REvil is the commonly used handle for a threat actor group dealing primarily in ransomware. The same criminal outfit is sometimes referred to as Sodinokibi, after the name of another strain of ransomware the group originally used.
REvil is a private operation run by cybercriminals who operate a ransomware-as-a-service ring. Affiliated parties can, in a sense, rent out REvil's server infrastructure and ransomware payloads and launch attacks of their own, splitting any potential illegal profit from paid ransom with the REvil group.
There is no hard evidence about the country out of which REvil operates, but there is speculation that the group might be based in Russia, because it has never launched an attack against businesses and targets located in Russia or in other countries belonging to the so-called ex-Soviet bloc. There is also speculation that the REvil group is somehow related to the DarkSide threat group, as the code of the ransomware the two hacker groups use has certain similarities.
The REvil group has been in the sights of the infosec community since late 2019, with significant attacks and activity picking up in 2020.
Notable Past Attacks Attributed to REvil
The most notable attacks executed by REvil in the past include the attack on Quanta Computers, a hardware manufacturer based in Taiwan. REvil stole plans and documentation relating to upcoming Apple products in the attack.
Just over a month ago, REvil were also behind the massive ransomware job on JBS USA Holdings - the largest fresh meat supplier in the US. The attack culminated in JBS paying up a massive $11 million to the hackers to get a decryption tool and restore their networks to normal working order.
In June 2021, REvil also took responsibility for the ransomware attack reported by a US-based power generation equipment company.
New Attack Efforts Launched By REvil Ransomware Hackers Targeting Hundreds of Companies During July 4th Holiday
A cyber campaign involving REvil ransomware began targeting businesses in North America over the 4th of July weekend. In this particular attack, known as a supply-chain attack, REvil used third-party remote desktop software developed by IT support firm Kaseya to spread its payload to other businesses.
The company stated that their remote software was being used to spread REvil to unsuspecting victims. Reports state that at least 200 US companies have been affected as well as 40 international companies.
The REvil ransomware attack was discovered on Friday, July 2nd, after REvil used a software update to compromise Kaseya’s remote desktop services. In response to the attack, the company shut down its SaaS servers to protect customer data and urged customers to take precautionary measures against the hack. However, since the attack happened just as the July 4th holiday began, it is likely that responses to the threat by affected companies will be delayed.