REvil
REvil, also known as Sodinokibi or Sodin, is a ransomware family operated as a ransomware-as-a-service (RaaS) platform. Deployments were first observed in April 2019, including exploitation of Oracle WebLogic vulnerability CVE-2019-2725, and the malware has also been executed via malicious Microsoft Word email attachments. REvil has been associated with major ransomware activity including the Kaseya VSA supply-chain attack, where it exploited a zero-day in Kaseya VSA Server and demanded $70 million in Bitcoin for a universal decryptor.
Technically, REvil is a configurable Windows ransomware family that stores RC4-encrypted JSON configuration data in a PE section, decrypts strings at runtime, dynamically resolves imports, and communicates with controllers over HTTPS; other reporting also notes both HTTP and HTTPS for C2 and that C2 communications have been encrypted with ECIES. It can attempt privilege escalation, including historical use of CVE-2018-8453 and repeated ShellExecuteW calls to prompt for elevation. Before encryption it can stop or delete services and terminate processes matching configured expressions, delete volume shadow copies using vssadmin, bcdedit, or PowerShell WMI methods, and then encrypt files on local and network storage. Encrypted files receive a random 5-10 character alphanumeric extension, ransom notes are dropped in affected directories, and a BMP image is set as the desktop background. The encryption workflow uses Curve25519, Salsa20, SHA-3, AES, and CRC32, and metadata is appended to encrypted files. REvil stores multiple encrypted victim key values in the registry and uses a global mutex named Global\1DE3C565-E22C-8190-7A66-494816E6C5F5.
The malware includes regional exclusion logic: it checks system language and keyboard layout and exits when both match whitelisted values including Russian, Ukrainian, Belarusian, Armenian, Azerbaijani, Georgian, Kazakh, Kyrgyz, Turkmen, Uzbek, Tatar, Romanian, Estonian, Latvian, Lithuanian, Tajik, and Persian. Earlier versions could persist via a registry key when configured to do so, though that persistence mechanism was removed in version 2.1.
Public reporting links REvil to multiple threat-actor relationships and ecosystem overlaps. Intel 471 assessed it was likely a continuation of GandCrab with new software but operated by the same individuals, and the actor advertising/promoting the service was identified as Unknown/UNKN. Affiliates reportedly received 60-70% of ransom payments. Other reporting states former REvil members handled the 'locking' operations for BlackSuit, and FIN7 was described as having expanded into ransomware deployment through affiliations with REvil and Maze. REvil-related delivery tradecraft is also linked to Gootloader/Gootkit campaigns, and the family has used DLL sideloading, including abuse of the Windows Defender binary MsMpEng.exe to load a malicious DLL containing ransomware.
Known artifacts and indicators mentioned in public reporting include ransom notes and desktop background changes, the registry value QaUXNv2P used with victim key handling, the SOFTWARE registry subkey used to store encrypted victim key material, the mutex Global\1DE3C565-E22C-8190-7A66-494816E6C5F5, and analyzed sample SHA-256 hashes 6953d86d09cb8ed34856b56f71421471718ea923cd12c1e72224356756db2ef1, 372c8276ab7cad70ccf296722462d7b8727e8563c0bfe4344184e1bc3afc27fc, and ec0c653d5e10fec936dae340bf97c88f153cc0cdf7079632a38a19c876f3c4fe. The reporting also references possible REvil ESXi locker activity under the name Revix, though one cited report could not definitively conclude the connection.
Vulnerabilities exploited
6 CVEs correlated with this family across public research and vendor advisories.
REvil ransomware exploits a kernel privilege escalation vulnerability in win32k.sys tracked as CVE-2018-8453 to gain SYSTEM privileges on the infected host.
REvil aka Sodinokibi, Sodin is a ransomware family operated as a ransomware-as-a-service (RaaS). Deployments of REvil first were observed in April 2019, where attackers leveraged a vulnerability in Oracle WebLogic servers tracked as CVE-2019-2725.
Previously, Pulse Connect Secure has been targeted by a variety of threat actors including ransomware groups and other nation-state aligned threat actors over the last five years: CVE-2019-11510 Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability. | We’ve also published several blog posts about vulnerabilities in Pulse Connect Secure: ... CVE-2019-11510: Critical Pulse Connect Secure Vulnerability Used in Sodinokibi Ransomware Attacks
In early 2021, Quanta Computer, a Taiwanese technology manufacturer and Apple partner, was compromised by the REvil ransomware group... The 2021 Kaseya VSA compromise by REvil used several zero-day vulnerabilities, including CVE-2021-30116 and CVE-2021-30120, which allowed them to bypass authentication requirements to access VSA servers en route to deploying ransomware in up to 1500 downstream client networks.
Computer giant Acer has been hit by a REvil ransomware attack where the threat actors are demanding the largest known ransom to date, $50,000,000.
Groups observed using it
12 distinct threat actors attributed by public researchers.
In 2023, FIN7 expanded its operations to include the deployment of ransomware through affiliations with RaaS groups such as REvil and Maze, while also managing its own RaaS programs, including the now-retired Darkside and BlackMatter.
In 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families.
One group known for pivoting is Evil Corp., the gang behind Revil. Revil’s tactics align with why a threat group would target an insurance provider.
Techniques & procedures
35 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Execution
4 techniques
Once the code was in place, a task named “RanCommand” was performed, effectively starting the Sodinokibi encryption process across the network.
Windows versions 5.2 and later, under PowerShell: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
Windows versions 5.1 and earlier: cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.
Persistence
4 techniques
Tetra was able to confirm that the “Tech Support” account, and all its administrative-level privileges, was compromised. This single user gave the threat actor full access to the network.
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. | Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.
Privilege Escalation
6 techniques
It then performs a process hollowing on that executable to load the Delphi component.
REvil ransomware exploits a kernel privilege escalation vulnerability in win32k.sys tracked as CVE-2018-8453 to gain SYSTEM privileges on the infected host.
Stealth
11 techniques
REvil ransomware incorporates techniques to make the task of static analysis more difficult for an analyst. Most of the strings used during execution are decrypted at runtime only when needed.
The behavior of the following samples was analyzed for this report: Sample SHA256 REvil packed ... REvil not packed ...
During its initialization phase, REvil starts by dynamically resolving the imports it needs to function correctly... each value is decoded and resolved to the correct API... additional APIs are resolved by their names with the help of the GetProcAddress API.
Finally, REvil ransomware marks its binary code for deletion during the next reboot and terminates execution.
The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.
One popular technique we're seeing at this time is the use of living-off-the-land binaries — or "LoLBins"... LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances of staying undetected within an organisation, usually during post-exploitation attack phases.
With everything in place, REvil creates a global mutual exclusion object (mutex) with a hard-coded name... This is used to ensure only a single instance of the ransomware sample is running.
For the check to succeed and REvil to exit, both a whitelisted system language and a whitelisted keyboard layout must be present. Otherwise, the ransomware continues its execution normally.
Popular malware like Sodinokibi and Gandcrab have used reflect DLL loaders in the past that allows attackers to load a dynamic library into process memory without using Windows API... the obfuscated Cobalt Strike beacon... gets deobfuscated with a static XOR key and loaded into memory using reflective loading techniques.
Defense Impairment
1 technique
Discovery
5 techniques
Then it will terminate all processes with names that match the elements of the prc JSON array...
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Next, REvil checks the configuration field dbg to see if it’s running in debug mode. If that is not the case, geolocation checks based on the system’s language and the keyboard layout are conducted so the ransomware does not attempt to encrypt files on whitelisted systems.
Lateral Movement
1 technique
Collection
1 technique
Command and Control
3 techniques
Exfiltration
2 techniques
Exfiltrates encrypted information on the infected host to remote controllers.
On top of client applications such as those provided by Mega, many ransomware families may use other software or built-in operating system utilities to exfiltrate data. We’ll use Mega as the example here... you can look for execution of any process that is not chrome.exe ... initiating a network connection to the domains mega.io or mega.co.nz .
Impact
4 techniques
First, it will try to stop and delete services if the names match one of the regular expressions in the svc JSON configuration list... | Then it will terminate all processes with names that match the elements of the prc JSON array, for instance: "prc":[ "w3wp", "thunderbird", "mydesktopqos", "powerpnt", "outlook" ... ]
Finally REvil will delete the volume shadow copies. The way this is accomplished depends on the Windows version:
Windows versions 5.1 and earlier: cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Windows versions 5.2 and later, under PowerShell: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
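The shadow-copy and boot-recovery commands quoted above are the most durable detection hook in this section. The following is an added Python example, not code from the page or from any of the cited reports: it runs patterns for those commands over constructed process-creation events (image path and command line separated by a `|`, a format assumed for the example) and groups hits per event so the whole vssadmin/bcdedit chain surfaces together.

```python
import re
from dataclasses import dataclass

# Patterns derived from the recovery-inhibition commands quoted on this page.
# Keys are labels for this example only, not vendor rule identifiers.
RECOVERY_INHIBITION_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "bcdedit_recovery_disabled": re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_boot_failures": re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "wmi_shadowcopy_delete": re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I | re.S),
}

@dataclass(frozen=True)
class Finding:
    event_no: int   # 1-based index of the event in the input
    image: str      # process image path taken from the event
    rule: str       # key of the pattern that matched the command line

def parse_event(line: str):
    # Constructed event format for this example: "<image path>|<command line>".
    # partition() splits at the first '|', so pipes inside a PowerShell command line survive.
    image, _, cmdline = line.partition("|")
    return image.strip(), cmdline.strip()

def scan_events(lines):
    """Return one Finding per (event, matched pattern), in input order."""
    findings = []
    for n, line in enumerate(lines, start=1):
        image, cmdline = parse_event(line)
        for rule, pattern in RECOVERY_INHIBITION_PATTERNS.items():
            if pattern.search(cmdline):
                findings.append(Finding(n, image, rule))
    return findings

def flagged_events(findings):
    """Group rule hits by event so an analyst sees the complete command chain at once."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.event_no, []).append(f.rule)
    return grouped

# Constructed sample process-creation events; the last two are benign administrative controls.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}",
    r"C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows",
    r"C:\Windows\System32\cmd.exe|cmd.exe /c bcdedit /enum",
]
```

Running `flagged_events(scan_events(SAMPLE_EVENTS))` reports three hits on the first event and one on the second, and nothing for the two benign controls.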
IOCs tracked for this family
17 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
200 sources tracked across advisories, community write-ups, and news.
A ransomware family listed among classes with sparse training data in the evaluation.
Ransomware family/operator referenced as using DLL sideloading with a legitimate Windows Defender binary to load a malicious DLL containing ransomware.
Related Articles: ... German authorities identify REvil and GandCrab ransomware bosses ...
Referenced as a prior ransomware group whose former members were said to handle encryption operations for BlackSuit.