{
	"id": "f6ad7c3f-0e68-4c6a-a79e-bf6aec92aa26",
	"created_at": "2026-04-06T00:11:28.327963Z",
	"updated_at": "2026-04-10T03:37:23.76742Z",
	"deleted_at": null,
	"sha1_hash": "ae09c7a3f79f5d4c628c17625c0cd051eb5f6bb6",
	"title": "REvil-ution - A Persistent Ransomware Operation - CYJAX",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53563,
	"plain_text": "REvil-ution - A Persistent Ransomware Operation - CYJAX\r\nBy William Thomas\r\nPublished: 2021-07-09 · Archived: 2026-04-05 22:39:02 UTC\r\nREvil (short for Ransomware Evil) is a revolutionary ransomware operation. Its predecessor, GandCrab, which\r\nwas retired in early 2019, pioneered the concept of ransomware-as-a-service (RaaS) for “big game hunting”\r\ncampaigns (where corporate targets are selected according to their annual turnover). REvil’s operators (also\r\nknown as GoldSouthfield or PinchySpider) continued where GandCrab left off, and thrived. This success\r\nencouraged other ransomware strains to be distributed as a RaaS. REvil is known to have many affiliates, many of\r\nwhom overlap with GandCrab’s. Password spraying, exploiting unpatched systems, and initial access\r\nmalware families – such as IcedID or Qakbot – and now supply-chain attacks, are all methods of distributing\r\nREvil. The tactics, techniques, and procedures (TTPs) of this group continue to evolve and it remains one of the\r\nprimary threats to large organisations.\r\nOn 2 July, reports emerged of a widespread ransomware supply-chain attack on US-based firm Kaseya, whose VSA remote\r\nmanagement and monitoring (RMM) tool is used by multiple managed service providers (MSPs). Kaseya warned\r\ncustomers to immediately shut down their VSA server as REvil ransomware was spreading through its auto-update function. By design, Kaseya's RMM software gives administrators the right to install new software on\r\nmultiple systems. This mechanism was hijacked by the ransomware operators to launch REvil with high-level\r\nprivileges. Kaseya has reported that up to 60 MSPs, with as many as 1,500 client organisations, are affected. REvil\r\nstated in a post on its darknet leaks site, Happy Blog, that over one million systems had been encrypted,\r\ndemanding a $70 million ransom in Bitcoin for a universal decryptor.\r\nFig. 
1 – Kaseya appearing on REvil’s Happy Blog darknet leaks site\r\nOn the cybercrime forums, the REvil RaaS is represented by a user called UNKN (or Unknown) who recruited the\r\nfirst customer for the ransomware’s affiliate program in July 2019. As the ransomware's reputation grew, by\r\nhitting larger targets in the public and private sector and making more money, increasingly talented affiliates were\r\nbrought on board. UNKN’s interviews with journalists reveal just how successful the group has been. UNKN\r\nclaims that the group makes a profit of $100 million each year and is aiming to make at least $1 billion.\r\nThe REvil development team is said to consist of around ten individuals with as many as 60 affiliates that perform\r\nthe active deployment of the ransomware. In February 2020, REvil’s data-theft-extortion campaign accelerated\r\nwith the launch of the Happy Blog. REvil’s notoriety increases the chances of securing a ransom payment. The\r\ngroup’s high-profile leaks are frequently covered by mainstream outlets, which works as further motivation for\r\norganisations that initially refuse to pay a ransom to engage with the threat actors.\r\nFig. 2 – The auction site used to sell stolen data if the ransom is not paid\r\nREvil is at the top of a pyramid of around 30 other ransomware groups that perform Big Game Hunting (BGH)\r\ncampaigns. As noted above, BGH sees groups target large organisations, from both the private and public sectors,\r\nwith high annual revenues, so that their victims are more likely to be able to pay multi-million dollar ransom\r\nhttps://www.cyjax.com/2021/07/09/revilevolution/\r\nPage 1 of 3\n\ndemands. These amounts, however, have increased significantly since 2019, peaking at a $50 million demand\r\nfrom Acer (it is unknown if they paid) and securing an $11 million ransom from JBS Foods, after originally asking\r\nfor $22.5 million in Bitcoin. 
Other significant victims targeted by REvil over the last two years include 20 Texas\r\nlocal administrations, Travelex, SoftwareOne, Quest, GSM Law, Banco Estado, Quanta, FujiFilm, Sol Oriens,\r\nInvenergy, and more recently French Connection.\r\nFig. 3 – Example of the REvil ransom note\r\nFig. 4 – The REvil decryption site\r\nWhen it was first discovered in April 2019, REvil was delivered via exploiting vulnerabilities in Oracle WebLogic\r\nweb servers. Since then, the ransomware has been deployed in a number of ways, including via malicious spam\r\ncampaigns, exploit kits, and RDP brute-forcing. To escalate privileges, REvil also exploits CVE-2018-8453, a\r\nWin32k vulnerability, which is rare among ransomware families. REvil’s BGH campaign has been successful in\r\nleveraging exploits for unpatched VPN products for initial access. This includes Pulse Connect Secure (vulnerable\r\nto CVE-2019-11510) and Citrix ADC gateway (CVE-2019-19781), as well as the BlueGate vulnerabilities\r\naffecting the Windows Remote Desktop Gateway (tracked as CVE-2020-0609 and CVE-2020-0610). This is no\r\ncoincidence: during the COVID-19 pandemic, since March 2020, VPNs and RDP have become widely used, with\r\nmany forced to work from home and establish remote connections to the office.\r\nIn the last six months, there have been several reports of REvil ransomware deployment following an initial\r\nIcedID or Qakbot infection. IcedID and Qakbot are reportedly developed by LunarSpider and MallardSpider,\r\nrespectively. These top-tier malware developers collaborate with affiliates and act as Access-as-a-Service brokers\r\nfor several ransomware gangs, such as Conti or RansomExx, alongside REvil. Both are currently pushed by the\r\nShathak botnet, operated by a group known as TA551 (also called GoldCabin). IcedID and Qakbot both began life\r\nas banking Trojans, used for fraud and hijacking accounts. 
