{
	"id": "f4a7b289-a893-4477-af10-ca26a31b1f3a",
	"created_at": "2026-04-06T03:36:10.143655Z",
	"updated_at": "2026-04-10T13:11:55.20208Z",
	"deleted_at": null,
	"sha1_hash": "21231e2a621282bb9c7050a98f28e62786b342b3",
	"title": "REvil ransomware - what you need to know | Tripwire",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59804,
	"plain_text": "REvil ransomware - what you need to know | Tripwire\r\nBy Graham Cluley\r\nPublished: 2021-04-22 · Archived: 2026-04-06 03:19:53 UTC\r\nWhat is REvil?\r\nREvil is an ambitious criminal ransomware-as-a-service (RAAS) enterprise that first came to prominence in April\r\n2019, following the demise of another ransomware gang GandCrab.\r\nThe REvil group is also known sometimes by other names such as Sodin and Sodinokibi.\r\nThere’s been plenty of ransomware before. What makes REvil so special?\r\nREvil has gained a reputation for attempting to extort far larger payments from its corporate victims than that\r\ntypically seen in other attacks. It is actively promoted underground cybercrime forums as the best choice for\r\nattacking business networks where there is more money to be made than infecting the computers of home users.\r\nAside from the many high profile companies and organisations who have fallen foul of REvil, it is stealing data\r\nfrom the computers and networks of its victims before they are encrypted. This is a technique of applying\r\nadditional pressure on victims which is becoming more and more commonplace.\r\nREvil threatens to release stolen data, by auctioning it off on its website (anachronistically called the \"Happy\r\nBlog\") if ransom demands are not met.\r\nThe \"Happy Blog\" lists recent victims of REvil, attaching a sample of the stolen data as proof that information has\r\nbeen exfiltrated from an organisation. The REvil gang even offers a \"trial\" decryption to prove to the victim that\r\ntheir files can be decrypted.\r\nA countdown timer indicates when data leaks will be made public, applying more pressure to companies debating\r\nhow they should respond.\r\nHello - some of your files containing confidential information have been downloaded and are located\r\non our servers. If you refuse to negotiate with us, all documents will be published on the blog and\r\npublished by the media. If an agreement is reached, the data will be permanently deleted. We advise\r\nyou to quickly contact us through the support chat.\r\nNasty. So simply restoring from a backup..?\r\n…is not going to be enough. Yes, restoring your data from a secure, clean backup can help a company get back up\r\nand running again (if the backup hasn’t itself been compromised, of course), but criminals still have a copy of\r\nyour company’s data.\r\nhttps://www.tripwire.com/state-of-security/featured/revil-ransomware-what-you-need-to-know/\r\nPage 1 of 3\n\nEven if they are unsuccessful in selling your data to others in cybercrime forums, incalculable damage can be\r\ndone to an organisation's brand and business relationships.\r\nYou said that REvil was Ransomware-as-a-service. What's that?\r\nAs online crime became more sophisticated, some malicious actors recognised that rather than spending all their\r\ntime launching their own attacks they could actually lease out their expertise and infrastructure to other criminals -\r\ngiving even those without technical ability a means to profit from ransomware.\r\nLike software-as-a-service (SAAS)?\r\nPrecisely. Ransomware gangs have been known to offer 24/7 technical support, subscriptions, affiliate schemes,\r\nand online forums just like legitimate online companies. They know that offering a quality service to their\r\n(admittedly) criminally-minded clients will help both sides of the venture to become rich at the victim's expense.\r\nBut if an attacker is paying for a ransomware service from another criminal, can't they be\r\ntracked and identified?\r\nPayments are typically made through cryptocurrency, keeping transactions anonymous.\r\nOf course. How much money is the REvil enterprise making?\r\nIt's hard to be certain because it's not as though they're filing their accounts, but when interviewed the group's\r\ndevelopers have claimed to be making more than US $100 million per year.\r\nThe developers of REvil are thought to pocket between 20-30% of the money extorted from victims of their\r\nransomware, with the affiliate who ran the operation with the assistance of REvil's expertise and infrastructure\r\nreceiving the rest.\r\nHow does the REvil ransomware infect an organisation in the first place?\r\nThere are a variety of methods an attacker could use to plant the malware. These include exploiting a vulnerability\r\nto gain access to a computer on your company's network, spear-phishing, or exploiting a third-party business\r\npartner.\r\nIn some cases, the attack may actually come from a client or partner who has already fallen victim to the hackers.\r\nSo what should my company be doing to protect ourselves from the REvil ransomware?\r\nIt's the same advice as with other ransomware.\r\nYou should still be making secure offsite backups. You should still be running up-to-date security solutions and\r\nensuring that your computers are protected with the latest patches against newly-discovered vulnerabilities. You\r\nshould still be using hard-to-crack, unique passwords to protect sensitive data and accounts as well as enabling\r\nmulti-factor authentication. You should still be encrypting your sensitive data wherever possible. You should still\r\nhttps://www.tripwire.com/state-of-security/featured/revil-ransomware-what-you-need-to-know/\r\nPage 2 of 3\n\nbe educating and informing staff about risks and the methods used by cybercriminals to electronically infiltrate\r\norganizations.\r\nIf my company has been unlucky enough to have been hit by the REvil ransomware, should we\r\npay the ransom?\r\nThat ultimately is a decision that only you can make. Bear in mind that the more companies that pay a ransom, the\r\nmore likely it is that criminals will launch similar attacks in the future.\r\nAt the same time, you may feel that your business needs to make the difficult but pragmatic decision to pay the\r\ncriminals if you feel your company cannot survive any other way.\r\nWhatever your decision, you should inform law enforcement agencies of the incident and work with them to help\r\nthem investigate who might be behind the attacks.\r\nAnd remember this: paying the ransom does not necessarily mean you have erased the security problems that\r\nallowed you to be infected in the first place. If you don’t find out what went wrong and why and fix it, then you\r\ncould easily fall victim to further cybercrime attacks in the future.\r\nEditor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not\r\nnecessarily reflect those of Tripwire, Inc.\r\nSource: https://www.tripwire.com/state-of-security/featured/revil-ransomware-what-you-need-to-know/\r\nhttps://www.tripwire.com/state-of-security/featured/revil-ransomware-what-you-need-to-know/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.tripwire.com/state-of-security/featured/revil-ransomware-what-you-need-to-know/"
	],
	"report_names": [
		"revil-ransomware-what-you-need-to-know"
	],
	"threat_actors": [],
	"ts_created_at": 1775446570,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21231e2a621282bb9c7050a98f28e62786b342b3.pdf",
		"text": "https://archive.orkl.eu/21231e2a621282bb9c7050a98f28e62786b342b3.txt",
		"img": "https://archive.orkl.eu/21231e2a621282bb9c7050a98f28e62786b342b3.jpg"
	}
}