{
	"id": "58f0e42e-d451-4bf0-b670-dbbc63b67bc9",
	"created_at": "2026-04-06T00:21:00.150271Z",
	"updated_at": "2026-04-10T03:23:51.457515Z",
	"deleted_at": null,
	"sha1_hash": "9b986354641957b48e0aec320e2bb2ecc7b2f504",
	"title": "REvil Revealed: Tracking a Ransomware Negotiation and Payment",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2524541,
	"plain_text": "REvil Revealed: Tracking a Ransomware Negotiation and Payment\r\nBy Elliptic Intel\r\nArchived: 2026-04-05 19:10:26 UTC\r\nWhat actually happens during a ransomware attack? We follow a real case involving the REvil ransomware - from initial infection and negotiation, through to the cryptocurrency payment and laundering of the funds.\r\nThe scale and severity of ransomware attacks continue to grow. Cybercriminal groups such as DarkSide have received hundreds of millions of dollars in cryptocurrency ransom payments, having crippled critical infrastructure providers such as Colonial Pipeline. In early July, hundreds of businesses were infected with REvil ransomware (also known as Sodinokibi) through an attack on Kaseya - a provider of IT management software to those victims.\r\nAt Elliptic, we monitor and investigate ransomware groups in order to collect information on the cryptocurrency wallets they use to receive ransoms. These insights are then made available in our software, enabling law enforcement to follow the money and potentially freeze the funds or identify the individuals behind the attacks. Cryptocurrency exchanges and financial institutions use our software to screen customer deposits for links to these wallets, and to ensure that the ransomware groups cannot cash out their proceeds.\r\nThis research gives us unique insights into the entire lifecycle of a ransomware attack - from the initial malware infection and ransom demand, through the negotiation and payment process, and finally the laundering of the funds. In this article we follow one specific attack by the Russia-linked REvil ransomware group, which took place within the past few weeks. Some images have been edited to protect the identity of the victim.\r\n1. The victim is infected with the REvil malware\r\nOnce the REvil malware has made its way onto the computer system, it encrypts the victim’s files - leaving behind a text file containing the ransom note, shown below:\r\nhttps://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment\r\nPage 1 of 9\n\nThe note directs the victim to a website (the “victim portal”) hosted on Tor (an anonymity network that is also widely used to host darknet markets) to access further instructions.\r\n2. Accessing the victim portal\r\nThe victim portal displays the ransom demand - $50,000 in Monero, a privacy-focused cryptocurrency that is very difficult to trace. If the ransom is not paid within a certain timeframe, the ransom will be doubled to $100,000. The portal provides instructions on where the Monero can be purchased, and where exactly it should be sent:\r\n3. Chat support\r\nSimilar to an e-commerce site, the portal allows the victim to speak directly to REvil through the “Chat Support” tab. Here we see the victim (blue) initiate a conversation with REvil (green) and begin to negotiate the ransom down:\r\n4. Verifying that paying a ransom will lead to decryption\r\nThe victim then asks for proof that paying the ransom will work - i.e. that their files will be decrypted. They upload two of their encrypted files, and REvil responds with the proof - the decrypted files:\r\n5. Requesting payment in Bitcoin instead of Monero\r\nMany ransomware victims find it difficult to obtain the Monero required to pay a ransom (not many exchanges list it, especially in the US), or do not want to pay in Monero due to concerns about violating sanctions. Most of the ransomware response companies that negotiate and pay on behalf of victims simply refuse to pay Monero ransoms.\r\nIn this case the victim has requested to pay in Bitcoin instead, and REvil has allowed it, albeit with a 10% surcharge. The higher amount reflects the increased risk REvil faces when accepting Bitcoin payments, due to their traceability. The portal updates to show a Bitcoin payment address:\r\n6. Negotiating the ransom amount\r\nHaving already negotiated a 20% discount on the original $50,000 ransom demand, the victim goes further - offering just $10,000. They claim that this is all they can pay at such short notice, but the offer is rejected by REvil. The victim then says that they may be able to borrow some extra money, and the two sides eventually agree on a ransom payment of $25,000.\r\n7. Sending the Bitcoin ransom payment\r\nThe address that the Bitcoin ransom should be sent to is displayed at the top of the portal, but the victim asks REvil to confirm that it is correct. Cryptocurrency payments are irreversible, so it is important to verify the destination address before making a transaction.\r\nThe victim sends the $25,000 in Bitcoin, and REvil confirms that they have received it:\r\n8. The decryption tool is provided\r\nOnce the ransom is paid, the victim portal updates to provide access to the decryptor. (Of course, in general there is no guarantee that such a tool will be provided.)\r\nFor the victim, the process is now complete. They can use the decryptor tool to regain access to their files and resume operations.\r\n9. The Bitcoin is laundered\r\nFor REvil the next step is to launder and cash out the Bitcoin ransom payment. The image below is from our cryptocurrency investigations software, Elliptic Forensics, showing the destination of the Bitcoin ransom paid by this specific victim. Most exchanges that allow Bitcoin to be converted into traditional currency make use of Elliptic’s tools in order to trace customer deposits and ensure that they are not connected to illicit activity such as this.\r\nREvil must therefore attempt to launder the funds and break the transaction trail. They attempt this by “layering” the funds - splitting them and passing them through many different wallets - and by mixing them with bitcoins from other sources. The laundering process in this case is still ongoing, but we can already trace some of the funds to exchanges. Those exchanges will hold information on the identities of the people whose accounts received the funds - providing strong leads for law enforcement.\r\nThe victim in this case appears to have been a small business rather than a large corporation - reflected in the relatively small ransom demanded. Small businesses make up 50-75% of all ransomware victims, and the impact of these attacks can be catastrophic.\r\nAt Elliptic we believe that ransomware can be combated by limiting the degree to which the criminals responsible can profit from their crimes. By mapping and understanding the cryptocurrency flows from ransomware wallets, we can help law enforcement and financial institutions to identify the perpetrators and freeze their funds.\r\nJoin our upcoming webinar on July 29, Tracking Ransomware with Blockchain Analytics, where we discuss how and why ransomware makes use of cryptocurrency, and showcase how it can be countered using blockchain analytics - including ‘following the money’ from cybercriminal wallets.\r\nSource: https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment"
	],
	"report_names": [
		"revil-revealed-tracking-ransomware-negotiation-and-payment"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434860,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b986354641957b48e0aec320e2bb2ecc7b2f504.pdf",
		"text": "https://archive.orkl.eu/9b986354641957b48e0aec320e2bb2ecc7b2f504.txt",
		"img": "https://archive.orkl.eu/9b986354641957b48e0aec320e2bb2ecc7b2f504.jpg"
	}
}