{
	"id": "73e22dc2-b82c-40f0-877e-e5a099160d2f",
	"created_at": "2026-04-06T00:10:58.033988Z",
	"updated_at": "2026-04-10T03:21:55.370682Z",
	"deleted_at": null,
	"sha1_hash": "a003b879cc1363c1b2e24eeab39bda070855c23c",
	"title": "Understanding REvil: REvil Threat Actors May Have Returned (Updated)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1367285,
	"plain_text": "Understanding REvil: REvil Threat Actors May Have Returned\r\n(Updated)\r\nBy Doel Santos, John Martineau\r\nPublished: 2022-06-03 · Archived: 2026-04-05 21:39:59 UTC\r\nExecutive Summary\r\nREvil has emerged as one of the world’s most notorious ransomware operators. In summer 2021, it extracted an\r\n$11 million payment from the U.S. subsidiary of the world’s largest meatpacking company based in Brazil,\r\ndemanded $5 million from a Brazilian medical diagnostics company and launched a large-scale attack on dozens,\r\nperhaps hundreds, of companies that use IT management software from Kaseya VSA.\r\nWhile REvil (which is also known as Sodinokibi) may seem like a new player in the world of cybercrime, Unit 42\r\nhas been monitoring the threat actors tied to this group for three years. We first encountered them in 2018 when\r\nthey were working with a group known as GandCrab. At the time, they were mostly focused on distributing\r\nransomware through malvertising and exploit kits, which are malicious advertisements and malware tools that\r\nhackers use to infect victims through drive-by downloads when they visit a malicious website.\r\nThat group morphed into REvil, grew and earned a reputation for exfiltrating massive data sets and demanding\r\nmultimillion dollar ransoms. It is now among an elite group of cyber extortion gangs that are responsible for the\r\nsurge in debilitating attacks that have made ransomware among the most pressing security threats to businesses\r\nand nations around the globe.\r\nUpdated June 3, 2022: In October 2021, REvil went offline at least in part due to major multi-government entities\r\npursuing the group. The absence, however, was apparently short lived. On April 20, 2022, REvil’s old leak site\r\ncame back online. 
We’ve updated our original report on REvil’s activity to include insights on the most recent\r\nsamples and attacks – though we note that it is not yet clear whether the threat actors behind this activity are\r\nactually members of the original group or if this is REvil under a new administration. The new information is\r\nincluded under the header “REvil in 2022.”\r\nPalo Alto Networks WildFire, Threat Prevention and Cortex XDR detect and prevent REvil ransomware\r\ninfections.\r\nIf you think you may have been impacted, please get in touch with the Unit 42 Incident Response team.\r\nREvil in 2022: New Observations of Ransom Notes, Leak Site, Payment Site and\r\nMore\r\nREvil, one of the most prolific ransomware groups of 2021, went offline in October 2021. The dissolution of\r\nREvil was due to major multi-government entities pursuing the group’s operations, with arrests occurring,\r\nhttps://unit42.paloaltonetworks.com/revil-threat-actors/\r\nPage 1 of 11\n\ninfrastructure seized, the disappearance of ransomware-as-a-service (RaaS) leadership and general mistrust\r\nbetween members of the group.\r\nOn April 20, 2022, REvil’s old leak site came back online and started redirecting visitors to a new Onion address,\r\nlisting new and previous victims. Of particular note, the new site also looks a bit different from the original\r\n“Happy Blog” led by the original REvil group – for example, the new site includes an RSS 2.0 feed and a “Join\r\nUs” section for active affiliate recruiting. Additionally, the proof of concept links are offline or removed for old\r\nvictims, leading Unit 42 to believe that the website was revived from a backup and it didn’t update any of the\r\ncontent inside the posts. It is also possible that the blog is being recreated by another group – not necessarily the\r\nsame threat actors who claimed the work of REvil before. 