Infections by either malware family are usually now\r\nfollowed by Cobalt Strike and hands-on-keyboard activity that enables threat actors to move laterally, steal data,\r\nand encrypt target networks to hold them to ransom.\r\nThe fame and profits achieved by the REvil ransomware gang inevitably attracted other cybercriminal syndicates.\r\nC\u0026C servers belonging to the infamous FIN7 group (also called CarbonSpider or Carbanak) were linked by\r\nsecurity researchers to REvil’s infrastructure, indicating that FIN7 was likely an operator and affiliate. This\r\nis a burgeoning trend, as cybercriminal APT groups shift from Point-of-Sale malware to ransomware, with the\r\nformer no longer being as profitable as it once was. This has been accelerated by the closure of Joker’s Stash,\r\nonce the largest darknet market for stolen credit cards. Its shutdown left a vacuum, making it harder\r\nfor the carders to cash out after a heist, leading many to turn to RaaS and BGH campaigns.\r\nMost updates about the REvil RaaS project come from the underground Russian-speaking forums. Here, UNKN\r\nannounces major developments to the RaaS, including technical updates and strategies. It was on the forums that\r\nwe first learned about the RaaS, the extortion site, affiliate recruitment drives, notifications to NASDAQ,\r\nacquisition of the KPOT stealer, the arrival of DDoS attacks, calling victims and the media, and the Linux version\r\nof REvil. These updates are posted across multiple darknet forums where UNKN recruits affiliates for the REvil RaaS.\r\nThese adverts are a key part of the REvil operation because the RaaS is ultimately competing with other offerings\r\nthat may give their affiliates a greater split of the ransom.\r\nFig. 
5 – Example of UNKN’s posts to underground cybercrime forums\r\nThe most recent update to REvil is the addition of a variant to encrypt Linux systems and VMware ESXi virtual\r\nmachines. In May, UNKN announced that the group was developing a Linux version of the ransomware and one\r\nfor network-attached storage (NAS) devices. The Linux version of REvil, which also targets ESXi, has now been\r\ndiscovered in the wild. It is an ELF64 executable file that includes the same configuration options utilised by the\r\nmore common Windows executable version of REvil. When executed on ESXi servers, it will run the ESXCLI\r\ntool to list all running ESXi virtual machines and terminate them. It will then close any open virtual machine disk\r\n(VMDK) files so that the ransomware can encrypt them.\r\nThe targeting of VMware ESXi servers has proven successful for ransomware operators and will continue to be so\r\nwhile so many remain unsecured. By targeting the management servers this way, ransomware can encrypt\r\nmultiple virtual machines at once with a single command. Here, REvil is following a trend pioneered by others.\r\nRansomware operations such as Babuk, RansomExx, DarkSide, and Hellokitty have all previously created Linux\r\nencryptors to target ESXi virtual machines.\r\nFig. 6 – Timeline of the REvil ransomware campaign by Cyjax\r\nThe REvil campaign continues to evolve. Over 260 victims have been leaked to the Happy Blog (all of which\r\nhave been recorded by the Cyjax Portal) and countless others will have paid a ransom to prevent a listing. To\r\nevade international law enforcement, UNKN stated that the group members never travel and claim to be\r\n“absolutely apolitical”, which is why they have allegedly “never been contacted by any local intelligence offices”\r\nin countries in which they operate.\r\nUNKN also admitted to journalists that the arrests of other ransomware gangs benefit the REvil operation. 
The\r\nclosure of Maze ransomware, for example, saw REvil’s number of affiliates increase. In May 2021, during the\r\naftermath of the Colonial Pipeline ransomware attack perpetrated by the DarkSide gang, the underground\r\ncybercriminal community announced a ban on ransomware on multiple forums. This has significantly affected\r\nREvil’s ability to advertise as a semi-public RaaS offering. However, UNKN stated that REvil will be moving to a\r\nclosed affiliate program that can only be contacted directly. This is not the end of the REvil RaaS, although it will\r\nundoubtedly have impacted their ability to recruit affiliates.\r\nREvil’s latest campaign against Kaseya and its MSP customers is by far the group’s most devastating to date. It\r\nwas always likely that one of the many well-resourced ransomware gangs would launch a widespread supply-chain attack. At the end of 2020, we saw two similar disruptive incidents: Cl0p ransomware exploiting Accellion\r\nFTA servers and the SolarWinds SUNBURST campaign. Targeting vulnerable software or distributing Trojanised\r\nupdates makes for a highly effective attack campaign, especially against IT service providers. Compromising one\r\nsoftware update can lead to thousands of victims. REvil has shown itself to be capable of rapid evolution. Expect\r\nto hear more from them throughout 2021.\r\nSource: https://www.cyjax.com/2021/07/09/revilevolution/\r\nhttps://www.cyjax.com/2021/07/09/revilevolution/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyjax.com/2021/07/09/revilevolution/"
	],
	"report_names": [
		"revilevolution"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434288,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae09c7a3f79f5d4c628c17625c0cd051eb5f6bb6.pdf",
		"text": "https://archive.orkl.eu/ae09c7a3f79f5d4c628c17625c0cd051eb5f6bb6.txt",
		"img": "https://archive.orkl.eu/ae09c7a3f79f5d4c628c17625c0cd051eb5f6bb6.jpg"
	}
}