{
	"id": "c3f2d74e-6b6a-4a28-a023-0842949560de",
	"created_at": "2026-04-06T00:14:24.068827Z",
	"updated_at": "2026-04-10T03:23:51.652642Z",
	"deleted_at": null,
	"sha1_hash": "854df0a8d5479c99bc16bf17d68cddd624ffa26c",
	"title": "Threat Protection: The REvil Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1880331,
	"plain_text": "Threat Protection: The REvil Ransomware\r\nBy Ben Nahorney\r\nPublished: 2021-08-11 · Archived: 2026-04-05 22:54:58 UTC\r\nThe REvil ransomware family has been in the news due to its involvement in high-profile incidents, such as the\r\nJBS cyberattack and the Kaseya supply chain attack. Yet this threat carries a much more storied history, with\r\nvarying functionality from one campaign to the next.\r\nThe threat actors behind REvil attacks operate under a ransomware-as-a-service model. In this type of setup,\r\naffiliates work alongside the REvil developers, using a variety of methods to compromise networks and distribute\r\nthe ransomware. These affiliates then split the ransom with the threat actors who develop REvil.\r\nWe looked at REvil, also known as Sodinokibi or Sodin, earlier in the year in a Threat Trends blog on DNS\r\nSecurity. In it we talked about how REvil/Sodinokibi compromised far more endpoints than Ryuk, but had far less\r\nDNS communication. However, when revisiting these metrics, we noticed that this changed in the beginning of\r\n2021.\r\nFigure 1-DNS activity surrounding REvil/Sodinokibi.\r\nWhat’s interesting in revisiting this data over an 18-month span is that while the number of endpoints didn’t rise\r\ndramatically in 2021, comparing each month to the overall averages, the amount of DNS activity did. In fact, the\r\none noticeable drop in endpoints in December appears to coincide with the beginning of a dramatic rise in DNS\r\nactivity. (For information on the methodology behind this chart, please see the end of the Threat Trends blog.)\r\nhttps://blogs.cisco.com/security/threat-protection-the-revil-ransomware\r\nPage 1 of 11\r\nWhat’s notable about the initial attacks is that on many occasions, zero-day vulnerabilities have been leveraged to\r\nspread REvil/Sodinokibi. In the most recent case, attackers exploited a zero-day vulnerability in the Kaseya VSA\r\nin order to distribute the ransomware. Previously the group exploited the Oracle WebLogic Server vulnerability\r\n(CVE-2019-2725) and a Windows privilege escalation vulnerability (CVE-2018-8453) in order to compromise\r\nnetworks and endpoints. There have been reports of other, well-known vulnerabilities being leveraged in\r\ncampaigns as well.\r\nIt’s worth noting that in the case of the campaign that leveraged the Kaseya VSA vulnerability, the threat actors\r\nbehind REvil disabled the command and control (C2) functionality, among other features, opting to rely on the\r\nKaseya software to deploy and manage the ransomware. This highlights how the malware is frequently tailored to\r\nthe circumstances, where different features are leveraged from one campaign to the next.\r\nSo given how functionality varies, what can REvil/Sodinokibi do on a computer to take control and hold it for\r\nransom? To answer this question, we’ve used Cisco Secure Malware Analytics to look at REvil/Sodinokibi\r\nsamples. The screenshots that follow showcase various behavioral indicators identified by Secure Malware\r\nAnalytics when it is executed within a virtualized Windows sandbox.\r\nWhile the features that follow aren’t present in every REvil/Sodinokibi sample, once it is successfully deployed\r\nand launched, the result is generally the same.\r\nFigure 2-A desktop that has been encrypted by REvil/Sodinokibi.\r\nWhat follows provides an overview of how the ransomware goes about locking down a computer to hold it for\r\nransom.\r\nCreating a mutex\r\nOne of the first things that REvil/Sodinokibi does is create a mutex. This is a common occurrence with software.\r\nMutexes ensure only one copy of a piece of software can run at a time, avoiding problems that can lead to crashes.\r\nHowever, being a unique identifier for a program, mutexes can sometimes be used to identify malicious activity.\r\nFigure 3-REvil/Sodinokibi creating a mutex.\r\nOnce the mutex is created, the threat carries out a variety of activities. The functions that follow do not necessarily\r\nhappen in chronological order—or in one infection—but have been organized into related groupings.\r\nEstablishing persistence\r\nAs is the case with many threats, REvil/Sodinokibi attempts to embed itself into a computer so it will load when\r\nthe computer starts. This is often done by creating an “autorun” registry key, which Windows will launch when\r\nstarting up.\r\nThe creation of run keys, like mutexes, is a fairly common practice for software. However, REvil/Sodinokibi\r\nsometimes creates run keys that point to files in temporary folders. This sort of behavior is hardly ever done by\r\nlegitimate programs since files in temporary folders are meant to be just that—temporary.\r\nFigure 4-REvil/Sodinokibi creating a run key for a temporary file.\r\nTerminating processes and services\r\nREvil/Sodinokibi not only establishes persistence, but it also disables and deletes keys associated with processes\r\nand services that may interfere with its operation. For example, the following two indicators show it attempting to\r\ndisable two Windows services: one involved in managing file signatures and certificates, and another that looks\r\nafter application compatibility.