\r\nDuring early May, we noticed new alleged victim organizations being listed and then removed from the site\r\nnumerous times. Typically, when an organization is removed from the site, it’s because they have paid the ransom,\r\nbut this does not appear to be the case here. Instead, the same potential victims were added and then removed\r\nseveral times. The organizations were an India-based oil organization, a U.S.-based education organization and a\r\nFrance-based sign manufacturer. We observed the site being unstable at times – in some instances showing a blank\r\npage with no victims listed. \r\nFigure 1. “New” REvil leak site.\r\nThe recruiting section on the revived leak site at first directed victims to RuTOR, a known Russian-speaking\r\nforum marketplace typically selling illicit goods, leveraging the platform's automated escrow service. An affiliate\r\ninterested in joining this iteration of REvil was asked to deposit money as part of an automated escrow agreement\r\nwith an REvil member. Once this process was complete, the affiliate would then get an invite to the group. \r\nFigure 2. Recruitment section of leak site.\r\nWe find the use of RuTOR interesting, since it’s not particularly known for ransomware operators, unlike other\r\nforums such as RAMP, Exploit or XSS – where posts seeking “security services” such as pentesters often turn out\r\nto be ransomware-related. \r\nOn April 22, we observed a post on RuTOR titled, “REvil’s TOR Sites are suddenly up and running again,” which\r\nprompted a response from WD, one of the RuTOR administrators, declaring that REvil is not welcome on the\r\nforum (Figure 3). \r\nIt’s worth noting that shortly after this post was made public, the threat actor behind the REvil leak site removed\r\nmentions of RuTOR from the leak site – from then on only leveraging TOX Chat for communication. 
The account\r\nuseransom that was being used on RuTOR got suspended. \r\nFigure 3. Post from RuTOR administrator, WD. Translation: “I officially declare: we are not working\r\nwith these gentlemen. If this is really you, then I’m sorry. Wrong time, wrong place.”\r\nOn April 29, a REvil/Sodinokibi variant emerged in VirusTotal, initially reported by a researcher at AVAST. The\r\nobserved sample (SHA256: 0c10cf1b1640c9c845080f460ee69392bfaac981a4407b607e8e30d2ddf903e8) was\r\ncompiled on April 26, three days before the researchers encountered the sample in the wild. This is believed to be\r\na new version of the REvil sample. This sample includes various updates compared to previous REvil samples,\r\nincluding adding pointers to the new leak site and payment site. (The payment site appears similar to previous\r\nversions.) \r\nThe sample also has a new field embedded in its JSON configuration, named accs. This field had accounts\r\nassociated with two different organizations – one in Taiwan and one in Israel. At the time, those two organizations\r\nhadn’t been observed on the new REvil leak site, which could indicate they were perhaps victims being actively\r\ntargeted. \r\nThe “ransomware” sample in fact only seems to behave like ransomware – it appears to encrypt files but doesn’t\r\nactually do so. The analyzed sample only renames existing files with a random extension – removing the\r\nextension will restore the file back to its original state (Figure 4). \r\nFigure 4. 
Changing extensions on renamed files.\r\nThe ransom note is almost identical to the original used by this group; notable differences include:\r\nRemoval of the clearnet site that was previously included – decoder[.]re\r\nNew updated domains added, pointing to new infrastructure\r\nAdditional comments from the threat actors, such as a “Sensitive Data” section that is identical to the one\r\nseen in the BlackCat ransom note. \r\nThe similarity to the BlackCat ransom note isn’t surprising – ransomware groups are known to copy each other's\r\nransom notes from time to time (See Figure 5 for the full REvil note).\r\nFigure 5. New REvil ransom note.\r\nTheir new payment site also seems to be similar to what REvil used in the past. \r\nIn the case of the April 29 sample, the requested ransom is $1.5 million. As seen in previous REvil cases, the\r\nransom request doubles if payment is not performed within the established time frame. We looked for transactions\r\non the BTC wallet address posted on the payment site. As of the writing of this updated report, there haven’t been\r\nany transactions made to that wallet address. \r\nFigure 6. REvil payment site.\r\nIt’s still too early to say whether the threat actors behind this activity are actually members of the original group or\r\nif this is REvil under a new administration. \r\nThe “return” of the REvil/Sodinokibi name is not surprising; REvil had quite a reputation, built from three years\r\nof active ransomware activity. That being said, the REvil brand also has been tarnished. The group has gone\r\noffline multiple times due to high-profile attacks that led to law enforcement pursuit – and lost the trust of\r\naffiliates in the process. 
