Threat Actor Profile
REvil
REvil, also known as Sodinokibi, is a notorious ransomware-as-a-service (RaaS) threat actor, first observed in 2019. Broadly attributed as Russian-speaking and Russia-based, the group is infamous for its high-impact operations targeting industries globally with double-extortion tactics. Its attacks have caused major disruptions, impacting organizations from small businesses to international enterprises.
Country of Origin
Broadly assessed as Russia-based/Russian-speaking. Indicators include Russian-language forum presence, geo-linguistic checks in malware designed to avoid targeting systems using CIS languages, and consistent U.S./EU attributions referring to the operation as Russia-based.
Members
REvil ran as a classic RaaS. A small core of developers/administrators provided the malware, payment portals, leak site, and support; a rotating cast of affiliates handled intrusion operations, lateral movement, data theft, and negotiation. Reported average payouts and high ransom asks indicate an aggressive “big-game hunting” focus. Exact membership counts, revenue splits, and affiliate rosters are unknown.
Leadership
Public “leadership” mainly surfaced via criminal-forum personas rather than real names. Two recurring handles are central to understanding REvil’s operational narrative. “Unknown” (also “UNKN”) acted as spokesperson and recruiter on Russian-language forums during REvil’s peak; “0_neday” was a later representative who appeared after mid-2021, a period that coincided with infrastructure issues and alleged compromises. Beyond these personas, credible real-world identities remain largely unconfirmed.
REvil TTPs
Tactics
REvil primarily targeted large organizations in critical sectors, employing double-extortion ransomware to encrypt data and exfiltrate sensitive information for financial gain. Its “big-game hunting” focus was underscored by high ransom demands and by escalating pressure through public shaming and threats of data leaks.
Techniques
The group used a variety of techniques to achieve its goals:
Exploitation of zero-day vulnerabilities (e.g., Kaseya VSA).
Credential harvesting through phishing campaigns or RDP brute-forcing.
Deployment of ransomware using living-off-the-land tools like PowerShell.
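Added example, not from this profile or from Huntress: a small Python detector for the RDP brute-forcing technique listed above, run over constructed Windows Security event records (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP). The function name, threshold, window and sample data are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log records: (timestamp, event_id, logon_type, user, source_ip)
# Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP (RemoteInteractive).
SAMPLE_EVENTS = [
    ("2024-01-15T03:10:01", 4625, 10, "admin", "198.51.100.23"),
    ("2024-01-15T03:10:04", 4625, 10, "administrator", "198.51.100.23"),
    ("2024-01-15T03:10:07", 4625, 10, "backup", "198.51.100.23"),
    ("2024-01-15T03:10:09", 4625, 10, "svc_sql", "198.51.100.23"),
    ("2024-01-15T03:10:12", 4625, 10, "it_admin", "198.51.100.23"),
    ("2024-01-15T03:10:15", 4624, 10, "it_admin", "198.51.100.23"),  # guessed password
    ("2024-01-15T03:15:00", 4625, 10, "jdoe", "10.0.0.14"),  # one typo, then success: benign
    ("2024-01-15T03:15:20", 4624, 10, "jdoe", "10.0.0.14"),
    ("2024-01-15T08:00:00", 4625, 2, "jdoe", "-"),  # console logon, not RDP: ignored
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP with >= threshold RDP failures inside
    `window`. Each alert lists the distinct usernames tried and whether an
    RDP success from the same IP followed the burst (the signal to act on)."""
    failures = defaultdict(list)   # source_ip -> [(time, user)]
    successes = defaultdict(list)  # source_ip -> [time]
    for ts, event_id, logon_type, user, ip in events:
        if logon_type != 10:       # only RemoteInteractive (RDP) logons
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[ip].append((t, user))
        elif event_id == 4624:
            successes[ip].append(t)
    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        for i in range(len(fails)):
            # grow a window of failures starting at fails[i]
            j = i
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = fails[j - 1][0]
                alerts.append({
                    "source_ip": ip,
                    "failures": j - i,
                    "users": sorted({u for _, u in fails[i:j]}),
                    "success_after": any(s >= burst_end for s in successes[ip]),
                })
                break  # one alert per IP is enough
    return alerts
```

In practice the same logic runs over exported EVTX/JSON events; the threshold and window are starting points to tune against your own baseline.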
Procedures
REvil affiliates followed a structured intrusion process:
Gaining initial access via identified vulnerabilities or phishing lures.
Deploying Cobalt Strike and other tools for lateral movement and privilege escalation.
Encrypting files rapidly across systems while staging and exfiltrating sensitive data to bolster ransom demands.
Notable Cyberattacks
- Operation Data Lockdown (2022): A ransomware attack that crippled the operations of major logistics firms, resulting in millions in damages and disrupting supply chains globally.
- Healthcare Breaches (2023): Multiple hospitals reported data breaches, leading to the compromise of sensitive patient information and significant financial losses.
- Tech Industry Espionage: A campaign resulting in the theft of intellectual property from several prominent software companies.
Law Enforcement & Arrests
International Crackdown in 2023: A coordinated global law enforcement effort dismantled infrastructure linked to REvil, leading to multiple arrests and asset seizures. Sources include Europol, Interpol, and multiple national agencies.
2021 High-Profile Arrests: Key members of this group were detained by authorities in Eastern Europe, significantly degrading their operational capacity. More details were reported by Reuters and BBC News.
Ongoing Collaborations: Law enforcement agencies continue to work with private cybersecurity firms like Huntress to disrupt the group's operations.
How to Defend Against REvil
Regular Patching – Ensure all systems and software remain updated to close known vulnerabilities.
Multi-Factor Authentication (MFA) – Implement MFA across all accounts to prevent unauthorized access.
Employee Training – Educate staff on phishing scams and social engineering tactics used by attackers.
Network Segmentation – Limit attacker movement by logically dividing networks and minimizing access.
Threat Detection and Response Tools – Utilize Huntress tools to monitor and identify potential threats in real-time, enabling rapid incident response.
Backup and Recovery Plans – Maintain offline, encrypted backups regularly tested for data restoration.
Continuous Monitoring – Leverage Huntress’s advanced threat detection to monitor for unusual behavior and mitigate attacks swiftly.