{
	"id": "e094abef-ec5b-4d88-88c8-02288980e1c3",
	"created_at": "2026-04-06T00:07:01.924993Z",
	"updated_at": "2026-04-10T13:11:29.862983Z",
	"deleted_at": null,
	"sha1_hash": "73ed8e52b0cae9eb5436709b7de9b39b47a86662",
	"title": "REvil ransomware gang claims over $100 million profit in a year",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1508754,
	"plain_text": "REvil ransomware gang claims over $100 million profit in a year\r\nBy Ionut Ilascu\r\nPublished: 2020-10-29 · Archived: 2026-04-05 13:38:00 UTC\r\nREvil ransomware developers say that they made more than $100 million in one year by extorting large businesses across the world from various sectors.\r\nThey are driven by profit and want to make $2 billion from their ransomware service, adopting the most lucrative trends in their pursuit of wealth.\r\nAffiliates do the heavy lifting\r\nA REvil representative who uses the aliases “UNKN” and “Unknown” on cybercriminal forums talked to tech blog Russian OSINT, offering some details about the group’s activity and hints of what they have in store for the future.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/\r\nPage 1 of 5\r\nLike almost all ransomware gangs today, REvil runs a ransomware-as-a-service (RaaS) operation. Per this model, developers supply file-encrypting malware to affiliates, who earn the lion’s share of the money extorted from victims.\r\nWith REvil, the developers take 20-30% and the rest of the paid ransom goes to affiliates, who run the attacks, steal data, and detonate the ransomware on corporate networks.\r\n“Most work is done by distributors and ransomware is just a tool, so they think that’s a fair split,” REvil representative, Unknown, told Russian OSINT.\r\nThis means that the developers set the ransom amount, run the negotiations, and collect the money that is later split with affiliates.\r\nLong list of victims\r\nThe cybercriminal operation has encrypted computers at big-name companies, among them Travelex, Grubman Shire Meiselas \u0026 Sacks (GSMLaw), Brown-Forman, SeaChange International, CyrusOne, Artech Information Systems, Albany International Airport, Kenneth Cole, and GEDIA Automotive Group.\r\nUnknown says that REvil affiliates were able to breach the networks of Travelex and GSMLaw in just three minutes by exploiting a vulnerability in Pulse Secure VPN left unpatched for months after the fix became available [1, 2].\r\nREvil’s public-facing representative says that the syndicate has hit the network of a “major gaming company” and will soon announce the attack.\r\nThey also say that REvil was responsible for the attack in September against Chile’s public bank, BancoEstado. The incident prompted the bank to close all its branches for a day but did not affect online banking, apps, and ATMs.\r\nAlong with managed services providers (MSPs) that have access to the networks of multiple organizations, the most profitable targets for REvil are companies in the insurance, legal, and agriculture sectors.\r\nAs for initial access, Unknown mentioned brute-force attacks as well as remote desktop protocol (RDP) combined with new vulnerabilities.\r\nOne example is the pair of vulnerabilities tracked as CVE-2020-0609 and CVE-2020-0610 and known as BlueGate. These allow remote code execution on systems running Windows Server (2012, 2012 R2, 2016, and 2019).\r\nNew money-making avenues\r\nREvil initially made its profit from victims paying the ransom to unlock encrypted files. Since the attackers also locked backup servers, victims had few options to recover, and paying was the quickest way.\r\nThe ransomware business changed last year when operators saw an opportunity in stealing data from breached networks and started to threaten victims with damaging leaks that could have a much worse impact on the company.\r\nEven if it takes longer and causes a significant setback, large businesses can recover encrypted files from offline backups. Having sensitive data in the public space or sold to interested parties, though, can mean losing competitive advantage and suffering reputation damage that is difficult to rebuild.\r\nThis method proved so lucrative that REvil now makes more money from not publishing stolen data than from the decryption ransom.\r\nUnknown says that one in three victims are currently willing to pay the ransom to prevent the leaking of company data. This could be the next step in the ransomware business.\r\nREvil is also considering another tactic designed to increase their odds of getting paid: hitting the victim with distributed denial-of-service (DDoS) attacks to force them to at least (re)start negotiating a payment.\r\nSunCrypt ransomware used this tactic recently on a company that had stopped negotiations. The attackers made it clear that they launched the DDoS attack and terminated it when negotiations resumed. REvil plans to implement this idea.\r\nREvil’s model for making money is working and the gang already has plenty in their coffers. In their search for new affiliates, they deposited $1 million in bitcoins on a Russian-speaking forum.\r\nThe move was designed to show that their operation generates plenty of profit. According to Unknown, this step is to recruit new blood to distribute the malware, as the ransomware scene is full to the brim with professional cybercriminals.\r\nAlthough they have truckloads of money, REvil developers are confined to the borders of the Commonwealth of Independent States (CIS, countries in the former Soviet Union) region.\r\nOne reason for this is that attacking a large number of high-profile victims has prompted investigations from law enforcement agencies all over the world. As such, traveling is a risk REvil developers are not willing to take.\r\nREvil built on older code\r\nThis ransomware syndicate is also referred to as Sodin or Sodinokibi, but the name REvil is inspired by the Resident Evil movie and stands for Ransomware Evil.\r\nTheir malware was first spotted in April 2019 and the group started looking for skilled hackers (elite penetration testers) shortly after GandCrab ransomware closed shop.\r\nUnknown says that the group did not create the file-encrypting malware from scratch but bought the source code and developed on top of it to make it more effective.\r\nIt uses elliptic curve cryptography (ECC), which has a smaller key size than the RSA-based public-key system with no compromise on security. Unknown says that this is one reason affiliates choose REvil over other RaaS operations like Maze or LockBit.\r\nBefore shutting their business, GandCrab developers said they made $150 million, while the entire operation collected more than $2 billion in ransom payments.\r\nClearly, REvil developers’ ambitions are greater.\r\nBleepingComputer was told that Unknown confirmed that the interview (in Russian) was real.\r\nSource: https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/"
	],
	"report_names": [
		"revil-ransomware-gang-claims-over-100-million-profit-in-a-year"
	],
	"threat_actors": [],
	"ts_created_at": 1775434021,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73ed8e52b0cae9eb5436709b7de9b39b47a86662.pdf",
		"text": "https://archive.orkl.eu/73ed8e52b0cae9eb5436709b7de9b39b47a86662.txt",
		"img": "https://archive.orkl.eu/73ed8e52b0cae9eb5436709b7de9b39b47a86662.jpg"
	}
}