With the sudden disappearance of prominent leaders – Unknown (aka UNKN) in July and\r\n0_neday shortly after in October 2021 – REvil leadership wasn’t able to restore confidence. \r\nFigure 7. REvil representative 0_neday announcing compromise of REvil servers.\r\nEven with the apparent return of REvil, other cybercriminals are skeptical, and some suspect law enforcement is\r\nbehind it. Recruiting with such a reputation may be a bit difficult, and this is one of the main reasons why\r\nransomware groups rebrand. \r\nRegardless of who is behind the reemergence of this group, we continue to recommend that organizations prepare\r\nthemselves to combat any ransomware that emerges. As always, the best time to prepare for a ransomware\r\nincident is before it happens.\r\nRansomware as a Service\r\nREvil is one of the most prominent providers of ransomware as a service (RaaS). This criminal group provides\r\nadaptable encryptors and decryptors, infrastructure and services for negotiation communications, and a leak site\r\nfor publishing stolen data when victims don’t pay the ransom demand. For these services, REvil takes a\r\npercentage of the negotiated ransom price as their fee. Affiliates of REvil often use two approaches to persuade\r\nvictims into paying up: They encrypt data so that organizations cannot access information, use critical computer\r\nsystems or restore from backups, and they also steal data and threaten to post it on a leak site (a tactic known as\r\ndouble extortion).\r\nThreat actors behind REvil operations often stage and exfiltrate data followed by encryption of the environment as\r\npart of their double extortion scheme. If the victim organization does not pay, REvil threat actors typically publish\r\nthe exfiltrated information. 
We have observed threat actors who are clients of REvil focus on attacking large\r\norganizations, which has enabled them to obtain increasingly large ransoms. REvil and its affiliates pulled in an\r\naverage payment of about $2.25 million during the first six months of 2021 in the cases that we observed. The size\r\nof specific ransoms depends on the size of the organization and type of data stolen. Further, when victims fail to\r\nmeet deadlines for making payments via bitcoin, the attackers often double the demand. Eventually, they post\r\nstolen data on the leak site if the victim doesn’t pay up or enter into negotiations.\r\n2021 Trends – Something Old, Something New\r\nUnit 42 has worked over a dozen REvil ransomware cases so far this year. While some of the tactics cited in our\r\n2021 Unit 42 Ransomware Threat Report have remained the same, we have seen a few deviations from REvil’s\r\nstandard attack lifecycle. For a quick reference, we have generated Actionable Threat Objects and Mitigations\r\n(ATOMs) to display REvil’s tactics, techniques, procedures and other indicators of compromise (IOCs).\r\nHow REvil Threat Actors Gain Access\r\nREvil threat actors continue to use previously compromised credentials to remotely access externally facing assets\r\nthrough Remote Desktop Protocol (RDP). Another commonly observed tactic is phishing leading to a secondary\r\npayload. However, we also observed a few unique vectors that relate to the recent Microsoft Exchange Server\r\nCVEs, as well as a case that involved a SonicWall compromise. Below are the five unique entry vectors observed\r\nthus far in 2021.\r\nA user downloads a malicious email attachment that, when opened, initiates a payload that downloads and\r\ninstalls a QakBot variant of malware. 
