Threat Actor

REvil

revil_sodinokibi · russia_speaking_cybercrime · active since 2019

REvil / Sodinokibi (Sodin ransomware / Pinchy Spider / GandCrab Successor / G0124) was one of the most operationally prolific ransomware operations of the 2019-2021 period: a financially-motivated organized cyber-criminal cluster operating from Russia from approximately April 2019 through October 2021 (approximately thirty months of sustained operations), widely treated by vendor consensus as the operational successor to the earlier GandCrab ransomware operation (active 2018-2019). It has the strongest formal-attribution profile of any 2019-2021 ransomware operation, grounded in multiple Western and Russian law-enforcement actions: (1) the November 8, 2021 US DOJ indictments of Yaroslav Vasinskyi (Ukrainian national, born July 18, 1999, arrested at the Polish-Ukrainian border October 8, 2021, extradited to the US March 2022, pleaded guilty April 2024, sentenced May 2024 to thirteen years and seven months in federal prison plus ~$16M USD restitution) and Yevgeniy Polyanin (Russian national, sanctions-designated by US Treasury OFAC the same date, remains in Russia);

(2) the operationally unusual January 14, 2022 Russian FSB arrests of fourteen REvil members in Moscow, St. Petersburg, and Leningrad, a temporary departure from the Russian government's historical pattern of not pursuing cybercrime operators targeting Western victims, apparently motivated by US-Russia diplomatic engagement on the Kaseya attack including the June 16, 2021 Biden-Putin Geneva Summit discussions; the subsequent Russia-Ukraine war effectively ended US-Russia counter-cybercrime cooperation.

The cluster's most operationally consequential operation was the July 2-4, 2021 Kaseya VSA supply-chain attack, which exploited the CVE-2021-30116 zero-day and affected ~1,500+ downstream organizations globally, primarily through MSP targeting, with cascading impact across ~20 countries (Coop Sweden closed ~800 stores) and a unified $70M USD ransom demand, among the largest single ransom demands in the publicly-tracked record.

Other high-profile victims included Travelex (Dec 2019, ~$2.3M USD ransom), Grubman Shire Meiselas & Sacks (May 2020), JBS Foods (May 30, 2021, world's largest meat-processing company, $11M USD ransom payment confirmed), Acer (March 2021, $50M USD demand), and Quanta Computer, an Apple supplier (April 2021, ~$50M USD demand).

The cluster effectively terminated operations in October 2021 following FBI disruption activity and an operator-initiated infrastructure shutdown; a brief operational resumption attempted in April-May 2022 did not sustain.

russia_speaking_cybercrime · confidence: high · 22 aliases · MITRE ATT&CK G0115

Profile

REvil / Sodinokibi (also tracked as Sodin ransomware, Pinchy Spider [CrowdStrike], GandCrab Successor, and MITRE ATT&CK G0124) was one of the most operationally prolific ransomware operations of the 2019-2021 period: a financially-motivated organized cyber-criminal cluster operating from Russia from approximately April 2019 through October 2021 (approximately thirty months of sustained operations). The cluster is widely treated by modern vendor consensus as the operational successor to the earlier GandCrab ransomware operation (active 2018-2019, one of the earliest commercially-successful ransomware-as-a-service operations), based on substantial technical similarity in tooling and operational tradecraft.

The cluster has the strongest formal-attribution profile of any 2019-2021 ransomware operation, grounded in multiple Western and Russian law-enforcement actions. First, the November 8, 2021 US DOJ unsealing of indictments of two REvil members:
  • Yaroslav Vasinskyi (Ukrainian national, born July 18, 1999, arrested at the Polish-Ukrainian border October 8, 2021, subsequently extradited to the US March 2022, pleaded guilty April 2024, sentenced May 2024 to thirteen years and seven months in federal prison plus ~$16M USD restitution)
  • Yevgeniy Polyanin (Russian national, sanctions-designated by US Treasury OFAC the same date, remains in Russia)

The Vasinskyi arrest and subsequent prosecution represented one of the most operationally significant individual-operator-attribution outcomes in the publicly-tracked cybercrime record, alongside the FIN7 Dunaev/Hladyr/Kolpakov/Witte prosecutions and the Evil Corp Yakubets/Turashev OFAC sanctions.

