// Threat Intelligence Profile

REvil / Sodinokibi

Successor to GandCrab. Active 2019–2022 and responsible for some of the largest and most disruptive ransomware incidents in history. Analysis based on 20 negotiation transcripts.

Operational Overview

REvil (also known as Sodinokibi) emerged in April 2019 as the successor to GandCrab, one of the first successful ransomware-as-a-service operations. REvil's operators inherited significant technical expertise and criminal infrastructure from GandCrab, and rapidly established REvil as one of the most capable and financially successful ransomware operations of the 2019–2022 period.

REvil operated a selective RaaS model, carefully vetting affiliates through an application process and maintaining a smaller, higher-quality affiliate base compared to more open platforms. The group's "Happy Blog" leak site published victim data and served as a key pressure mechanism. REvil pioneered several tactics that subsequently became standard practice across the ransomware ecosystem, including double extortion (simultaneous encryption and data theft), auctioning victim data to competitors, and DDoS attacks against victim networks as additional pressure.

The group went dark in July 2021 following the Kaseya attack and resulting US government pressure. It briefly re-emerged in September 2021 but shut down permanently in January 2022 following coordinated law enforcement action by the US, Russia, Ukraine, and other countries. Russian authorities arrested several REvil members in January 2022 at the request of the US government — a historically unusual instance of Russian law enforcement action against domestic cybercriminals.

Initial Access & Entry Vectors

REvil's primary initial access vectors evolved throughout its operational period:

  • Exploit kits and malvertising: In its early phase (2019–2020), REvil relied heavily on exploit kits including RIG and GrandSoft to deliver payloads via compromised websites.
  • Phishing and credential theft: Spear-phishing campaigns delivering malicious attachments, often using IcedID or other loader malware as intermediaries.
  • RDP exploitation: Brute-forcing or purchasing compromised RDP credentials from underground markets.
  • Supply chain attacks: The Kaseya attack in July 2021 demonstrated REvil's capability and willingness to conduct sophisticated supply chain compromises, exploiting a zero-day vulnerability (CVE-2021-30116) in Kaseya VSA to push ransomware through managed service providers to their clients simultaneously.
  • Managed service provider compromise: REvil frequently targeted MSPs to amplify its reach, encrypting multiple downstream clients from a single MSP compromise.

Technical Characteristics

REvil's encryptor was written in C and was technically sophisticated. Key characteristics:

  • Salsa20 encryption: File content was encrypted using Salsa20, with keys protected using Elliptic Curve Diffie-Hellman (ECDH) key exchange — a technically robust cryptographic implementation.
  • Configurable targeting: The REvil binary was highly configurable, allowing affiliates to specify target file extensions, directories to skip, network shares to target, and whether to encrypt files on network-attached storage.
  • Safe Mode abuse: REvil could reboot a system into Windows Safe Mode with Networking before encrypting, sidestepping the many endpoint detection products that do not load in Safe Mode.
  • Wallpaper replacement and ransom note deployment: Post-encryption actions included desktop wallpaper changes and deployment of named ransom notes based on victim identifiers.
  • Affiliate tracking: Each REvil sample contained an embedded affiliate identifier, allowing the core team to track which affiliate generated which payment and calculate commission splits automatically.
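As an added defender-side example that is not part of this profile: a small Python heuristic that flags the Safe Mode boot preparation described above in process-creation telemetry. It assumes the boot configuration is changed through the Windows bcdedit utility (the documented way to set a Safe Mode boot) and runs over constructed sample records in a simplified (host, user, image, command line) schema.

```python
# Added example (not from the REvil profile): flag Safe Mode boot preparation in
# process-creation telemetry. Assumes the boot configuration is changed via the
# Windows bcdedit utility; records are (host, user, image, command_line) tuples.
import re

# Constructed sample records (simplified Sysmon Event ID 1 fields), for illustration only.
SAMPLE_EVENTS = [
    ("ws-01", "CORP\\alice", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir C:\Users"),
    ("srv-02", "CORP\\svc_backup", r"C:\Windows\System32\bcdedit.exe",
     "bcdedit.exe /set {current} safeboot network"),
    ("srv-02", "CORP\\svc_backup", r"C:\Windows\System32\shutdown.exe", "shutdown.exe /r /t 0 /f"),
    ("ws-07", "CORP\\bob", r"C:\Windows\System32\bcdedit.exe", "bcdedit.exe /enum"),
    ("srv-03", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\bcdedit.exe",
     "bcdedit.exe /deletevalue {default} safeboot"),
]

# bcdedit writing a safeboot value: "network" is the Safe Mode with Networking variant
# the profile describes, "minimal" the plain Safe Mode variant.
SAFEBOOT_SET = re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b.*\b(network|minimal)\b", re.I)


def is_forced_reboot(cmdline: str) -> bool:
    """True for shutdown.exe invocations that both restart (/r) and force (/f)."""
    if not re.search(r"\bshutdown(\.exe)?\b", cmdline, re.I):
        return False
    return bool(re.search(r"[/-]r\b", cmdline)) and bool(re.search(r"[/-]f\b", cmdline))


def scan(events):
    """Return (host, severity, reason) alerts in event order.

    A safeboot change alone is 'high'; a forced reboot on the same host later in
    the batch is 'critical', since that is when agents that do not load in Safe
    Mode would go blind. Plain enumeration and clearing the value are not flagged.
    """
    alerts = []
    armed = set()  # hosts that configured a Safe Mode boot earlier in the batch
    for host, user, _image, cmdline in events:
        if SAFEBOOT_SET.search(cmdline):
            armed.add(host)
            alerts.append((host, "high", f"Safe Mode boot configured by {user}: {cmdline}"))
        elif host in armed and is_forced_reboot(cmdline):
            alerts.append((host, "critical", f"forced reboot after safeboot change: {cmdline}"))
    return alerts
```

In production the same two-step correlation would be keyed on host plus a time window rather than batch order, and the safeboot rule alone is worth alerting on, since legitimate Safe Mode boots by administrators are rare on servers.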

Negotiation Patterns & Demand Analysis

REvil was known for some of the highest initial ransom demands in the industry. The group operated a tiered payment structure through their Tor-based victim portal: a standard ransom for the decryptor, and a "delete data" fee to prevent publication on their Happy Blog leak site. These were sometimes priced separately, creating additional negotiation complexity.

Initial demands in our 20-transcript archive ranged from $500,000 to $70 million (the Kaseya demand was $70M for a universal decryptor). REvil's negotiators were known for maintaining high demands and resisting significant reductions, though the data shows reductions of 40–60% were achievable in many cases, particularly for smaller victims who could demonstrate inability to pay.

Key negotiation characteristics observed across our transcript data:

  • Strong initial anchoring at high demand levels
  • Clear deadline pressure with countdown timers and published price-doubling schedules
  • Willingness to provide sample decryption as proof of capability
  • Sophisticated awareness of victim cyber insurance coverage, sometimes demanding amounts calibrated to policy limits
  • Demands for victims to obtain cryptocurrency independently, with guidance on exchange use

Notable Incidents

  • Travelex (January 2020): The foreign exchange company was hit with a $6M demand. The attack brought down Travelex's online services globally for weeks during the peak holiday season.
  • JBS Foods (May 2021): The world's largest meat processing company paid $11M in bitcoin to REvil to prevent further disruption. The attack temporarily shut down operations in the US, Canada, and Australia.
  • Kaseya VSA (July 2021): REvil exploited a zero-day in Kaseya's remote management software to simultaneously encrypt the networks of up to 1,500 businesses through their managed service providers. The $70M universal decryptor demand was unprecedented. The US government subsequently obtained the universal decryptor through law enforcement action.
  • Quanta Computer (April 2021): A $50M demand targeting Apple's manufacturing partner, with Apple schematics threatened for publication during an Apple product event.

Law Enforcement Action and Arrests

REvil faced significant law enforcement pressure following the Kaseya attack. In November 2021, the US Department of Justice unsealed charges against Yaroslav Vasinskyi (Ukrainian national, arrested in Poland) and Yevgeniy Polyanin (Russian national, charged in absentia) for their roles in REvil attacks. $6.1M in funds traceable to Polyanin were seized.

In January 2022, Russian authorities — acting on US government information sharing — arrested 14 alleged REvil members and seized approximately $6.5M in cash and cryptocurrency, multiple luxury vehicles, and computer equipment. This represented a historically unusual instance of Russian law enforcement action against its own cybercriminals.

View Negotiation Transcripts

All 20 REvil negotiation transcripts are available in our public archive, covering the group's 2019–2021 operational period.

Quick Reference

Status: DEFUNCT
Active Period: April 2019 – January 2022
Also Known As: Sodinokibi
Transcripts: 20
Demand Range: $500K – $70M
Model: Selective RaaS, Double Extortion
Successor To: GandCrab
Arrests: Jan 2022 (Russia, Ukraine)

Key Negotiation Insights

Tone: Business-like, high-pressure
Initial Demands: Among highest in sector
Negotiability: Moderate (40–60% reductions seen)
Timeline Pressure: High (price-doubling deadlines)
Insurance Awareness: High — calibrated to policies

Facing a REvil-Linked Attack?

REvil's techniques and personnel influenced many successor groups. If you're responding to a high-demand ransomware incident, our team can provide expert negotiation and technical support.