In at least one case, the version of QakBot we observed collected\r\nemails stored on the local system, archived them and exfiltrated them to an attacker-controlled server.\r\nIn one instance, a malicious ZIP file attachment containing a macro-embedded Excel file that led to an\r\nUrsnif infection was used to initially compromise the victim network.\r\nSeveral actors utilized compromised credentials to access internet-facing systems via RDP. It’s unclear how\r\nthe actors gained access to the credentials in these instances.\r\nAn actor exploited a vulnerability in a client SonicWall appliance categorized as CVE-2021-20016 to gain\r\naccess to credentials needed to access the environment.\r\nAn actor utilized the Exchange CVE-2021-27065 and CVE-2021-26855 vulnerabilities to gain access to an\r\ninternet-facing Exchange server, which ultimately allowed the actor to create a local administrator account\r\nnamed “admin” that was added to the “Remote Desktop Users” group.\r\nHow REvil Threat Actors Establish Their Presence Within an Environment\r\nOnce access is obtained, REvil threat actors typically utilize Cobalt Strike BEACON to establish their presence\r\nwithin an environment. In several instances we observed, they used the remote connection software\r\nScreenConnect and AnyDesk. In other cases, they chose to create their own local and domain accounts, which\r\nthey added to the “Remote Desktop Users” group. Further, the threat actors often disabled antivirus, security\r\nservices and processes that would interfere with or otherwise detect their presence within the environment.\r\nBelow are specific techniques we observed thus far in 2021:\r\nOnce the actor had access to the environment, they utilized different toolsets to establish and maintain their\r\naccess, including the use of Cobalt Strike BEACON as well as local and domain account creation. 
In one\r\ninstance, the REvil group utilized a BITS job to connect to a remote IP, download and then execute a\r\nCobalt Strike BEACON.\r\nIn several incidents, Unit 42 identified the use of “Total Deployment Software” by REvil threat actors to\r\ndeploy ScreenConnect and AnyDesk software to maintain access within the environment.\r\nIn many instances, the REvil actor(s) created local and domain level accounts through BEACON and NET\r\ncommands even if they had access to domain-level administrative credentials.\r\nUnit 42 observed common evasion techniques across all engagements in which REvil threat actors used\r\n[1-3] alphanumeric batch and PowerShell scripts that stopped and disabled antivirus products, services related\r\nto Exchange, Veeam, SQL and EDR vendors, as well as enabled terminal server connections.\r\nHow REvil Threat Actors Expand Access and Gather Intelligence\r\nIn most cases, REvil actors need to gain access to additional accounts that have a wider set of privileges in order\r\nto move further within the victim environment and carry out their mission. They often use Mimikatz to access\r\ncached credentials on the local host. However, Unit 42 also observed the SysInternals tool procdump as a means\r\nto dump the LSASS process. Unit 42 also found it common for this threat actor to access files with the name\r\n“password” within the filename. 
In one instance, we observed an attempt to gain access to a KeePass Password\r\nSafe.\r\nDuring the reconnaissance phase of attacks, REvil threat actors often utilize various open source tools to gather\r\nintelligence on a victim environment and in some cases resort to utilizing administrative commands NETSTAT\r\nand IPCONFIG to gather information.\r\nBelow are specific observations of REvil’s behavior in 2021.\r\nNetwork reconnaissance tools netscan, Advanced Port Scanner, TCP View and KPort Scanner were\r\nobserved in over half the engagements Unit 42 responded to.\r\nThe threat actors often use Bloodhound and AdFind to map out networks and gather other Active Directory\r\ninformation.\r\nIn two engagements, Unit 42 observed the use of ProcessHacker and PCHunter in what appeared to be an\r\nattempt to gain insight into processes and services running on hosts within the environment.\r\nHow REvil Threat Actors Move Laterally Throughout Compromised Environments\r\nIn general, REvil threat actors utilize Cobalt Strike BEACON and RDP with previously compromised credentials\r\nto laterally move throughout compromised environments. Additionally, Unit 42 observed use of the\r\nScreenConnect and AnyDesk software as methods of lateral movement. 