Second, the operationally unusual January 14, 2022 Russian FSB arrests of fourteen REvil members in Moscow, St. Petersburg, and Leningrad. Russian authorities historically have not pursued cybercrime operators targeting Western victims; the REvil FSB arrests represented a temporary departure from that pattern, apparently motivated by US-Russia diplomatic engagement on the Kaseya attack including the June 16, 2021 Biden-Putin Geneva Summit discussions. The subsequent Russia-Ukraine war (beginning February 24, 2022) effectively ended US-Russia counter-cybercrime cooperation, and the post-January-2022 status of the FSB-arrested REvil members remains analytically open. The FSB arrests are a meaningful operational-doctrine data point about Russian-government counter-cybercrime capability when political conditions support such action.

The cluster's most operationally consequential single operation was the July 2-4, 2021 Kaseya VSA supply-chain attack, one of the most consequential supply-chain ransomware operations in the publicly-tracked record. REvil exploited a zero-day vulnerability (CVE-2021-30116) in Kaseya VSA (Virtual System Administrator) remote monitoring and management software to deploy REvil ransomware to approximately 1,500+ downstream organizations globally, primarily through managed-service providers (MSPs) using Kaseya VSA to remotely administer their customer environments. The attack:
  • Began July 2, 2021 (US Independence Day weekend, deliberately timed to maximize defender response delay)
  • Affected MSPs in approximately twenty countries
  • Had cascading impact on small-and-medium-business customers globally (including the Coop supermarket chain in Sweden, which closed ~800 stores for multiple days)
  • Demanded a unified $70M USD ransom for universal decryption across all victims, among the largest single ransom demands in the publicly-tracked record
  • Contributed substantially to elevated international policy attention to ransomware as a critical-infrastructure issue and directly informed the June 16, 2021 Biden-Putin Geneva Summit ransomware discussions
  • Kaseya subsequently obtained a universal decryption key (reportedly via FBI provision), enabling Kaseya VSA customer recovery without ransom payment

Other high-profile documented REvil victims include:
  • Travelex (December 31, 2019, ~$2.3M USD ransom reportedly paid; Travelex parent Finablr subsequently experienced sustained operational difficulties partially attributed to the attack)
  • Grubman Shire Meiselas & Sacks (May 2020, US entertainment-and-celebrity law firm, ~756GB of client data claimed stolen)
  • JBS Foods (May 30 - June 2021, largest meat-processing company globally, with US/Canadian/Australian operations disrupted; $11M USD ransom payment confirmed)
  • Acer (March 2021, $50M USD ransom demand)
  • Quanta Computer (April 2021, ~$50M USD ransom demand; Apple supplier with Apple product information disclosed)
  • HX5 (US defense-industrial-base contractor, January 2020)
  • approximately 800+ additional commercial victims during the operational lifespan

Operationally, REvil's initial-access tradecraft centered on:
  • Spear-phishing with weaponized attachments
  • Exploitation of disclosed n-day vulnerabilities (notably Pulse Connect Secure CVE-2019-11510, Citrix ADC CVE-2019-19781, vSphere CVE-2021-21972)
  • Managed-service-provider (MSP) targeting tradecraft: compromise of MSP environments enabling downstream attacks against the MSP's customer organizations (operationally distinctive at time of emergence, though subsequently replicated by the Cl0p MOVEit Transfer mass-exploitation and other supply-chain ransomware operations)
  • Affiliate-recruited credential theft and underground-marketplace credentialed access

The cluster effectively terminated operations in October 2021 following FBI disruption activity and an operator-initiated infrastructure shutdown. A brief operational resumption attempted in April-May 2022 did not sustain. The REvil brand has not subsequently been operationally active under that identity, though personnel are widely assessed to have surfaced under other cluster identities, consistent with the broader Russia-speaking organized cybercrime ecosystem successor-diaspora pattern.

A handful of operational notes:

First, the cluster represents one of the most operationally consequential ransomware case studies in the publicly-tracked record. The Kaseya VSA supply-chain attack alone represents one of the most consequential cyber-criminal operations against critical-infrastructure-adjacent supply chains in the publicly-tracked era. The JBS Foods, Colonial Pipeline (DarkSide, same period; covered as predecessor in the alphv_blackcat.yaml profile), and Kaseya VSA attacks of May-July 2021 collectively represented the most operationally consequential ransomware quarter in the publicly-tracked record and directly drove substantially elevated US federal-government and international policy attention to ransomware as a critical-infrastructure issue.

