A recent money hungry group that encrypts all your information unless a ransom is paid off.

May 24, 2022Author: Eric Burdick

What is REvil?

Otherwise known as Ransomeware Evil or Sodinokibi, REvil is a recent form of ransomware that originated in Russia. The virus was run by a group of hackers that followed a ransomware as a service structure(RAAS). This is when a small group of people create the malicious code where others are recruited as affiliates to spread the software. According to reports, the internal code of REvil was very similar to the recently shut down group known as DarkSide, a group that conducted similar attacks. This could mean that the members of REvil and DarkSide could be one in the same.

How Does it Work?

Being a form of ransomware, once a user falls victim to an attack all of their files become encrypted and are locked out of their machines. Victims are locked behind a screen explaining the situation with a set of instructions. A large sum of money or cryptocurrency must be paid in order to be given the private key which will decrypt all the users files. The instructions give the user a time limit to obtain their files. Some versions of ransomware utilize a flashing screen or pop-up window to scare the victim into paying the ransom. If they cannot pay the ransom in time, the files will be deleted forever.

REvil’s Attacks

When a device falls victim to a ransomware attack, all the data falls under control of the attackers. When the supplier for Apple,Quanta Computer, fell victim to REvil. At the time, they had schematics for MacBook Pro designs that were yet to be announced. After, JBS S.A, the largest meat processing company in the world, was attacked by REvil. This forced its beef plants in the U.S to shut down until they paid their $11 million dollar ransom. A large number of service providers had REvil infected on their systems. The ransom was up to $70 million in order to restore encrypted data shutting down locations such as the Swedish Coop grocery store chain. Nearly 800 stores had to close until the ransom was paid off.

The Downfall of REvil

While many attacks were successful resulting in millions in ransom payments, some never worked out. Going back to the Apple example, REvil threatened to leak more schematics if a ransom of $50 million was paid off. However the ransom didn't lead to anything. It faded out and all traces of the attacks were removed from REvil’s website. In October of 2021, the servers of REvil were forced to go offline after being hacked by many high ranking government services.

How to Prevent any Ransomware Attacks

Ransomware can spark from multiple types of attacks. Malicious links and social engineering attacks are very common methods. Victims are typically users who are unaware of these kinds of attacks. It's important to be aware of the emails you open in the case of social engineering attacks, such as phishing. Through the use of backups, the damage of a ransomware attack can be reduced. However, it's important to include the best types of backups are ones kept on an offline, separate device as anything connected to the network are vulnerable to attacks.


  • 14, Comrade Lenin January, et al. “At Request of U.S., Russia Rounds up 14 Revil Ransomware Affiliates.” Krebs on Security, 14 Jan. 2022,

  • Kirk, Jeremy. “The Ransomware Files, Episode 6: Kaseya and Revil.” Bank Information Security,

  • “Revil Ransomware Gang Arrested in Russia.” BBC News, BBC, 14 Jan. 2022,

  • “Revil.” Wikipedia, Wikimedia Foundation, 15 Jan. 2022,

  • Vanian, Jonathan. “Everything to Know about Revil, the Group behind Several Devastating Ransomware Attacks.” Fortune, Fortune, 8 July 2021,

  • “What Is Revil Ransomware?” Nomios Group,

Stay up to date with Twitter, Instagram, Facebook, and LinkedIn so you always know what we’re up to!