Last Updated: September 2nd, 2025 | 7 min read | Categories: AI, Cybersecurity, Network Protection

REvil Ransomware: The Rise and Fall of One of the World’s Most Notorious Cybercrime Gangs

These days, cybercriminals are rarely lone hackers working in the shadows. Typically, they are now well-funded and highly organized groups capable of paralyzing even the largest businesses overnight. These ransomware gangs use business-like structures with specialized roles, revenue-sharing models and advanced technical capabilities that make them difficult to stop and even harder to predict.

Among the most notorious of these was the REvil group. Active from 2019 to 2021, it was a highly organized operation using a Ransomware-as-a-Service (RaaS) model, responsible for some of the most disruptive and costly attacks in recent years. While REvil has now been dismantled, the methods it pioneered continue to shape the tactics of today’s cybercriminals, presenting both ongoing challenges and valuable anti-ransomware lessons for modern businesses.

What was the REvil ransomware group?

The REvil group is thought to have earned $200m in ransom payments

REvil, also known as Sodinokibi, emerged in 2019 and is widely believed to have evolved out of the GandCrab ransomware group. Thought to be based in Russia or Russian-speaking regions, the group operated with relative freedom due to the lack of enforcement against cybercriminals targeting foreign organizations.

It quickly became one of the most prolific operators in the ransomware landscape through its use of the RaaS model. This approach allowed the core developers to create and maintain the malware, while recruiting affiliates to deploy it against victims.

These affiliates would infiltrate networks, exfiltrate sensitive data and trigger encryption, while REvil handled ransom negotiations and payment processing. Profits were split between the group and its partners, enabling rapid scaling of attacks and a global reach that affected organizations across multiple sectors. According to the US Justice Department, it is thought to have infected around 175,000 devices during its active years, taking in more than $200 million in ransom payments from victims.

How did REvil ransomware attacks work?

REvil attacks typically began in one of several ways: affiliates exploited unpatched software vulnerabilities, stole credentials through phishing campaigns or abused Remote Desktop Protocol connections to gain access to a target network. Once inside, they moved laterally to identify and compromise valuable systems while avoiding ransomware detection by disabling security tools and deleting backups.

The group relied heavily on data exfiltration, stealing sensitive files before deploying its encryption payload. This enabled its signature double extortion tactic, where victims were threatened not only with data loss but also with public exposure of stolen information unless they paid. REvil maintained dedicated leak sites on the dark web to publish or auction off data from non-compliant victims.

Negotiations often used psychological pressure such as strict payment deadlines, threats to contact media outlets or customers and staged leaks to increase urgency. This combination of technical precision and intimidation made REvil one of the most feared ransomware operations in the world.

Major REvil Attacks: 3 Key Case Studies

REvil’s level of organization and sophistication allowed it to launch some of the most disruptive ransomware campaigns on record, targeting victims across multiple sectors, from government to healthcare. These demonstrate how quickly a single compromise can escalate into widespread operational shutdowns, large-scale data theft and severe financial consequences for victims and their customers.

Kaseya Supply Chain Attack (July 2021)

REvil exploited a zero-day vulnerability in Kaseya’s VSA remote management software, allowing it to push malicious updates carrying ransomware through managed service providers directly into client networks. This attack hit up to 1,500 businesses worldwide, including Coop supermarkets in Sweden, which closed around 500 stores while systems were restored. The group encrypted customer systems and demanded a $70 million payment in exchange for the decryption key.

Beyond the ransom, downtime, remediation and reputational harm cost victims millions of dollars. The attack highlighted the devastating potential of supply chain compromises that extend far beyond the original target.

JBS USA Attack (May 2021)

Targeting the world’s largest meat supplier, REvil breached JBS’ IT infrastructure, affecting beef, poultry and pork processing operations across the US, Canada and Australia. The intrusion forced plant shutdowns, disrupted supply chains and threatened food distribution nationwide.

Sensitive operational data was stolen before encryption, enabling a double extortion demand. JBS ultimately paid $11 million in Bitcoin to prevent further damage and restore systems, illustrating the significant leverage REvil could exert on key industries.

Acer and Quanta Computer Breaches (March–April 2021)

In March 2021, REvil targeted tech manufacturer Acer, demanding $50 million after exploiting vulnerabilities in Microsoft Exchange servers to access sensitive corporate files. Just weeks later, it struck Quanta Computer, a key Apple supplier, exfiltrating confidential design schematics for unreleased products.

The group threatened to leak the data unless paid, escalating the ransom to $100 million. Although the ransom was not paid in this case, these attacks demonstrated REvil’s ability to exploit vulnerabilities for high-value intellectual property theft, putting intense pressure on companies through the threat of public exposure.

The Global Takedown of REvil

In late 2021 and early 2022, REvil became the focus of an unprecedented multinational law enforcement effort involving agencies from the United States, Russia and several European nations. Coordinated operations seized the group’s dark web infrastructure, dismantled servers and disrupted its command-and-control systems.

Russian authorities arrested multiple suspected members and seized assets linked to ransomware proceeds. The FBI and partners also recovered decryption keys for many victims, allowing for the recovery of lost data and blunting further extortion attempts.

However, while the takedown dealt a significant blow, it also highlighted how quickly organized cybercrime can adapt and re-emerge under new names or structures.

REvil’s Lingering Legacy: Why the Threat Isn’t Over

REvil’s rise and fall left lasting lessons for both businesses and the cybercriminal community. For organizations, the group’s campaigns highlighted the importance of rapid patching, robust backup strategies and proactive threat monitoring.

For other hackers, REvil proved the profitability and scalability of RaaS, inspiring new operations that have adopted and refined its double extortion tactics, as well as lowering the barrier to entry for would-be attackers. Splinter groups and rebranded gangs continue to use similar playbooks, often with greater technical sophistication and targeting precision.

To defend against this evolving threat, there are several steps businesses must take to detect and respond to ransomware quickly. These include:

  • Patching systems promptly to address known vulnerabilities
  • Implementing multi-factor authentication and least privilege access
  • Monitoring for unusual network and endpoint activity
  • Maintaining secure, tested offline backups
  • Educating staff on phishing and social engineering risks
  • Implementing dedicated anti data exfiltration (ADX) solutions to protect against double extortion attacks
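The monitoring step above is easier to act on with a concrete picture of what "unusual activity" means for this playbook. The following is an added example, not REvil code or any vendor's product: a small Python detector that runs over constructed endpoint and network log lines and flags the three behaviours described earlier in the article (backup deletion, disabling of security tools, and bulk outbound transfer before encryption), then escalates any host showing both exfiltration and backup destruction as a likely double-extortion precursor. The log format (pipe-separated `key=value` fields), the sample records, the host names, the IP addresses and the 500 MiB exfiltration threshold are all constructed for the example; the command-line patterns are publicly documented recovery-inhibition and tamper techniques, not REvil-specific indicators.

```python
"""Turn the attack chain described above into detection rules over sample logs.

Added illustration only. The log format, every sample record and the
exfiltration threshold below are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample log. Each record is 'key=value' fields joined by '|';
# the 'cmd' field is assumed never to contain '|' itself.
SAMPLE_LOG = """\
ts=2021-07-02T13:01:10Z|host=ws-17|type=process|user=jdoe|cmd=C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
ts=2021-07-02T13:01:12Z|host=ws-17|type=process|user=jdoe|cmd=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
ts=2021-07-02T13:01:15Z|host=ws-17|type=process|user=jdoe|cmd=wbadmin delete catalog -quiet
ts=2021-07-02T13:05:00Z|host=ws-17|type=netflow|dst=203.0.113.44|dport=443|bytes_out=734003200
ts=2021-07-02T13:05:30Z|host=ws-17|type=netflow|dst=203.0.113.44|dport=443|bytes_out=812345678
ts=2021-07-02T13:06:00Z|host=ws-22|type=process|user=svc_backup|cmd=C:\\Windows\\System32\\notepad.exe report.txt
ts=2021-07-02T13:06:05Z|host=ws-22|type=netflow|dst=198.51.100.9|dport=443|bytes_out=20480
"""

# Publicly documented commands used to destroy local backups / shadow copies.
BACKUP_DESTRUCTION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
# Disabling Defender real-time protection or other protections via PowerShell.
SECURITY_TAMPERING = [
    re.compile(r"Set-MpPreference\s+-Disable", re.I),
]
# Constructed threshold: total outbound bytes per host in the log window.
# A real deployment derives this from a per-host or per-role baseline.
EXFIL_THRESHOLD_BYTES = 500 * 1024 * 1024


def parse_line(line):
    """Split one 'k=v|k=v' record into a dict (values may contain spaces)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def analyze(log_text, exfil_threshold=EXFIL_THRESHOLD_BYTES):
    """Return (host, rule, detail) alerts: process rules in log order, then
    one bulk_exfiltration alert per host whose outbound total exceeds the threshold."""
    alerts = []
    bytes_out = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        host = rec.get("host", "?")
        if rec.get("type") == "process":
            cmd = rec.get("cmd", "")
            if any(p.search(cmd) for p in BACKUP_DESTRUCTION):
                alerts.append((host, "backup_destruction", cmd))
            if any(p.search(cmd) for p in SECURITY_TAMPERING):
                alerts.append((host, "security_tool_tampering", cmd))
        elif rec.get("type") == "netflow":
            bytes_out[host] += int(rec.get("bytes_out", 0))
    for host, total in sorted(bytes_out.items()):
        if total > exfil_threshold:
            alerts.append((host, "bulk_exfiltration", f"{total} bytes outbound"))
    return alerts


def escalate(alerts):
    """Hosts showing both bulk exfiltration and backup destruction match the
    double-extortion pattern: data stolen, then recovery options removed."""
    by_host = defaultdict(set)
    for host, rule, _ in alerts:
        by_host[host].add(rule)
    return sorted(h for h, rules in by_host.items()
                  if {"bulk_exfiltration", "backup_destruction"} <= rules)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for host, rule, detail in found:
        print(f"[{rule}] {host}: {detail}")
    print("escalate:", escalate(found))
```

On the sample log this raises two backup-destruction alerts and one tamper alert for `ws-17`, plus an exfiltration alert once its outbound total (about 1.5 GB to a single destination) crosses the threshold, and `ws-17` alone is escalated; `ws-22` stays quiet. The point of the correlation step is timing: by the time encryption runs, the only window left is the one between exfiltration and backup deletion, so alerting on their combination rather than on either alone is what gives responders a chance to isolate the host before the payload executes.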

The dismantling of REvil was a success story for authorities in the fight against ransomware, but the business model it perfected remains alive and dangerous, demanding constant vigilance from organizations worldwide.