Second, the Vasinskyi prosecution outcome is one of the most operationally significant individual-operator-attribution outcomes in the publicly-tracked cybercrime record. The thirteen-years-and-seven-months federal prison sentence (May 2024) plus ~$16M USD restitution demonstrate substantial Western-judicial-system follow-through on cybercrime prosecutions when operators are arrested outside Russia. Vasinskyi's location in Ukraine (rather than Russia proper) at the time of arrest enabled the extradition that has not been possible for Khoroshev (LockBit), Yakubets (Evil Corp), Polyanin (REvil co-conspirator), and other Russia-based cluster operators.

Third, the FSB January 2022 arrests represent the only major Russian-government public counter-cybercrime action against Russia-based cybercrime operators targeting Western victims in the publicly-tracked record. The operational-doctrine implications for ongoing counter-cybercrime policy are substantial: the pattern demonstrates that Russian-government counter-cybercrime action is capability-feasible when political conditions support it, but politically unavailable during periods of US-Russia diplomatic non-cooperation (the sustained condition since February 24, 2022). Whether Western policy can re-create conditions enabling future Russian-government counter-cybercrime cooperation is one of the central open analytical questions for ongoing counter-ransomware policy.

Fourth, the cluster's MSP-targeting tradecraft (most operationally consequential in the Kaseya VSA attack) was operationally pioneering at the time of execution and has subsequently been replicated and extended by Cl0p's mass zero-day exploitation against managed-file-transfer software (MOVEit Transfer 2023, GoAnywhere MFT 2023, Accellion FTA 2020), Royal / BlackSuit's CDK Global automotive-dealer-IT-supply-chain compromise (June 2024), and broader supply-chain ransomware operations across the contemporary ecosystem. Defender threat-modeling for ransomware operations should treat supply-chain operations as a meaningful threat category.

Aliases

22 aliases: revil, revil ransomware, revil_ransomware, revilransomware, sodinokibi, sodinokibi ransomware, sodinokibi_ransomware, sodinokibiransomware, sodin, sodin ransomware, sodin_ransomware, pinchy spider, pinchy_spider, pinchyspider, gandcrab successor, gandcrab_successor, happy blog leak site, happy_blog_leak_site, happyblog, g0124, atk 218, atk218

MITRE ATT&CK aliases

1 additional name MITRE lists for G0115: GOLD SOUTHFIELD

Notable Campaigns

10 campaigns:
  • 2022: Russian FSB Arrests of Fourteen REvil Members (January 14, 2022)
  • 2022: Brief Operational Resumption Attempted (April-May 2022)
  • 2021: JBS Foods Attack (May 30 - June 2021)
  • 2021: Kaseya VSA Supply-Chain Attack (July 2-4, 2021), Most Operationally Consequential Cluster Operation
  • 2021: REvil October 2021 Disappearance and FBI Disruption Activity
  • 2021: US DOJ Indictments of Vasinskyi and Polyanin (November 8, 2021)
  • 2020: Grubman Shire Meiselas & Sacks Attack (May 2020)
  • 2019-2020: Travelex Attack (December 31, 2019 - January 2020)
  • 2019: REvil / Sodinokibi Emergence (April 2019)
  • 2018-2019: GandCrab Predecessor Operations (January 2018 - May 2019)

Attribution & Reporting

Attributed by
US Department of Justice, FBI Cyber Division, US Treasury OFAC, CISA (US Cybersecurity and Infrastructure Security Agency), Russian Federal Security Service (FSB), Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT), Ukrainian National Police, Mandiant / FireEye, CrowdStrike, Microsoft Threat Intelligence Center, Recorded Future Insikt Group, SentinelOne, Sophos, Trend Micro, Kaspersky GReAT, Group-IB, PRODAFT, Coveware, Cybereason, IBM X-Force, Trustwave SpiderLabs, Palo Alto Networks Unit 42, Symantec (Broadcom), Cisco Talos, Bitdefender, Brian Krebs (independent investigative reporting)
Key reporting
  • US DOJ: Ukrainian Arrested and Charged with Ransomware Attack on Kaseya (November 8, 2021), Vasinskyi indictment
  • US DOJ: Sodinokibi Ransomware Administrators Charged with Cyberattacks (November 8, 2021), Polyanin indictment
  • US DOJ: Sodinokibi REvil Ransomware Defendant Sentenced (May 1, 2024), Vasinskyi 13y7mo sentence
  • US Treasury OFAC: Sanctions on Polyanin and Virtual Currency Exchange Chatex (November 8, 2021)
  • Russian FSB: Arrests of Fourteen REvil Members (January 14, 2022), operationally unusual Russian counter-cybercrime action
  • CrowdStrike: Sodinokibi Ransomware Pinchy Spider Adversary Profile (multiple years)
  • Mandiant: REvil / Sodinokibi Continued Tracking
  • Microsoft Threat Intelligence: Sodinokibi REvil Ransomware (September 2021)
  • Cisco Talos: Sodinokibi Ransomware Deep Dive
  • Kaspersky GReAT: Sodin CVE-2018-8453 Operational Analysis
  • Recorded Future Insikt Group: REvil Ransomware Tracking (multiple years)
  • Bitdefender: REvil Sodinokibi Operational Analysis
  • Coveware: REvil Ransomware Affiliate Tracking
  • Group-IB: REvil Continued Tracking
  • PRODAFT: REvil Detailed Operational Analysis
  • Sophos: REvil Continued Tracking
  • SentinelOne: REvil Ransomware Tracking
  • Trend Micro: REvil Ransomware Spotlight
  • IBM X-Force: REvil Continued Tracking
  • Symantec (Broadcom): REvil Ransomware Tracking
  • Brian Krebs (independent investigative reporting): REvil Coverage
  • Malpedia Actor Profile: REvil
  • MITRE ATT&CK Group G0124, REvil