\r\nFigure 5-REvil/Sodinokibi disabling another service.\r\nFigure 6-REvil/Sodinokibi deleting another service.\r\nIt’s worth noting that these two behavioral indicators carry a medium threat score. This is because there are\r\nlegitimate reasons that these activities might happen on a system. For example, processes and services might be\r\ndisabled by an administrator. However, in this case, REvil/Sodinokibi is clearly removing these processes so that\r\nthey don’t interfere with the operation of the malicious code.\r\nDeleting backups\r\nMany ransomware threats delete the backups residing on a system that they intend to encrypt. This stops the user\r\nfrom reverting files to previous versions after they’ve been encrypted, taking local file restoration off the table.\r\nFigure 7-REvil/Sodinokibi deleting a shadow copy used in backups and restoration.\r\nDisabling Windows recovery tools\r\nThe command that REvil/Sodinokibi uses to delete backups also includes a secondary command that disables\r\naccess to recovery tools. These tools are available when rebooting a Windows computer, and disabling them\r\nfurther cripples a system, preventing it from easily being restored.\r\nFigure 8-REvil/Sodinokibi disabling recovery tools.\r\nFigure 9-REvil/Sodinokibi hiding the Windows recovery tools startup menu.\r\nChanging firewall rules\r\nREvil/Sodinokibi sometimes makes changes to the Windows Firewall. In this case, it turns on Network Discovery,\r\nwhich makes it easier to find other computers on the network and spread further.\r\nFigure 10-REvil/Sodinokibi enabling Network Discovery.\r\nContacting the C2 server\r\nTo carry out various functions remotely, the threat actors behind REvil often need it to connect back to a C2\r\nserver. Each of the C2 servers listed below has been classified as high risk by Cisco Umbrella.\r\nFigure 11-Domains flagged as High Risk by Cisco Umbrella.\r\nWhen looking at these domains using Umbrella Investigate, we see that the domain is associated with\r\nREvil/Sodinokibi.\r\nFigure 12-Information in Cisco Umbrella Investigate about a REvil/Sodinokibi domain.\r\nEncrypting files\r\nOnce most of the previous functions have been carried out, REvil/Sodinokibi will execute its coup de grâce:\r\nencrypting the files on the drive.\r\nFigure 13-REvil/Sodinokibi encrypting a drive.\r\nCreating ransom notes\r\nDuring this process, REvil/Sodinokibi creates additional files in the folders it encrypts. These files contain\r\ninformation about how to pay the ransom.\r\nFigure 14-REvil/Sodinokibi creating ransomware notes.\r\nChanging desktop wallpaper\r\nFinally, REvil/Sodinokibi changes the desktop wallpaper to draw attention to the fact that the system has been\r\ncompromised.\r\nFigure 15-REvil/Sodinokibi changing the desktop wallpaper.\r\nThe new wallpaper includes a message pointing the user to the ransom file, which contains instructions on how to\r\nrecover the files on the computer.\r\nFigure 16-The ransom note created by REvil/Sodinokibi.\r\nSince the files have been successfully encrypted, the computer is now largely unusable. Each file has a file\r\nextension that matches what is mentioned in the ransom note (.37n76i in this case).\r\nFigure 17-Encrypted files on a compromised endpoint.\r\nDefense in the real world\r\nGiven the variation in behaviors during infection, running REvil/Sodinokibi samples inside Cisco Secure Malware\r\nAnalytics is a great way to understand how a particular version of the threat functions. However, when it comes to\r\nhaving security tools in place, it’s unlikely you’ll see this many alerts.\r\nFor example, when running Cisco Secure Endpoint, it’s more likely that the REvil/Sodinokibi executable would\r\nbe detected before it could do any damage.\r\nFigure 18-Detection of a REvil/Sodinokibi executable.\r\nFigure 19-Generic ransomware detection.\r\nProtecting against REvil/Sodinokibi and its ilk\r\nOn July 13th, the websites and infrastructure associated with the REvil threat actors disappeared from the Internet.\r\nWhether the threat will return remains to be seen.\r\nYet REvil/Sodinokibi is one of many families of ransomware, several of which have been just as active, if not\r\nmore so. Want to learn more about how ransomware works, as well as ways to protect yourself? Check out the\r\nCisco Secure Ransomware Defense page.\r\nAlso be sure to check out our Top Tips for Ransomware Defense for the latest on the machinations behind these\r\nthreats and further defensive strategies.\r\nFinally, if you’re looking to beef up your ransomware defense and want a simpler and more flexible buying\r\nexperience, check out our Cisco Secure Choice enterprise agreement.\r\nWe’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on\r\nsocial!\r\nSource: https://blogs.cisco.com/security/threat-protection-the-revil-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blogs.cisco.com/security/threat-protection-the-revil-ransomware"
	],
	"report_names": [
		"threat-protection-the-revil-ransomware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434464,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/854df0a8d5479c99bc16bf17d68cddd624ffa26c.pdf",
		"text": "https://archive.orkl.eu/854df0a8d5479c99bc16bf17d68cddd624ffa26c.txt",
		"img": "https://archive.orkl.eu/854df0a8d5479c99bc16bf17d68cddd624ffa26c.jpg"
	}
}