While we have seen other ransomware\r\ngroups employ these tactics, we observed REvil threat actors retrieving these binaries from file sharing sites such\r\nas MEGASync and PixelDrain.\r\nHow REvil Threat Actors Complete Their Objectives\r\nFinally, we observed REvil threat actors moving to the final stage of their attack, encrypting networks, staging and\r\nexfiltrating data, and destroying data to prevent recovery and hinder analysis.\r\nRansomware Deployment\r\nREvil threat actors typically deployed ransomware encryptors using the legitimate administrative tool\r\nPsExec with a text file list of computer names or IP addresses of the victim network obtained during the\r\nreconnaissance phase.\r\nIn one instance, a REvil threat actor utilized BITS jobs to retrieve the ransomware from their infrastructure.\r\nIn a separate instance, the REvil threat actor hosted their malware on MEGASync.\r\nREvil threat actors also logged into hosts individually using domain accounts and executed the ransomware\r\nmanually.\r\nIn two instances, the REvil threat actor utilized the program dontsleep.exe in order to keep hosts on during\r\nransomware deployment.\r\nREvil threat actors often encrypted the environment within seven days of the initial compromise. However,\r\nin some instances, the threat actor(s) waited up to 23 days.\r\nExfil\r\nThreat actors often used MEGASync software or navigated to the MEGASync website to exfiltrate\r\narchived data.\r\nIn one instance, the threat actor used RCLONE to exfiltrate data.\r\nDefense Maneuvers\r\nDuring the encryption phase of these attacks, the REvil threat actors utilized batch scripts and wevtutil.exe to clear\r\n103 different event logs. 
Additionally, while not an uncommon tactic these days, REvil threat actors deleted\r\nVolume Shadow Copies in an apparent attempt to further prevent recovery of forensic evidence.\r\nConclusion: Evolve\r\nWhile the REvil operational group may target large organizations, all are potentially susceptible to attack. As we\r\ndraw closer to a post-COVID-19 environment, IT and other defenders of networks should take time to learn what’s\r\nnormal in their environments and notice and question abnormalities. Investigate them. Question your defenses. Do\r\nall users need to be able to open macro-enabled documents? Do you have endpoint visibility and protections to, at\r\nminimum, alert you to secondary infections such as QakBot? If you absolutely need RDP, are you using tokenized\r\nMFA? And don’t question just once – question routinely. Think like the attacker. You might be able to stop your\r\norganization from being the next victim and escape being in the headlines for the wrong reasons.\r\nPalo Alto Networks customers are protected by:\r\nWildFire: All known samples are identified as malware.\r\nCortex XDR with:\r\nPrevention for known REvil indicators\r\nAnti-Ransomware Module to prevent REvil encryption behaviors.\r\nLocal Analysis detection to prevent REvil binary executions.\r\nBehavioral Threat Protection, Anti-exploitation modules and Suspicious Process Creation to prevent\r\nREvil techniques.\r\nXDR Analytics, Analytics BIOCs and BIOCs to detect REvil techniques.\r\nAutoFocus: Tracking related activity using the REvil tag.\r\nCortex XSOAR: “Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack” playbook. Playbook\r\nincludes the following tasks:\r\n1. Collect related known IOCs from several sources.\r\n2. Indicators, PS commands, Registry changes and known HTTP requests hunting using PAN-OS,\r\nCortex XDR and SIEM products.\r\n3. 
Block IOCs automatically or manually.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nSource: https://unit42.paloaltonetworks.com/revil-threat-actors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/revil-threat-actors/"
	],
	"report_names": [
		"revil-threat-actors"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434258,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a003b879cc1363c1b2e24eeab39bda070855c23c.pdf",
		"text": "https://archive.orkl.eu/a003b879cc1363c1b2e24eeab39bda070855c23c.txt",
		"img": "https://archive.orkl.eu/a003b879cc1363c1b2e24eeab39bda070855c23c.jpg"
	}
}