Operational

State sponsor

REvil / Sodinokibi was a financially-motivated organized cyber-criminal cluster operating from Russia, not a state-aligned cluster. It operated from approximately April 2019 through October 2021 (approximately thirty months of sustained operations) and was one of the most operationally prolific ransomware operations of the 2019-2021 period. The cluster is widely treated by vendor consensus as the operational successor to the earlier GandCrab ransomware operation (active 2018-2019, one of the earliest commercially-successful ransomware-as-a-service operations). GandCrab operators publicly announced retirement on May 31, 2019, claiming to have collected approximately two billion US dollars in ransom payments; REvil / Sodinokibi emerged in April 2019 with substantial technical similarity to GandCrab, and modern vendor consensus treats the two as operationally-continuous cluster identities under different brand identities.

The cluster has the strongest formal-attribution profile of any 2019-2021 ransomware operation, grounded in multiple Western and Russian law-enforcement actions:
  • November 8, 2021 US DOJ unsealing of the indictment of Yaroslav Vasinskyi (Ukrainian national, born July 18, 1999, arrested at the Polish-Ukrainian border October 8, 2021, subsequently extradited to the US March 2022, pleaded guilty April 2024, sentenced May 2024 to thirteen years and seven months in federal prison and ~$16 million USD restitution)
  • November 8, 2021 US DOJ indictment of Yevgeniy Polyanin (Russian national, sanctions-designated by US Treasury OFAC the same date, remains in Russia)
  • January 14, 2022 Russian Federal Security Service (FSB) announcement of the arrest of fourteen REvil members in Moscow, St. Petersburg, and Leningrad, an unusual Russian-government public counter-cybercrime action (operationally consequential because Russian authorities historically have not pursued cybercrime operators targeting Western victims; the REvil FSB arrests represented a temporary departure from that pattern, apparently motivated by US-Russia diplomatic engagement on the Kaseya attack)
  • Two Romanian REvil affiliates arrested in November 2021

The cluster's most operationally consequential single operation was the July 2-4, 2021 Kaseya VSA supply-chain attack, affecting approximately 1,500+ downstream organizations globally via compromise of Kaseya VSA remote monitoring and management software, one of the most consequential supply-chain ransomware operations in the publicly-tracked record. The cluster effectively terminated operations in October 2021 following FBI disruption activity and an operator-initiated infrastructure shutdown; a brief operational resumption attempted in April-May 2022 did not sustain.

Motivations
financial_gain, financially_motivated, cybercrime, ransomware_deployment, extortion, double_extortion, ransomware_as_a_service_operations, supply_chain_ransomware_operations, high_value_target_selection

Detection Blind Spots

60 techniques. Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
  • Behavioral / log (Sigma): 58/60 (96%)
  • Analytics (MITRE CAR): 30/60 (50%)
  • Runtime / container (Falco): 9/60 (15%)
  • File / malware (YARA): 0/60 (0%)
  • Network (Suricata/Snort): 16/60 (26%)
  • Vuln scan (Nuclei): 0/60 (0%)

Atomic Test Plan

30 techniques. Runnable Atomic Red Team tests covering this actor's mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

2 mapped. Other tooling / TTPs (curation, not ATT&CK-mapped): Meterpreter, mshta, MSP targeting tradecraft, SharpHound, Sodin ransomware, Sodinokibi ransomware
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin