REvil ransomware, also called Sodinokibi, is a Russia-linked ransomware-as-a-service (RaaS) group. The group recruits partners to launch attacks on its behalf. Partners keep 70 to 80% of each ransom. The core team takes the rest.
REvil first appeared in April 2019. Within two years, it became the world’s most active ransomware strain. It was behind 25% of all ransomware attacks between January and July 2021.
But REvil did not just lock files. It stole data first. Then it threatened to post that data if the victims refused to pay. This double extortion model put enormous pressure on firms, even those with working backups.
Who Is the REvil Ransomware Group?
REvil is not one person. It is a crime ring.
A core team builds and runs the ransomware. Partners pay to use it and launch their own ransomware attacks. Profits are split. This model made the REvil ransomware group fast, scalable, and hard to stop.
Researchers tied REvil to GandCrab, an earlier RaaS gang that shut down in 2019. An accused REvil member later said the code was built on top of an old codebase the group had acquired.
The group ran a dark website called “Happy Blog.” It posted stolen files there to push victims into paying. Even firms with solid backups pay to keep private data off the internet.
How Does REvil Ransomware Work?
REvil attacks are not automated. Real people run them from inside the network at every stage.
Initial access
Hackers get in through phishing emails, guessed RDP logins, or software flaws. The Kaseya attack used a zero-day bug in a remote management tool. That one flaw let the attack reach over 2,000 firms at once.
Lateral movement
Once inside, the group moves through the network. They raise their access rights until they hit admin level. That gives them control over every linked machine.
Data theft
Before any locking happens, REvil steals private files. This is not an afterthought. Stolen data becomes the second lever in their extortion model.
Encryption
REvil uses Elliptic Curve Diffie-Hellman for its keys and Salsa20 to encrypt the files. This is faster than RSA and AES. Without the key, file recovery is not possible.
Backup destruction
REvil deletes Shadow Copies and any backup it can reach on the network. It kills database servers, email clients, and Office tools. This wipes the victim’s recovery path before the ransom note appears.
Ransom demand
A note appears on every locked machine. It links to a Tor payment site with a cutoff date. Miss it and the ransom doubles. Refuse, and the stolen data goes public.
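The backup destruction stage is the one a defender can most reliably see in endpoint telemetry, because shadow copies and running services have to be dealt with before encryption starts. The following is an added example, not REvil code and not from the article's author: two detection rules run over constructed process-creation events in a Sysmon Event ID 1 style (the field names `ts`, `host`, `user`, `parent`, `image`, `cmdline` are assumed). Rule one flags shadow-copy deletion commands; rule two flags a burst of process or service kills on one host inside a short window, which is what it looks like when an operator clears the locks on database and mail software before encrypting.

```python
"""Detection logic for the backup-destruction stage of a REvil-style intrusion.

Added example for this article (not REvil code, not the article author's code).
Assumes Sysmon Event ID 1 style process-creation events with the fields
ts, host, user, parent, image, cmdline. All sample events are constructed.
"""
import re
from datetime import datetime, timedelta

# Rule 1: shadow-copy deletion. (image name pattern, command-line pattern).
# These are ordinary Windows admin tools, so the alert carries user and parent
# process so an analyst can tell a backup agent from an interactive shell.
SHADOW_DELETE_RULES = [
    (re.compile(r"vssadmin(\.exe)?", re.I), re.compile(r"\bdelete\s+shadows\b", re.I)),
    (re.compile(r"wmic(\.exe)?", re.I), re.compile(r"\bshadowcopy\s+delete\b", re.I)),
]
# Rule 2: process/service kills, i.e. taskkill /IM <name> or net stop <service>.
KILL_TOOL = re.compile(r"(taskkill|net1?)(\.exe)?", re.I)
KILL_VERB = re.compile(r"(/IM\s+\S+|\bstop\s+\S+)", re.I)
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 3  # kills per host per window before alerting

# Constructed sample telemetry: a benign vssadmin listing by a backup agent,
# a deletion from an interactive shell, then a kill burst on the same host.
SAMPLE_EVENTS = [
    {"ts": "2021-07-02T14:01:02Z", "host": "WS-0417", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"ts": "2021-07-02T14:02:30Z", "host": "WS-0417", "user": "CORP\\svc_backup", "parent": "backupagent.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe list shadows"},
    {"ts": "2021-07-02T14:03:05Z", "host": "WS-0417", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2021-07-02T14:03:10Z", "host": "WS-0417", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\taskkill.exe", "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"ts": "2021-07-02T14:03:12Z", "host": "WS-0417", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net stop MSSQLSERVER /y"},
    {"ts": "2021-07-02T14:03:15Z", "host": "WS-0417", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\taskkill.exe", "cmdline": "taskkill /F /IM outlook.exe"},
    {"ts": "2021-07-02T14:03:40Z", "host": "WS-0417", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\taskkill.exe", "cmdline": "taskkill /F /IM winword.exe"},
    # A lone service stop on another host: below the burst threshold, not an alert.
    {"ts": "2021-07-02T15:10:00Z", "host": "WS-0220", "user": "CORP\\admin", "parent": "powershell.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net stop Spooler"},
]


def image_name(image: str) -> str:
    """File name of a Windows image path: C:\\Windows\\System32\\vssadmin.exe -> vssadmin.exe."""
    return image.rsplit("\\", 1)[-1]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_shadow_copy_deletion(events):
    """Rule 1: any shadow-copy deletion command, with context for triage."""
    alerts = []
    for ev in events:
        name = image_name(ev["image"])
        for image_re, cmd_re in SHADOW_DELETE_RULES:
            if image_re.fullmatch(name) and cmd_re.search(ev["cmdline"]):
                alerts.append({"rule": "shadow_copy_deletion", "host": ev["host"], "user": ev["user"],
                               "parent": ev["parent"], "cmdline": ev["cmdline"]})
    return alerts


def detect_kill_burst(events):
    """Rule 2: at least BURST_THRESHOLD kills on one host within BURST_WINDOW."""
    kills_by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if KILL_TOOL.fullmatch(image_name(ev["image"])) and KILL_VERB.search(ev["cmdline"]):
            kills_by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, kills in kills_by_host.items():
        # Sliding window over the time-sorted kills; report the densest window.
        best_count, best_span, start = 0, (0, 0), 0
        for end in range(len(kills)):
            while parse_ts(kills[end]["ts"]) - parse_ts(kills[start]["ts"]) > BURST_WINDOW:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_span = end - start + 1, (start, end + 1)
        if best_count >= BURST_THRESHOLD:
            alerts.append({"rule": "kill_burst", "host": host, "count": best_count,
                           "targets": [k["cmdline"] for k in kills[best_span[0]:best_span[1]]]})
    return alerts


def detect(events):
    """Run both rules and return the combined alert list."""
    return detect_shadow_copy_deletion(events) + detect_kill_burst(events)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample events this raises two alerts: the deletion launched from `cmd.exe` by an ordinary user (the backup agent's `list shadows` is ignored), and a four-kill burst on the same host inside 35 seconds. Both fire before any file is encrypted, which is the point: the ransom note is the last stage, and the stages before it leave process logs.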
REvil Ransomware Timeline (2019 to 2022)
| Date | Event |
|---|---|
| April 2019 | REvil ransomware appears for the first time. Researchers link it to GandCrab. |
| 2019 to 2020 | The REvil ransomware group builds its partner network and targets larger firms. |
| March 2021 | Acer receives a $50M ransom demand. |
| April 2021 | Apple supplier Quanta Computer is attacked. Unreleased Apple product designs are stolen. |
| June 2021 | JBS pays $11M in Bitcoin to restore its operations. |
| June 2021 | Invenergy suffers a breach, including the CEO’s private emails. |
| July 2, 2021 | The Kaseya attack hits 2,000 firms. REvil asks for $70M. |
| July 13, 2021 | REvil’s servers go dark without any notice. |
| September 2021 | REvil comes back online. The FBI later confirms it had hacked REvil’s own servers. |
| October 2021 | REvil shuts down a second time after its servers are reportedly breached. |
| January 2022 | Russia’s FSB catches 14 REvil ransomware group members. |
| 2022 onwards | REvil-linked activity continues under new names. |
Major REvil Ransomware Attacks
The REvil ransomware group issued the same threat to every target: pay the ransom, or we post your data. Here are the worst REvil ransomware attacks on record.
Renewable Energy Company Invenergy
Chicago-based clean energy firm Invenergy was hit by REvil ransomware in June 2021. The company launched a review as soon as it found the breach.
The REvil ransomware group posted on its dark web blog. It claimed to have stolen four terabytes of data, including project files and contracts.
The attack went further than most. The group said it had accessed private emails and photos of CEO Michael Polsky. It also claimed to hold details about his divorce. The aim was clear: pressure the person, not just the firm.
Tech Giant Acer
Taiwanese electronics maker Acer was hit by REvil ransomware in March 2021 and received a $50 million ransom demand. It was the largest ransom demand at the time.
The REvil group posted proof on its leak blog. The files showed money sheets, bank balances, and bank letters.
The group offered a 20% discount if Acer paid before the cutoff date. In return it promised a decryptor, the deletion of all stolen files, and a report on the flaw it had used. Acer never said whether it paid. In a public statement, the firm said it had reported the incident to the relevant authorities.
Software Provider Kaseya
In July 2021, Kaseya suffered one of the worst REvil ransomware attacks on record. The group exploited a zero-day flaw (CVE-2021-30116) in Kaseya VSA, a remote management tool used by managed service providers (MSPs).
MSPs use VSA to manage multiple client networks simultaneously. The attack spread fast. Up to 2,000 firms across 17 countries were hit.
REvil posted on Happy Blog and claimed that over 1 million devices had been locked. It asked for $70 million in Bitcoin for a single key to unlock them all.
The fallout was wide. Swedish food chain Coop had to close most of its 800 stores for a full day because its till software ran on an affected provider. Dutch IT firms Hoppenbrouwer Techniek and VelzArt were also among those hit.
The FBI got the key and gave it to Kaseya. But weeks had already passed, and the damage was done.
Meat Supplier JBS
JBS, the world’s largest meat firm, was hit by REvil ransomware in May 2021. The attack shut down cattle processing at all of its US plants for a full day. That pushed up food prices nationwide.
JBS paid $11 million in Bitcoin. CEO Andre Nogueira spoke about it openly: “This was a very hard decision to make for our company and for me. We felt this had to be done to stop any risk to our clients.”
JBS got most systems back using its own backups. It was fully running again within 24 hours. But the ransom was still paid.
Apple Supplier Quanta Computer Inc
Quanta Computer Inc, one of Apple’s key manufacturing partners, was hit by the REvil ransomware group in April 2021. The stolen data included design sheets for Apple products not yet released, such as new MacBooks.
The group timed the post to Apple’s Spring Loaded event. By the time the event ended, REvil had already put product designs online.
Quanta refused to pay the $50 million demand. So REvil turned to Apple. It threatened to post new files every day unless Apple paid by May 1, 2021. No payment was ever confirmed.
How Was the REvil Ransomware Group Caught?
Russia’s FSB arrested 14 members of the REvil ransomware group in January 2022. Raids took place across Moscow, St. Petersburg, and the Moscow Oblast.
Agents seized over 426 million rubles, $600,000 in US dollars, 500,000 euros, 20 luxury cars, and a range of tech gear.
Russia rarely acts on cyber gangs that hit foreign targets. The arrests came after a call between US President Biden and Russian President Putin. Biden reportedly pushed hard for action against ransomware groups on Russian soil.
Separately, the US charged Yaroslav Vasinskyi, a Ukrainian man linked to the Kaseya attack. He was caught in Poland and sent to the United States.
Is REvil Ransomware Still Active?
The core group is gone. The code is not.
Researchers found ransomware strains in 2022 and 2023 that shared large parts of REvil’s code. The group’s source code was leaked and used as a base for new attacks. Former partners likely kept working under new names.
The threat REvil built has not gone away. It has simply changed hands.
How to Protect Against REvil Ransomware Attacks
REvil attacks through tech gaps and through people. Defense needs to cover both.
Patch fast. The Kaseya attack used an unpatched flaw. Patch internet-facing systems and remote tools first. Apply key updates within 24 to 72 hours of release.
Use multi-factor authentication (MFA). REvil gets in through stolen logins and phishing. MFA blocks login-based attacks cold. Apply it to all remote access, email, and admin accounts.
Lock down RDP. Remote Desktop Protocol is one of the most common entry points for ransomware. Turn it off where it is not needed. Where it is needed, limit access by IP address and require MFA.
Split your network. Network segmentation limits how far a hacker can move once they get in. Keep payroll, backups, and key servers apart from general machines.
Keep offline backups. REvil deletes any backup it can reach on the network. Your only safe backup is one that it cannot reach. Test your restore process often. An untested backup is not a backup.
Train your staff. Most REvil ransomware attacks start with a phishing email. Security awareness training for employees is one of the most cost-effective defenses available. Run ransomware awareness simulations to test how your staff reacts before a real attack does.
Build an incident response plan. Decide what to do before an attack hits. Who gets called? Who can pull systems offline? Where are the backups? Clear answers cut response time when every minute matters.
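"Test your restore process often" is the step most teams skip, because a restore drill is work and a green backup job looks like success. The following is an added example, not a Threatcop tool or anything from the article's author: it assumes the backup job writes a manifest of SHA-256 hashes alongside the copied files (the manifest format is assumed), and a restore drill then rehashes what came back and reports anything missing, altered, or unexpected. Everything it touches is constructed in a temporary directory, so it runs offline; swap `restore_drill` for your real backup and restore paths to use it for an actual drill.

```python
"""Restore test for an offline backup set.

Added example for this article, not a Threatcop or vendor tool. Assumes the
backup job stores a JSON manifest of SHA-256 hashes with the offline copy; the
drill rehashes the restored tree and classifies every difference. All files
below are constructed in a temporary directory.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file's path relative to root (with / separators) to its hash."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(source: Path, manifest: Path) -> dict:
    """Record reference hashes at backup time; keep this file with the offline copy."""
    entries = hash_tree(source)
    manifest.write_text(json.dumps(entries, indent=1, sort_keys=True))
    return entries


def verify_restore(restored: Path, manifest: Path) -> dict:
    """Compare a restored tree to the manifest and classify every difference."""
    expected = json.loads(manifest.read_text())
    actual = hash_tree(restored)
    missing = sorted(set(expected) - set(actual))      # never came back
    extra = sorted(set(actual) - set(expected))        # not in the backup set
    altered = sorted(k for k in expected.keys() & actual.keys() if expected[k] != actual[k])
    return {"ok": not (missing or extra or altered), "checked": len(expected),
            "missing": missing, "altered": altered, "extra": extra}


def restore_drill(damage: bool = True) -> dict:
    """Simulate backup -> restore -> verify on constructed data. With damage=True the
    restore comes back with one truncated file and one missing file, which the
    check must catch; with damage=False it must report ok."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live = base / "live"
        (live / "db").mkdir(parents=True)
        (live / "db" / "payroll.sqlite").write_bytes(b"constructed payroll database")
        (live / "config.yaml").write_text("retention_days: 30\n")
        (live / "notes.txt").write_text("constructed notes\n")
        manifest = base / "manifest.json"
        write_manifest(live, manifest)
        restored = base / "restored"
        shutil.copytree(live, restored)
        if damage:
            (restored / "db" / "payroll.sqlite").write_bytes(b"constructed payroll data")  # truncated
            (restored / "notes.txt").unlink()  # file never made it back
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print(json.dumps(restore_drill(), indent=1))
```

The report names the damaged and missing files rather than just failing, so the drill tells you which part of the restore path is broken. The manifest has to live with the offline copy: if it sits on the network share that REvil wipes, the attacker destroys your evidence of what a good restore looks like along with the backup itself.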
Threatcop’s Security Awareness Training platform (TSAT) helps teams train against phishing, ransomware, and social attacks through live simulations and targeted learning modules.
Conclusion
REvil ransomware caused more damage in less time than almost any group before it. It hit food firms, tech giants, energy groups, and software makers. It built a crime model that others have since copied.
The group is largely gone. The tactics are not.
Ransomware attacks keep evolving. Former REvil partners are active under new names. The entry points remain the same: phishing emails, weak logins, unpatched tools, and staff who have never seen a real attack.
Train your people before attackers test them. Threatcop’s ransomware awareness and simulation tools help your team spot and stop real threats before they become full incidents.
FAQs
Q1: What is the REvil Group and where did it originate?
REvil, also known as Sodinokibi, is a Russia-based ransomware-as-a-service group that first appeared in April 2019 and became one of the most widespread ransomware operations globally.
Q2: How does REvil encrypt files?
Unlike most ransomware, REvil uses Elliptic-curve Diffie-Hellman key exchange and Salsa20 encryption. It also deletes backups and shadow copies to prevent file recovery.
Q3: What was REvil's biggest attack?
The Kaseya VSA attack in July 2021 was among the most far-reaching, affecting thousands of organizations globally, with REvil demanding a massive Bitcoin ransom for a universal decryption key.

Senior Writer
Shantanu is an accomplished content strategist and technology enthusiast at Threatcop Inc. With a knack for translating technical intricacies into reader-friendly narratives, Shantanu contributes to making cybersecurity insights both informative and enjoyable for tech enthusiasts and general audiences alike.
