This is a Threat Actor Profile on REvil, a ransomware-as-a-service (RaaS) syndicate. Believed to operate from inside Russia, the group was first observed in April of 2019. In June of 2019, the Federal Bureau of Investigation received notice of REvil (and its variants Sodin and Sodinokibi) being used to exploit Managed Service Providers (MSPs) and spread ransomware through the MSPs’ client networks. Since then, the group has grown into a highly connected service provider with a claimed revenue of $100 Million per year and a stated goal of growing that income to at least $1 Billion per year. AdvIntel Andariel served as the primary source of information for this report.
REvil is known to use many common RaaS techniques, including masquerading as a legitimate process, phishing emails that rely on user execution, and brute-forcing Remote Desktop Protocol (RDP) credentials.
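As an added defender-side example (not from the Avertium report), the following Python sketch shows the kind of detection the RDP brute-forcing technique above calls for: count failed RemoteInteractive logons per source address in a sliding window and raise the priority when a successful logon from the same source follows the burst. The event field names and sample values are constructed, modelled on Windows Security log fields.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in the shape of Windows Security log fields (not real logs).
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"time": "2021-06-01T02:00:00", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "administrator"},
    {"time": "2021-06-01T02:00:10", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "admin"},
    {"time": "2021-06-01T02:00:20", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "backup"},
    {"time": "2021-06-01T02:00:30", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "backup"},
    {"time": "2021-06-01T02:00:40", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "backup"},
    {"time": "2021-06-01T02:00:50", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "backup"},
    {"time": "2021-06-01T02:01:05", "id": 4624, "logon_type": 10, "src": "203.0.113.7", "user": "backup"},
    {"time": "2021-06-01T02:03:00", "id": 4625, "logon_type": 10, "src": "198.51.100.4", "user": "jdoe"},
    {"time": "2021-06-01T02:03:30", "id": 4625, "logon_type": 10, "src": "198.51.100.4", "user": "jdoe"},
    {"time": "2021-06-01T02:03:45", "id": 4624, "logon_type": 10, "src": "198.51.100.4", "user": "jdoe"},
    {"time": "2021-06-01T02:04:00", "id": 4625, "logon_type": 2, "src": "10.0.0.5", "user": "svc"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source addresses with >= threshold failed RDP logons inside a sliding
    window, and record whether a successful RDP logon from that source followed."""
    failures = defaultdict(deque)  # src -> timestamps of recent failed logons
    users = defaultdict(set)       # src -> account names tried from that source
    alerts = {}                    # src -> alert summary
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        t, src = datetime.fromisoformat(ev["time"]), ev["src"]
        if ev["id"] == 4625:
            q = failures[src]
            q.append(t)
            users[src].add(ev["user"])
            while t - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "users": users[src],
                                            "success_after_burst": None})
                a["failures"] = max(a["failures"], len(q))
        elif ev["id"] == 4624 and src in alerts:
            # A success right after a burst of failures is the high-priority signal:
            # the guessing may have worked, so the account name is worth recording.
            alerts[src]["success_after_burst"] = ev["user"]
    return alerts
```

Only 203.0.113.7 crosses the default threshold; 198.51.100.4 stays below it and the console (LogonType 2) failures from 10.0.0.5 are ignored entirely.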
REvil is particularly notable for targeting service providers and their clients, as in the May 2020 attack on the law firm Grubman Shire Meiselas & Sacks. REvil representatives have claimed they exploited a basic vulnerability in Citrix as their breach method. After compromising the firm, the group launched similar attacks against many of the firm’s clients.
Most recently, REvil has been connected to the attack on the JBS Meat Company. This attack highlights a development in RaaS: REvil partnered with another cyber-crime group, QBot, to deliver malware to the target. This operation is in line with statements made by a REvil representative in October of 2020 indicating that the group was interested in partnering with other syndicates to increase the pool of available targets.
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed.
This informed analysis is based on the latest data available.