What is REvil?

REvil is an ambitious criminal ransomware-as-a-service (RaaS) enterprise that first came to prominence in April 2019, following the demise of another ransomware gang, GandCrab.

The REvil group is also known sometimes by other names such as Sodin and Sodinokibi.

There’s been plenty of ransomware before. What makes REvil so special?

REvil has gained a reputation for attempting to extort far larger payments from its corporate victims than those typically seen in other attacks. It is actively promoted on underground cybercrime forums as the best choice for attacking business networks, where there is more money to be made than from infecting the computers of home users.

Aside from the many high-profile companies and organisations that have fallen foul of REvil, the group also steals data from its victims' computers and networks before encrypting them. This technique of applying additional pressure on victims is becoming more and more commonplace.

REvil threatens to release stolen data by auctioning it off on its website (anachronistically called the “Happy Blog”) if ransom demands are not met.

Happy Blog REvil Auction

The “Happy Blog” lists recent victims of REvil, attaching a sample of the stolen data as proof that information has been exfiltrated from an organisation. The REvil gang even offers a “trial” decryption to prove to the victim that their files can be decrypted.

A countdown timer indicates when data leaks will be made public, applying more pressure to companies debating how they should respond.

Hello – some of your files containing confidential information have been downloaded and are located on our servers. If you refuse to negotiate with us, all documents will be published on the blog and published by the media. If an agreement is reached, the data will be permanently deleted. We advise you to quickly contact us through