Everything you need to know about REvil Ransomware!

Revil Ransomware
Revil Ransomware

The name sounds weird, we know! But this ransomware is just as disrupting as it sounds. REvil ransomware, an amalgamation of ‘ransomware’ and ‘evil’, is a way for attackers to hold information hostage and extort money in exchange.

In this blog, you will get to know everything about REvil Ransomware, what it is, how it works, and previous attacks in detail.

So let’s start!

What is REvil Ransomware?

REvil (ransomware evil), also known as Sodin and Sodinokibi, is a well-funded criminal Ransomware-as-a-Service (RaaS) business that rose to prominence in 2019.

It is a widespread tool used by hackers to target unsuspecting organizations, steal sensitive data, and extort money.

Many organizations, understandably, are concerned about being victims of a REvil ransomware assault.

Organizations, known as affiliates, maintain the code while spreading the malware. REvil has been identified by researchers and security businesses as a variant of GandCrab. GandCrab is a major RaaS gang popular in 2018.

REvil is heavily pushed on cybercrime forums as the greatest alternative for hacking corporate networks.

REvil tailors its ransom demands to the yearly revenue of the company or “victim” it is pursuing. Cybercriminals have demanded up to 9% of the victim’s annual earnings, with amounts ranging from $1,500 to $42 million.

Why is REvil Ransomware Dangerous?

REvil ransomware is a file-blocking malware that encrypts data and distributes a ransom request message after infection. The letter indicates that you must pay a ransom in bitcoin—and that if you don’t pay on time, the demand will double.

REvil attackers made a name for themselves by stealing sensitive, unencrypted data from computers and networks with the REvil virus. They would then demand enormous sums of money from their victims. They threatened to disclose all their personal data by publishing it on a page called the ‘Happy Blog’ if they were not paid.

To make matters worse, a countdown meter indicates when data leaks will be made public, placing further strain on firms that have been attacked.

The Happy Blog highlights recent REvil victims and displays a fragment of the stolen data as proof that the data was stolen from multiple businesses.

How Does REvil Ransomware Work?

During human-operated ransomware attacks, REvil ransomware is one of the ransomware programs used. To maximize their damage, hackers utilize tools and tactics to map the network, acquire access to other internal systems, obtain domain administrator capabilities, and distribute ransomware to all workstations.

The ransomware is spread by phishing emails and disables processes on compromised computers, including email and other database servers, Microsoft Office applications, browsers, and backup utilities. To hinder file recovery, it also deletes Windows copies of files and other backups.

The use of Elliptic-Curve Diffie-Hellman key exchange distinguishes REvil ransomware from other forms of ransomware programs. These cryptographic methods are more difficult to crack because they employ shorter keys and are very efficient.

Previous Incidents of Ransomware Attacks

REvil also ran a company, selling third-party hackers hacking technologies and other tools. Members of REvil would rent the ransomware to other hacker organizations in order to carry out a similar assault.

They sell REvil ransomware as a service (RaaS). REvil would get a percentage of any ransomware payments made by the other organization in exchange for employing its services and software.

Interestingly, RaaS groups were used in several of the most high-profile ransomware operations.

The ransomware group has been connected to high-profile assaults, including one against Quanta, a Taiwanese business that supplies Apple with data center equipment. REvil claimed to have stolen secret information from Apple-like computer designs and wanted a $50 million ransom.

REvil, on the other hand, “mysteriously erased any references relating to the extortion attempt from its dark web blog,” as tech magazine MacRumors reported in April. It’s unknown whether Apple or Quanta paid the ransom at this time.

REvil is only driven by profit unlike state-sponsored hackers.

The infamous organization also claimed responsibility for hacking the New York law firm Grubman, Shire, Meiselas & Sacks. They claim to have gotten papers relating to former President Donald Trump.

US pipeline hacked by Ransomware REvil

The firm that owns the pipeline has allegedly paid a $5 million ransom to the cybercriminal gang that initiated the hack after a REvil ransomware attack on a vital US pipeline network disrupted fuel supply in the eastern United States. The payment was made using Bitcoins.

Colonial Pipeline Company faced a cyberattack on May 7th. The company carries nearly 45 percent of the gasoline and diesel used on the east coast of the United States. The company shut down operations after the attack.

Because of the closure, the US federal government declared a regional emergency to allow petroleum distribution via tanker trucks to alleviate the impact of shortages.

Is REvil Ransomware Still a Threat for Companies?

Police and the FSB raided 25 residences, arrested 14 persons, and confiscated 426 million roubles (approximately Rs 40 crore), $600,000 (about Rs 4 crore), 500,000 euros, computer equipment, and 20 luxury automobiles as part of a combined operation.

A Moscow court named the two defendants as Roman Muromsky and Andrei Bessonov and placed them in detention for two months, according to Reuters.

Muromsky was a web developer that created websites for a motorbike spare parts store named “Motohansa.” According to Sergei, the store owner, Muromsky was a very smart person and could do the hacking at a very little service charge.

Muromsky, who is in his forties, was born in the Russian city of Anapa, where he worked as a regular programmer.

Ransomware powered by bitcoin was implicated in 79% of worldwide cybersecurity incidents from 2020 to 2021, according to a study by Sophos. According to Sophos, the Conti and REvil ransomware attacks were at the top of the list.

So yes, Ransomware Revil attacks can still happen. It is therefore important for all businesses to take precautions against this security threat. Talk to our experts to talk


Ransomware attacks like the REvil, can take place anytime and anywhere. With proper cyber security measures in place, such attacks can be easily prevented.

Need help with securing your business?

Contact WPG to get cybersecurity services for your organization. We have a team of security experts who will assess your systems and implement the needed security measures.

Picture of Hitesh Patel
Hitesh Patel
Hitesh Patel is an engineer turned business owner of WPG Consulting. He is a techie enthusiast who believes in finding creative IT solutions to solve consumer problems.

IT Services You Can Count on WPG Consulting​

Managed IT Services

Cyber Security

Cloud Computing

Project Management

Disaster Recovery Planning

VoIP Services

IT Engineering

Strategic IT Consulting

Desktop IT Support

Software & eCommerce Development


Discover how can WPG Consulting help you?