REvil / Sodinokibi
What is REvil / Sodinokibi?
A Russian-speaking ransomware-as-a-service operation active 2019-2021, known for double extortion and the high-impact Kaseya VSA supply-chain attack.
REvil, also called Sodinokibi, emerged in April 2019 and was widely considered a successor to GandCrab. It operated as a RaaS in which affiliates kept 60-70 percent of ransoms and used aggressive tactics including auctions of stolen data and large public demands. Notable victims include Travelex (December 2019), JBS Foods (May 2021, paid 11 million USD), and Kaseya VSA in July 2021, when an MSP-side zero-day allowed REvil to push the encryptor to roughly 1,500 downstream organisations in one of the largest supply-chain ransomware events. In late 2021, US, EU and Russian authorities executed arrests, infrastructure takedowns and indictments. Russia's FSB announced arrests in January 2022, although operational restarts and rebrands have been reported intermittently since.
● Examples
- 01: The Kaseya VSA supply-chain attack in July 2021 propagated REvil to about 1,500 downstream MSP customers.
- 02: JBS Foods reportedly paid REvil 11 million USD in May 2021 to recover meat-processing operations.
● Frequently asked questions
What is REvil / Sodinokibi?
A Russian-speaking ransomware-as-a-service operation active 2019-2021, known for double extortion and the high-impact Kaseya VSA supply-chain attack. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against REvil / Sodinokibi?
Defences for REvil / Sodinokibi typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for REvil / Sodinokibi?
Common alternative names include: Sodinokibi, REvil RaaS.
● Related terms
- Ransomware Gang (defense-ops № 901): A financially motivated cybercriminal group that develops, operates, or distributes ransomware to extort organisations through file encryption and data leak threats.
- Ransomware-as-a-Service (RaaS) (malware № 902): A criminal business model in which ransomware operators rent their malware and infrastructure to affiliates who carry out attacks and share the proceeds.
- LockBit (defense-ops № 624): A Russian-speaking ransomware-as-a-service operation that became the most prolific ransomware brand globally between 2022 and 2024 before being heavily disrupted by Operation Cronos.
- Conti Ransomware (defense-ops № 215): A Russian-speaking ransomware operation active 2020-2022 that ran one of the highest-volume double-extortion programmes before disbanding after major internal leaks.
- BlackCat / ALPHV (defense-ops № 099): A Rust-based ransomware-as-a-service operation active from late 2021 to 2024, notable for cross-platform encryptors and aggressive multi-stage extortion.
- Supply Chain Attack (attacks № 1116): An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.