Full Report
Community Feature - @BushidoToken

Curated Intelligence co-founder Will T recently sat down with Jack Rhysider from Darknet Diaries to discuss how the REvil ransomware group changed the game forever. Ever since the group appeared in early 2019 and disappeared after the Kaseya hack, it gained the attention of the world with daring, financially motivated cyberattacks.

https://darknetdiaries.com/episode/126/

Will shared a blog on the Evolution of REvil in July 2021, shortly after the core REvil group exited the scene. In November 2021, several REvil affiliates were arrested across Europe in Poland and Romania. Members of REvil were subsequently arrested by the Russian FSB on 14 January 2022, as announced in a press release.

Where is REvil now?

Interestingly, some REvil activity continued to be reported by researchers after the arrests. ReversingLabs reported additional implants, suggesting something was still causing the ransomware to spread. The continued appearance of REvil samples was seemingly due to the ransomware binary being co-opted into other campaigns, such as LV ransomware and RansomCartel. Recorded Future analysts also said they believe the ALPHV (BlackCat) ransomware author was previously involved with the infamous REvil ransomware organization in some capacity.

Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content, let us know!
Analysis Summary
# Threat Actor: REvil Ransomware Group
## Attribution & Identity
The threat actor is the **REvil** ransomware group, also known as **Sodinokibi**. The article discusses the group's history and subsequent disruptions, including arrests of affiliates and core members. There is a noted belief that the author of the **ALPHV (BlackCat)** ransomware was previously involved with REvil.
## Activity Summary
REvil gained significant attention starting in **early 2019** for conducting daring, financially motivated cyberattacks. A major, highly visible operation mentioned is the **Kaseya hack**, which occurred just before the group seemingly exited the scene. Following the initial disruption, some REvil activity continued, as other campaigns co-opted the REvil binary (e.g., LV ransomware and RansomCartel). Arrests targeting affiliates occurred in Europe (Poland and Romania) in November 2021, and the Russian FSB announced further arrests of core group members on January 14, 2022.
## Tactics, Techniques & Procedures
The article focuses on the *consequence* of their operational success (impact and evolution) rather than listing specific technical TTPs (e.g., exploitation methods or defense evasion).
- Primary Tactic: Ransomware deployment leading to financially motivated attacks.
- Observed Phenomenon: Its ransomware binary was co-opted into subsequent campaigns (LV ransomware, RansomCartel).
- MITRE ATT&CK IDs: Not specified in the source material.
## Targeting
- Sectors: Financially motivated cyberattacks are implied across various sectors. The Kaseya attack implies targeting managed service providers (MSPs) as a supply chain vector.
- Geography: Affiliates were arrested across Europe (Poland, Romania). Arrests of core members were announced by the Russian FSB.
- Victims: Specific victims are not named, but operations targeted organizations capable of high-value ransoms.
## Tools & Infrastructure
- Malware families used: **REvil Ransomware** (also known as Sodinokibi). Note that the binary has been observed in use by the subsequent campaigns referenced, such as **LV ransomware** and **RansomCartel**.
- Infrastructure (C2, domains, IPs): No specific URLs or IP addresses are provided or defanged in the source text.
## Implications
REvil significantly "changed the game" in the ransomware landscape, forcing high-level global law enforcement attention, leading to significant international arrests, and setting a precedent for highly disruptive financially motivated attacks. Their legacy continues as their code appears in use by other ransomware strains even after the core group was believed to be dismantled.
## Mitigations
The article does not provide specific defense recommendations, but given the severity of attacks like the Kaseya incident it implies the need for network defense resilience, strong supply chain security, and response preparation for ransomware events.