations and indictments suggested hierarchical structures with administrators, affiliates, and money-laundering facilitators, drawing comparisons to known syndicates investigated in cases involving Europol Operation Virgo and prosecutions by the United States Attorney General offices.
The group's adoption of Ransomware-as-a-Service and double-extortion techniques accelerated similar business models across threat actors such as LockBit operators, Clop affiliates, and other ransomware families. Their high-visibility incidents influenced corporate cyber-insurance practices, board-level risk assessments, and regulatory proposals in bodies such as the European Commission and in national cybersecurity strategies. Security industry responses included improved threat-hunting playbooks, coordinated disclosure practices among vendors such as Microsoft, Cisco Talos, and Trend Micro, and bolstered public-private partnerships exemplified by collaborations between CISA and private incident responders.