In recent years, ransomware has evolved from opportunistic attacks on individuals to meticulously orchestrated campaigns targeting enterprises, critical infrastructure, and global supply chains. At the center of this transformation is the rise of Ransomware-as-a-Service (RaaS)—a business model where threat actors lease ransomware payloads to affiliates in exchange for a cut of the profits. This model has significantly lowered the barrier to entry for cybercrime and turned ransomware into a multi-billion-dollar criminal industry.
Among the most notorious and technically advanced ransomware families operating under this model is REvil (Ransomware Evil), also known by its original name Sodinokibi. First detected in early 2019, REvil quickly rose to prominence by executing high-profile attacks against enterprises, managed service providers (MSPs), and critical infrastructure operators. Its developers adopted a ruthless strategy of double extortion—encrypting files and simultaneously stealing sensitive data to pressure victims into paying massive ransoms, often reaching into the tens of millions.
What makes REvil particularly dangerous is its sophisticated modular architecture, configurability, and its use of exploited zero-day vulnerabilities, making it an unusually persistent and evasive threat. The group has been linked to large-scale incidents including the JBS Foods breach and the Kaseya supply chain attack, both of which crippled organizations across multiple countries in a matter of hours.
Despite coordinated global takedown efforts between 2021 and 2022, the legacy of REvil persists. Its codebase, tactics, and RaaS model continue to influence new and emerging ransomware variants, underscoring the need for continuous vigilance.
This blog delivers technical, verified, and source-supported intelligence on REvil ransomware. It is designed specifically for enterprise security professionals, network administrators, and incident response teams who need to understand the underlying mechanics of REvil attacks. From infiltration methods to payload behavior, configuration analysis, and mitigation strategies, this article offers a comprehensive breakdown of the REvil ransomware threat landscape.
What You Need to Know About REvil: Origins, Business Model, and Global Impact
REvil didn’t come out of nowhere—it evolved from GandCrab’s playbook
REvil made its debut in April 2019, but it didn’t appear out of thin air. It evolved from the remnants of GandCrab ransomware, one of the earliest examples of ransomware sold as a service. Analysts have long pointed to shared code structures, behavior patterns, and infrastructure overlap, indicating REvil either borrowed heavily from GandCrab or was built by the same actors.
Where GandCrab tested the waters, REvil went global—becoming infamous for executing large-scale ransomware campaigns with devastating speed and precision. It gained notoriety through attacks on:
- JBS Foods (May 2021), which temporarily halted meat production across multiple continents.
- Kaseya VSA (July 2021), a supply chain breach that infected over 1,500 downstream businesses via a single managed services platform.
Rather than going after isolated targets, REvil specialized in high-impact enterprise-level ransomware attacks, often coordinated to hit during holidays or off-hours to minimize response time and maximize damage.
REvil turned ransomware into a business—literally
REvil operated under a Ransomware-as-a-Service (RaaS) model, allowing affiliates—other cybercriminals—to lease the ransomware kit and execute attacks. In return, these affiliates handed over a cut of each ransom (typically 20–30%) to REvil’s core operators.
This model helped REvil scale rapidly. Affiliates ranged from lone operators with access to compromised credentials to advanced threat actors exploiting zero-day vulnerabilities. REvil’s platform provided them with:
- A fully customizable ransomware builder
- A back-end dashboard for tracking victims
- Dark web portals for negotiation and payment
By distributing the work of infiltration, lateral movement, and negotiation to affiliates, REvil built a decentralized, industrial-scale ransomware operation—while shielding its core developers from direct attribution.
REvil didn’t just hit hard—it hit the right targets
REvil’s affiliate model wasn’t a free-for-all. Targets were strategically selected for their size, data sensitivity, or operational criticality. Industries hit hardest included:
- Managed Service Providers (MSPs)
- Healthcare and life sciences
- Finance, law, and insurance
- IT and industrial supply chain vendors
The ransomware was also geographically selective. It was engineered to avoid infecting systems in Russia and CIS countries, likely to stay out of reach of domestic law enforcement.
According to threat intelligence data:
- REvil ransom demands typically ranged between $50,000 and $70 million.
- Nearly a quarter of known victims were based in the United States, with others in Mexico, Germany, and Western Europe.
- Many attacks targeted companies with cyber insurance, increasing the likelihood of payment.
REvil’s focus on big-game hunting, combined with double extortion tactics and a scalable delivery model, made it one of the most damaging ransomware operations in modern cybercrime history—and one of the most studied by security professionals worldwide.
How REvil Works Under the Hood: A Look at Its Core Payload Behavior
Understanding how REvil operates at the code level is critical to effective defense. Unlike less sophisticated ransomware variants, REvil was built for adaptability, stealth, and speed—hallmarks of a well-maintained Ransomware-as-a-Service (RaaS) toolset. Its payload isn’t a one-size-fits-all binary; it’s modular, configurable, and engineered for enterprise-scale disruption.
REvil’s Encryption Is Fast, Strong, and Designed for Scale
At its core, REvil uses a hybrid encryption model:
- Salsa20 handles the symmetric encryption of files. It’s chosen for its speed and efficiency, especially on large volumes of data.
- Each symmetric key is then encrypted with an attacker-controlled RSA-2048 or ECC public key, meaning victims can’t recover their files without the corresponding private key.
This two-layer encryption model ensures both performance and cryptographic strength, allowing REvil to encrypt vast numbers of files without noticeably degrading system performance—until it’s too late.
REvil’s Behavior Is Controlled Through a JSON Configuration File
One of REvil’s defining traits is its use of a JSON-formatted configuration file, embedded into the payload. This file governs nearly every aspect of the ransomware’s behavior:
- Which file types to target
- Which processes to terminate before encryption begins
- Whether to target network shares or only local files
- Whether to wipe shadow copies or disable Windows recovery features
- Custom text for ransom notes and desktop wallpapers
This level of configurability makes REvil particularly dangerous in the hands of experienced affiliates, who can tailor each attack based on the environment they’re targeting—Windows workstations, servers, backups, or remote shares.
Persistence Ensures REvil Stays Put After Initial Execution
REvil ensures it survives a reboot or user intervention by establishing persistence in the following ways:
- It creates scheduled tasks to re-launch the payload on system boot.
- It sets registry keys under typical persistence paths (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) to maintain execution across sessions.
This allows REvil to maintain its foothold in compromised systems long enough to complete file encryption, initiate exfiltration, or wait for user inactivity before triggering.
Command-Line Switches Give Attackers Flexible Deployment Options
REvil supports a variety of command-line arguments, giving operators control over how and where it executes:
- -nolan – skips network share encryption
- -nolocal – avoids encrypting files on local disks
- -fast – prioritizes speed, encrypting only the beginning of large files
- -full – enforces full file encryption, regardless of size
These switches make the ransomware adaptable to different operational goals. For example, an affiliate might use -fast to maximize disruption on high-volume file servers or -nolocal to avoid detection during lateral movement.
REvil Disables Defenses Before Making Its Move
Before encryption begins, REvil takes deliberate steps to evade detection and neutralize defenses:
- It forcibly terminates processes related to databases, email servers, security tools, and backups (e.g., sqlservr.exe, vssadmin.exe, or endpoint protection agents).
- It can execute PowerShell commands to disable antivirus services or Windows Defender components.
- In some deployments, REvil disables system recovery features, deletes volume shadow copies, and modifies boot settings to prevent rollback.
These anti-forensics tactics ensure that by the time the ransom note appears, victims have few recovery options—unless they’re fully prepared with isolated, immutable backups.
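As an added defender-side example (not code from the article), the following Python turns the behaviours listed in this section and in the persistence section above into detection rules, runs them over constructed endpoint events and correlates the hits per host. The event field names and every sample record are assumptions modelled loosely on Sysmon-style telemetry.

```python
"""Flag REvil-style pre-encryption activity in constructed endpoint events.
Added example, not code from the original article. The event records and
field names (event_type, image, command_line, target_object, details) are
assumptions loosely modelled on Sysmon-style process-creation and
registry-value telemetry; every sample event below is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    ts: int
    rule: str
    category: str
    evidence: str

# Command-line rules for the steps the article lists before encryption: shadow-copy
# deletion, recovery/boot tampering, Defender tampering, boot tasks, PsExec use.
COMMAND_RULES = [
    ("vssadmin_delete_shadows", "recovery_inhibit",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete", "recovery_inhibit",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_recovery_off", "recovery_inhibit",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|"
                r"bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("defender_disable", "defense_tamper",
     re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$?true", re.I)),
    ("schtasks_onstart", "persistence",
     re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b.*/sc\s+onstart\b", re.I)),
    ("psexec_remote_exec", "lateral_tooling",
     re.compile(r"\bpsexe(?:c|svc)(?:64)?(?:\.exe)?\b", re.I)),
]
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(?:Temp|AppData|Downloads|ProgramData|Public)\\", re.I)

def evaluate_event(ev: dict) -> list[Finding]:
    """Apply the rules to one event and return zero or more findings."""
    hits = []
    if ev["event_type"] == "process_create":
        cmd = ev.get("command_line", "")
        for rule, category, pattern in COMMAND_RULES:
            if pattern.search(cmd):
                hits.append(Finding(ev["host"], ev["ts"], rule, category, cmd))
    elif ev["event_type"] == "registry_set" and RUN_KEY.search(ev.get("target_object", "")):
        # Installers write Run values all day; a Run value that points into a
        # user-writable directory is the variant worth escalating.
        rule = ("run_key_user_writable" if USER_WRITABLE.search(ev.get("details", ""))
                else "run_key_set")
        hits.append(Finding(ev["host"], ev["ts"], rule, "persistence", ev["target_object"]))
    return hits

def triage(events: list[dict]) -> dict[str, dict]:
    """Correlate per host: recovery inhibition alone, or two distinct categories
    together, is the pre-encryption sequence the article describes."""
    per_host: dict[str, list[Finding]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits = evaluate_event(ev)
        if hits:
            per_host[ev["host"]].extend(hits)
    report = {}
    for host, findings in per_host.items():
        cats = {f.category for f in findings}
        if "recovery_inhibit" in cats or len(cats) >= 2:
            risk = "high"
        elif any(f.rule == "run_key_user_writable" for f in findings):
            risk = "medium"
        else:
            risk = "low"
        report[host] = {"risk": risk, "categories": sorted(cats), "findings": findings}
    return report

# Constructed telemetry: one host showing the full sequence, one benign backup
# server, and one workstation with an ordinary vendor autostart entry.
SAMPLE_EVENTS = [
    {"ts": 98, "host": "WS-FIN-07", "event_type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"ts": 100, "host": "WS-FIN-07", "event_type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": 101, "host": "WS-FIN-07", "event_type": "process_create",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "command_line": r"bcdedit /set {default} recoveryenabled No"},
    {"ts": 105, "host": "WS-FIN-07", "event_type": "registry_set",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "details": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe"},
    {"ts": 900, "host": "SRV-BKP-01", "event_type": "process_create",
     "image": r"C:\Program Files\Backup\agent.exe",
     "command_line": r'schtasks /create /tn "BackupNightly" /sc daily /tr agent.exe'},
    {"ts": 950, "host": "WS-HR-03", "event_type": "registry_set",
     "image": r"C:\Program Files\Vendor\setup.exe",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},
]
```

Calling `triage(SAMPLE_EVENTS)` rates WS-FIN-07 high (three categories in seven seconds), leaves the nightly backup task unflagged, and rates the vendor autostart low.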
REvil’s Ransomware Engine Is Powered by a Custom Configuration File
Beneath its encryption logic and lateral movement capabilities, REvil ransomware operates through a highly structured JSON configuration—effectively a playbook that tells the malware exactly how to behave in a given environment. This configuration is embedded directly into the payload and parsed on execution, enabling precise control over every phase of the attack.
This level of control isn’t accidental—it’s what makes REvil so dangerous. The config is designed to give affiliates campaign-level customization, whether the goal is to encrypt, exfiltrate, wipe, or evade.
What’s Inside REvil’s Configuration File
Here are some of the most critical keys observed in analyzed REvil samples, along with how they influence attack behavior:
| Key | Purpose |
| --- | --- |
| dbg | Locale check that halts execution if the system language or keyboard layout matches a CIS country (e.g., Russian). A basic but effective evasion technique. |
| dmn | Lists one or more Command-and-Control (C2) domains used to report back to operators or exfiltrate data. |
| exp | Indicates whether to use local privilege escalation exploits (e.g., CVE-2018-8453). Helps gain SYSTEM-level access for broader file access and process killing. |
| fast | Enables a speed-optimized encryption mode. Useful when attackers want to impact more systems faster, especially across large file shares. |
| img | Sets a custom desktop wallpaper to reinforce the ransom demand post-encryption—often containing branding or payment instructions. |
| nbody | Stores the text content of the ransom note. Often includes instructions, a Tor portal address, and threats related to data exfiltration. |
| nname | Defines the name of the ransom note file dropped into each affected directory (e.g., README.txt). |
| net | Controls whether stolen data is exfiltrated to C2 servers before encryption. Used to enable double extortion attacks. |
| prc | Lists processes that should be terminated prior to encryption. Common targets include antivirus tools, backup agents, and database services. |
| wipe | Enables wiping of specific files or folders as part of an anti-recovery or data destruction tactic. |
| wfld | Defines folders to be wiped if wipe is enabled. Often includes backup directories or recovery volumes. |
| wht | Whitelist of file names, extensions, or paths that should be skipped during encryption. Helps avoid system instability or unintentional “bricking.” |
| pk | The public encryption key used to lock files. Each victim receives a unique payload with a unique key. |
| pid, sub | Tags used to track affiliate IDs and campaign variations—enabling REvil operators to manage revenue sharing. |
Built for Campaigns, Not Just Chaos
This structured config file serves two primary purposes:
- Affiliate Flexibility: REvil’s RaaS model means that different affiliates have different objectives. One might want fast encryption and no exfiltration (fast: true, net: false), while another could prioritize stealth, complete encryption, and public shaming. The configuration allows each instance to behave differently—despite sharing the same core payload.
- Stealth and Control: By allowing granular control over things like process termination, file exclusions, and encryption scope, the config file helps REvil evade detection, prevent system crashes, and avoid encrypting decoy or honeypot files. Its use of language checks (dbg) and behavioral toggles (wipe, exp, net) also signals a deliberate effort to stay beneath the radar of certain jurisdictions.
REvil’s configuration file is more than an instruction set—it’s a tactical toolkit. This is what gives the malware its agility in enterprise environments and its ability to adapt in real time to new defenses, tools, and incident response protocols.
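The key table above lends itself to a triage script. The following Python is an added example, not code from the article or from any sample: it parses a constructed REvil-style config using the table's key names, turns the toggles into risk flags, pivots the lists into hunting indicators, and diffs two affiliate builds to show the per-campaign variation described in the "Built for Campaigns" section. The ";"-separated string encoding, the nested wht layout, the required-key check and every value are assumptions.

```python
"""Triage a REvil-style JSON configuration into defender-facing outputs.
Added example, not code from the original article or from any malware sample.
Key names follow the article's table; the sample values, the ';'-separated
string encoding and the nested "wht" layout are constructed assumptions.
"""
import json
from dataclasses import dataclass, field

# Constructed sample: placeholder key, reserved example domains, invented process
# names (sqlservr.exe is the one name the article itself mentions).
SAMPLE_CONFIG = """{
  "pk": "CONSTRUCTED-PUBLIC-KEY-PLACEHOLDER",
  "pid": "affiliate-17", "sub": "campaign-03",
  "dbg": false, "exp": false, "fast": true, "net": true, "wipe": true,
  "wfld": ["backup", "shadow"],
  "wht": {"ext": ["exe", "dll", "sys"], "fld": ["windows", "program files"],
          "fls": ["ntldr", "boot.ini"]},
  "prc": "sqlservr.exe;msmdsrv.exe;veeamagent.exe;backupsvc.exe",
  "dmn": "c2-one.example;c2-two.example;c2-one.example",
  "nname": "RESTORE-FILES.txt",
  "nbody": "Your files are encrypted. Visit the portal listed below.",
  "img": "CONSTRUCTED-WALLPAPER-DATA"
}"""
# A second, quieter affiliate build of the same payload (constructed).
SAMPLE_CONFIG_B = {**json.loads(SAMPLE_CONFIG), "pid": "affiliate-22",
                   "fast": False, "net": False, "wipe": False}
_BOOL_KEYS = ("dbg", "exp", "fast", "net", "wipe")
_LIST_KEYS = ("prc", "dmn", "wfld")
_TEXT_KEYS = ("pid", "sub", "nname")

@dataclass
class ConfigTriage:
    affiliate: str
    campaign: str
    c2_domains: list[str]
    kill_list: list[str]
    wipe_folders: list[str]
    whitelist: dict[str, list[str]]
    note_name: str
    behaviours: dict[str, bool]
    risk_flags: list[str] = field(default_factory=list)

def _as_list(value) -> list[str]:
    """Accept a JSON list or a ';'-separated string; drop blanks."""
    if value is None:
        return []
    if isinstance(value, str):
        value = value.split(";")
    return [v.strip() for v in value if v and v.strip()]

def parse_config(text: str) -> dict:
    """Load the JSON and insist on the keys every build must carry (assumed set)."""
    cfg = json.loads(text)
    missing = [k for k in ("pk", "nname", "nbody") if k not in cfg]
    if missing:
        raise ValueError(f"config lacks required keys: {missing}")
    return cfg

def triage_config(cfg: dict) -> ConfigTriage:
    """Normalise the config and translate its toggles into attack outcomes."""
    behaviours = {k: bool(cfg.get(k, False)) for k in _BOOL_KEYS}
    wht = cfg.get("wht") or {}
    t = ConfigTriage(
        affiliate=str(cfg.get("pid", "")), campaign=str(cfg.get("sub", "")),
        c2_domains=sorted(set(_as_list(cfg.get("dmn")))),  # dedupe for blocklists
        kill_list=_as_list(cfg.get("prc")),
        wipe_folders=_as_list(cfg.get("wfld")),
        whitelist={k: _as_list(wht.get(k)) for k in ("ext", "fld", "fls")},
        note_name=cfg["nname"], behaviours=behaviours)
    if behaviours["net"]:
        t.risk_flags.append("double_extortion_exfil")
    if behaviours["exp"]:
        t.risk_flags.append("local_privilege_escalation")
    if behaviours["wipe"] and t.wipe_folders:
        t.risk_flags.append("destructive_wipe")
    if behaviours["fast"]:
        t.risk_flags.append("partial_encryption_large_files")
    return t

def hunting_indicators(t: ConfigTriage) -> dict[str, list[str]]:
    """Pivot the triage into lists a SOC can load directly into tooling."""
    return {"dns_block": t.c2_domains,
            "file_create_watch": [t.note_name],
            "process_termination_watch": t.kill_list,
            "folder_deletion_watch": t.wipe_folders,
            "extensions_left_intact": t.whitelist["ext"]}  # scopes recovery work

def _norm(key: str, value):
    if key in _BOOL_KEYS:
        return bool(value)
    if key in _LIST_KEYS:
        return tuple(sorted(_as_list(value)))
    return "" if value is None else str(value)

def diff_configs(a: dict, b: dict) -> dict[str, tuple]:
    """Show how two builds of the same payload differ in campaign settings."""
    out = {}
    for key in _TEXT_KEYS + _BOOL_KEYS + _LIST_KEYS:
        va, vb = _norm(key, a.get(key)), _norm(key, b.get(key))
        if va != vb:
            out[key] = (va, vb)
    return out
```

`diff_configs(json.loads(SAMPLE_CONFIG), SAMPLE_CONFIG_B)` reports only pid, fast, net and wipe, which is exactly the "same payload, different affiliate objectives" picture the section describes.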
How REvil Gets In: Common Initial Access Techniques Used by Affiliates
REvil ransomware doesn’t rely on a single method to breach enterprise environments. Instead, it leverages a multi-pronged initial access strategy, enabling affiliates to adapt to the specific defenses, misconfigurations, or vulnerabilities within each target. These infection vectors—ranging from traditional phishing to complex supply chain compromise—highlight REvil’s tactical flexibility and make it especially difficult to contain.
Phishing Campaigns with Weaponized Attachments or Links
REvil affiliates frequently initiate attacks through spear-phishing emails containing malicious attachments or links to remote payloads. These messages often impersonate internal departments (e.g., HR or IT), vendors, or trusted partners, and may deliver:
- Encrypted ZIP files or macros within Office documents
- Downloaders or droppers that initiate contact with external C2 servers
- Embedded payloads that exploit vulnerabilities or install additional malware (e.g., QakBot, TrickBot)
Once executed, the initial loader may download REvil directly or establish persistence for later deployment.
Exploiting Unpatched Vulnerabilities (CVE-Based Entry)
One of REvil’s most dangerous features is its use of known and zero-day vulnerabilities in enterprise-facing systems. Some of the most exploited CVEs include:
- Kaseya VSA (CVE-2021-30116): Enabled remote code execution through manipulated authentication logic.
- Citrix ADC/Gateway (CVE-2019-19781): Allowed arbitrary command execution on exposed appliances.
- Pulse Secure VPN (CVE-2019-11510 / CVE-2019-11539): Permitted credential harvesting and remote access.
- Fortinet FortiOS (CVE-2018-13379): Enabled unauthenticated access to sensitive system files and credentials.
These vulnerabilities were often weaponized in the wild before patch adoption, giving REvil affiliates access to high-value networks without user interaction.
Remote Desktop Protocol (RDP) and Credential-Based Attacks
REvil affiliates have historically targeted internet-exposed RDP endpoints, often using:
- Brute-force attacks against weak or default credentials
- Credential stuffing from leaked databases
- NTLM hash reuse from prior compromises
Once authenticated, attackers disable logging, create persistence mechanisms, and deploy REvil manually or through living-off-the-land binaries like PsExec or PowerShell.
Poorly secured RDP remains a common weak point, especially in smaller enterprise branches and MSPs.
Supply Chain Infiltration: The Kaseya VSA Breach
Perhaps the most devastating REvil campaign to date was the Kaseya VSA supply chain attack. In July 2021, REvil affiliates compromised Kaseya’s update mechanism, deploying ransomware via:
- A malicious fake update pushed to VSA servers
- Downstream infections to over 1,500 businesses using Kaseya’s software
- Automated execution of REvil payloads through agent scripts
This incident demonstrated how REvil could amplify its reach exponentially by compromising upstream software providers, especially those serving MSPs or IT management platforms.
Trojanized Hotfixes and Fake Software Updates
Beyond high-profile supply chain attacks, REvil has also been delivered through malicious software disguised as system patches or hotfixes. In these cases:
- Payloads are packaged as Windows updates or security tools
- Victims are tricked into executing them manually via phishing or impersonation
- Alternatively, they are silently deployed via hijacked update mechanisms
These tactics exploit user trust in update notifications and IT communications—especially when the payload is signed or masquerades as legitimate software.
REvil ransomware’s initial access methods reflect its professional-grade tooling and affiliate flexibility. Whether it’s exploiting unpatched CVEs, social engineering through phishing, or hijacking trusted supply chains, REvil affiliates are well-equipped to bypass perimeter defenses and pivot deep into enterprise networks.
What Happens After REvil Ransomware Gets In: Tools and Techniques for Lateral Movement
Once inside a network, REvil affiliates don’t immediately launch the ransomware payload. Instead, they conduct structured reconnaissance, elevate privileges, and move laterally across systems to maximize damage and identify valuable data. This post-exploitation phase leverages a mix of off-the-shelf admin tools, repurposed malware frameworks, and native Windows functionality—making detection difficult without deep visibility.
Here’s how a REvil ransomware attack spreads and escalates within compromised environments.
REvil Ransomware Uses Living-Off-the-Land Tools to Blend In
Rather than relying solely on custom malware, REvil affiliates frequently use legitimate system administration tools to avoid detection:
- PsExec (Sysinternals): Used to execute remote commands or deploy payloads across machines with administrative access.
- PowerShell: Executes scripts for enumeration, privilege escalation, persistence, or antivirus evasion.
- Windows Management Instrumentation (WMI): Harvests system and user data or facilitates lateral movement without triggering obvious alerts.
- RDP: Frequently used post-access for hands-on intrusion, especially after brute-forcing credentials.
These tools are commonly allowed in enterprise environments and often overlooked by traditional signature-based antivirus, giving REvil stealth and reach.
Cobalt Strike, QakBot, and TrickBot Extend REvil Ransomware’s Capabilities
In many cases, REvil is not the first payload to arrive. Instead, the attack begins with malware loaders or penetration testing frameworks designed to stage the environment:
- QakBot (Qbot) and TrickBot: These modular banking trojans and loaders establish backdoors, harvest credentials, and deploy additional payloads—including REvil.
- Cobalt Strike: A legitimate red-teaming tool repurposed by threat actors to gain shell access, move laterally, and maintain persistence. REvil affiliates often use cracked or pirated versions.
These frameworks make REvil attacks multi-stage and highly adaptable, allowing attackers to fine-tune their approach based on the network’s defenses and layout.
Credential Dumping and Token Abuse for Escalation
Privilege escalation is a key phase before encryption. REvil affiliates typically aim for DOMAIN ADMIN or SYSTEM-level access using techniques such as:
- LSASS memory scraping with tools like Mimikatz to harvest plaintext passwords and NTLM hashes.
- Token impersonation to access sensitive systems using stolen session credentials.
- Pass-the-Hash (PtH) or Pass-the-Ticket (PtT) attacks in Active Directory environments.
With escalated privileges, attackers can disable EDR solutions, manipulate backups, and ensure widespread deployment of the ransomware payload.
Data Exfiltration Tools Like FileZilla Enable Double Extortion
REvil’s double extortion model hinges on data exfiltration prior to encryption. Affiliates commonly use:
- FileZilla: A lightweight FTP client used to upload sensitive documents to attacker-controlled servers.
- Rclone or custom scripts: For bulk data transfer to cloud storage or self-hosted C2 infrastructure.
- WinSCP: Another GUI-based file transfer utility often run in headless or silent mode.
This data is then weaponized to increase pressure during negotiations—often posted or previewed on REvil’s dark web leak site (known as the Happy Blog).
Lateral Movement Prepares the Network for Maximum Impact
Before launching the final payload, REvil affiliates perform aggressive lateral movement to reach file servers, databases, and backup repositories:
- Network shares are scanned for sensitive data or unprotected endpoints.
- Admin credentials are used to propagate the ransomware manually or via scripts.
- Remote access software (TeamViewer, AnyDesk) may be installed for persistent control.
This lateral expansion phase is often invisible to users and sometimes lasts days or weeks—allowing attackers to coordinate encryption across hundreds or thousands of systems in one synchronized detonation.
REvil ransomware’s post-access strategy is deliberate, multi-layered, and difficult to stop once it’s in motion. By combining commodity malware, built-in Windows tools, and enterprise knowledge, affiliates achieve maximum coverage and control before encryption even begins.
What Happens During a REvil Ransomware Attack: Execution, Impact, and Disruption at Scale
Once inside the network, REvil ransomware (also known as Sodinokibi) operates with ruthless precision. By the time files begin to encrypt, the groundwork has already been laid: credentials stolen, backups disabled, and data quietly exfiltrated. This is not smash-and-grab malware. It’s the final stage of a planned, high-impact campaign designed to maximize leverage and force ransom payment—not just through encryption, but public exposure.
Here’s how a Sodinokibi ransomware attack unfolds during its execution phase.
REvil Doesn’t Just Encrypt Files—It Steals Them First
At the core of REvil’s strategy is double extortion ransomware. Before any encryption occurs, the malware scans the victim’s environment for high-value files:
- Sensitive data (contracts, PII, financials)
- Intellectual property or internal communications
- Customer data, source code, or legal documents
This data is quietly exfiltrated using FTP clients or custom scripts and uploaded to attacker-controlled infrastructure. Victims are then warned: pay up, or your data will be published—usually on REvil’s notorious leak portal known as the Happy Blog, hosted on the dark web.
This gives attackers enormous leverage. Even if a company has reliable backups, the threat of public exposure—regulatory fines, customer attrition, reputational damage—often forces payment.
File Discovery and Smart Encryption Mechanics
Once exfiltration is complete, REvil ransomware begins encrypting files across targeted systems. The malware is tuned for both speed and precision:
- Files are filtered by type, size, or location. Documents, spreadsheets, databases, and archives are prime targets.
- System-critical files (e.g., .dll, .sys) and directories are skipped to avoid bricking machines.
- Some variants use fast mode encryption (partial encryption of large files) to disrupt operations more quickly.
Notably, Sodinokibi ransomware is designed to exclude systems in Russia and CIS nations. Language and locale checks embedded in the payload cause the malware to self-terminate if it detects a Russian keyboard or system language—reinforcing the theory that REvil operators are Russian-speaking or operating with implicit regional protections.
Customized Ransom Note Delivery and Payment Infrastructure
Once encryption is complete, REvil drops a ransom note in every affected directory, often named README.txt or using a custom filename configured in the JSON payload.
Each note includes:
- A unique victim ID
- A Tor-based portal URL for negotiation
- Payment instructions (usually in Monero, a privacy-centric cryptocurrency)
- Deadlines and escalating threats—such as auctioning stolen data
REvil’s dark web portal includes live chat functionality, allowing attackers to negotiate directly with victims or their incident response teams. Victims are sometimes offered decryptor samples or discounts for early payment, but non-compliance is often met with escalating pressure—including contacting media outlets or customers.
Public Shaming on Leak Sites and Media Pressure Campaigns
REvil ransomware’s psychological impact is just as strategic as its technical execution. If a victim refuses to pay:
- Their stolen data may be published or auctioned on the Happy Blog.
- The company’s name, logo, and sample files are listed publicly as proof.
- In some cases, attackers directly contact customers, employees, or journalists, amplifying the pressure to comply.
This ransomware leak site model, pioneered by Sodinokibi and a few others, transformed the economics of ransomware. It turns encryption from a disruption into an existential threat—forcing organizations to weigh the risk of long-term reputational and legal damage against ransom payments.
Who REvil Ransomware Targets and Why: A Look into Its Victim Profile and Targeting Strategy
The REvil ransomware campaign—also known as Sodinokibi ransomware—was never about indiscriminate attacks. From the outset, REvil’s affiliate-driven model focused on strategic victim selection: organizations with deep pockets, valuable data, and a low tolerance for operational disruption. This “big-game hunting” approach allowed affiliates to demand—and often receive—multi-million-dollar ransoms while creating ripple effects across entire industries.
REvil Ransomware Went After the Right Targets, Not Just Any Targets
Unlike spray-and-pray ransomware campaigns, REvil focused on high-value enterprise environments where disruption would be costly and visible. Affiliates were encouraged to pursue:
- Managed Service Providers (MSPs) – Breaching one MSP could yield access to dozens or hundreds of client networks.
- Healthcare providers – Hospitals and clinics are time-sensitive, data-rich, and often poorly defended.
- Financial institutions – Banks, fintech platforms, and insurance companies are lucrative and often under intense compliance pressure.
- Legal, IT, and consulting firms – Organizations that handle sensitive client data, intellectual property, and proprietary documentation.
- Critical infrastructure operators – Including manufacturers, logistics firms, and energy companies whose downtime affects large sectors.
These REvil ransomware targets were often hand-picked following weeks of reconnaissance, credential theft, or vulnerability scanning. Affiliates chose them not only for ransom potential but for their likelihood to pay—due to data sensitivity, service-level obligations, or cyber insurance coverage.
Geopolitical Boundaries Were Built into the Malware
REvil’s code includes built-in safeguards to avoid infecting systems in Russia and former Soviet states (Commonwealth of Independent States or CIS). This is not uncommon among Russian-speaking cybercrime groups, as targeting domestic systems often draws unwanted attention from local authorities.
Localization checks within the REvil payload search for:
- Russian keyboard layouts (ru-RU)
- System locales associated with CIS countries
- Installed language packs
If a match is found, the ransomware self-terminates, avoiding encryption entirely. This selective targeting strategy suggests a clear intent to focus attacks on Western organizations while sidestepping regional political friction.
Sodinokibi Ransomware Attacks Didn’t Discriminate by Size—Only by Impact
While large enterprises were frequent targets, small and mid-sized businesses (SMBs) were far from immune. In particular:
- Companies with weak IT controls, exposed RDP ports, or unpatched software
- Organizations relying on MSPs (who became indirect targets)
- Victims of supply chain breaches (e.g., Kaseya VSA customers)
In many cases, REvil ransomware attacks impacted dozens or hundreds of companies simultaneously—not through direct compromise, but via an upstream supplier or third-party tool.
One striking example: the 2021 Kaseya attack infected more than 1,500 downstream businesses, many of them SMBs, through a single software update mechanism. It showcased how REvil could weaponize trust relationships for scale—regardless of company size.
The Role of Affiliates in Target Selection
REvil’s RaaS model placed much of the targeting responsibility in the hands of affiliates. While core operators provided the encryption engine, back-end infrastructure, and payment portals, affiliates handled:
- Victim discovery and profiling
- Credential harvesting and vulnerability exploitation
- Payload deployment and lateral movement
This affiliate structure introduced operational variability. Some affiliates were sophisticated actors using zero-day exploits; others relied on phishing kits or leaked credentials. As a result, REvil campaigns ranged from targeted intrusions to opportunistic breaches.
Still, the common thread was clear: maximize pressure, maximize payout. Whether through data theft, critical disruption, or reputational damage, REvil affiliates knew exactly how to make ransomware feel existential.
How REvil Ransomware Gang Was Dismantled: The Takedown, Arrests, and Lingering Threats
After two years of high-profile attacks and escalating ransom demands, the REvil ransomware operation—also known as Sodinokibi ransomware—came under direct pressure from international law enforcement. What followed was a rare, coordinated push to disrupt one of the most dangerous ransomware-as-a-service (RaaS) ecosystems the cybersecurity world had ever seen.
While REvil’s infrastructure was eventually dismantled, its techniques, code, and affiliates continue to influence the threat landscape.
Global Law Enforcement Coordinated to Take Down REvil Ransomware Gang
In late 2021 and early 2022, REvil’s infrastructure came under attack—not from cybersecurity vendors, but from multinational law enforcement agencies. This included coordinated efforts by:
- The U.S. Department of Justice (DOJ)
- The FBI
- Europol
- Cybercrime divisions in Germany, France, and South Korea
- Russia’s FSB, which played a surprising and rare role in the operation
The FBI reportedly gained access to one of REvil ransomware’s Tor servers, collecting decryption keys and intelligence on the group’s operations. Shortly after, authorities began seizing servers, arresting affiliates, and shutting down access to REvil’s dark web portals—including the group’s leak site, known as the Happy Blog.
This marked one of the most aggressive international responses to a ransomware operation in history.
Key Affiliates Were Arrested—and the Money Was Tracked
Multiple arrests followed across several jurisdictions:
- A 22-year-old REvil affiliate was arrested in Poland at the request of U.S. prosecutors.
- Romanian authorities detained two more operators involved in Sodinokibi deployments.
- The FSB arrested 14 individuals in Russia, reportedly seizing more than $6 million in cryptocurrency, luxury cars, and dozens of digital wallets tied to ransomware transactions.
These arrests not only disrupted operations, but also sent a clear message: financial anonymity in ransomware is not absolute. Chain analysis and blockchain forensics tools continue to improve, enabling agencies to track illicit crypto flows across wallets and exchanges.
A Universal REvil Ransomware Decryptor Helped Victims Recover
In parallel with the takedown efforts, the cybersecurity firm Bitdefender, working with law enforcement, released a universal REvil decryptor. This tool was developed using keys obtained during the FBI’s covert access to REvil servers and allowed thousands of victims to recover their encrypted data without paying ransom.
This development was a rare win in the fight against ransomware—a technical and operational setback for REvil and a financial loss for its remaining affiliates.
But REvil Ransomware’s Code Lives on Through Copycats and Successor Groups
Although the Sodinokibi ransomware infrastructure was dismantled, its codebase has resurfaced in other ransomware families. Analysts have observed variants that:
- Use REvil’s encryption logic and configuration schema
- Mimic the same command-line interface and payload customization
- Retain similar ransom note formatting and Tor-based payment portals
Some researchers suggest that REvil’s original developers—or experienced affiliates—have rebranded under new names or joined other active ransomware groups. The tactics, techniques, and procedures (TTPs) pioneered by REvil now serve as a blueprint for newer operations like BlackMatter, DarkSide, and Alphv/BlackCat.
As a result, defenders should remain vigilant. Even if REvil is “dead,” its legacy is alive in the tools and playbooks of current threat actors.
How to Prevent Data Loss in a REvil Ransomware Attack: Air-Gapped and Immutable Backups, and Automated Protection
When it comes to ransomware like REvil (Sodinokibi), the question is no longer if an attack will happen—but when. Given REvil’s reputation for data encryption, exfiltration, and double extortion, the most effective defense is not detection alone—it’s resilient, isolated, and recoverable data. That means adopting a backup and disaster recovery (DR) strategy that attackers can’t see, reach, or alter.
Air-Gapped and Immutable Backups Are the Gold Standard
In a typical REvil ransomware attack, one of the first objectives after gaining access is to disable or encrypt existing backups. This eliminates a company’s ability to restore systems without paying the ransom. To counter this, two technologies are critical:
- Air-Gapped Backups: These are backups that are completely isolated from the production environment—either physically (offline) or logically (disconnected over time or via network segmentation). REvil ransomware can’t encrypt what it can’t reach.
- Immutable Storage: Even if an attacker does reach a backup volume, immutability ensures the data can’t be altered, deleted, or encrypted for a fixed retention period. This protection is enforced at the storage layer, beyond the control of admin credentials or malware.
When implemented together, air-gapping and immutability form a ransomware-proof safety net—ensuring recovery is always possible without negotiating with criminals.
Automation Is Not Optional—It’s a Requirement
REvil ransomware gang affiliates operate quickly. In some cases, files are exfiltrated and encrypted within hours of initial access. Manual backup workflows are no match for this speed. To defend against sophisticated ransomware attacks, automation is key:
- Scheduled, policy-based backups ensure regular recovery points without human error.
- Automated air-gapping reduces exposure windows between backup jobs and vaulting.
- Real-time immutability enforcement guarantees that even insiders or compromised credentials can’t tamper with backup sets.
With automation in place, enterprises can reduce RTO/RPO to hours or minutes—minimizing downtime and eliminating the pressure to pay ransoms.
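The two sections above describe a logically air-gapped vault, storage-layer immutability for a fixed retention period, and an RPO target. The following Python model is an added illustration and not StoneFly product code; the WormVault class, its `connected` flag, `retention` parameter and `within_rpo` check are hypothetical names constructed for this example:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

class ImmutabilityError(PermissionError):
    """A write or delete would violate the retention lock."""

@dataclass(frozen=True)
class Snapshot:
    name: str
    taken_at: datetime
    payload: bytes
    retain_until: datetime

class WormVault:
    """Constructed model of an air-gapped, immutable backup vault (not a real product API).

    Writes are accepted only while a scheduled backup window is open (logical
    air-gap); snapshots are write-once and undeletable before retain_until,
    regardless of the caller's privilege level (storage-layer immutability).
    """

    def __init__(self, retention: timedelta):
        self.retention = retention
        self._snapshots: dict[str, Snapshot] = {}
        self.connected = False  # False == logically disconnected from production

    def write(self, name: str, payload: bytes, now: datetime) -> Snapshot:
        if not self.connected:
            raise ConnectionError("vault is air-gapped outside the backup window")
        if name in self._snapshots:
            raise ImmutabilityError(f"{name} already exists; snapshots are write-once")
        snap = Snapshot(name, now, bytes(payload), now + self.retention)
        self._snapshots[name] = snap
        return snap

    def delete(self, name: str, now: datetime, is_admin: bool = False) -> None:
        # Retention is enforced by the storage layer: an admin flag (for example from
        # stolen credentials) does not shorten the lock, so is_admin is deliberately ignored.
        snap = self._snapshots[name]
        if now < snap.retain_until:
            raise ImmutabilityError(f"{name} is locked until {snap.retain_until.isoformat()}")
        del self._snapshots[name]

    def latest_restore_point(self) -> "Snapshot | None":
        return max(self._snapshots.values(), key=lambda s: s.taken_at, default=None)

    def within_rpo(self, now: datetime, rpo: timedelta) -> bool:
        """True when a restore point no older than the recovery point objective exists."""
        latest = self.latest_restore_point()
        return latest is not None and now - latest.taken_at <= rpo
```

A scheduler would flip `connected` on only for the duration of each backup job and call `within_rpo` as a health check; a false result means the recovery objective is already breached before any incident occurs.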
Why StoneFly Delivers the Industry’s Strongest Ransomware Defense
StoneFly is the only vendor on the market offering a backup and disaster recovery solution with a fully integrated, patented Air-Gapped Vault® that is both:
- Physically or logically air-gapped
- Immutable at the storage and backup policy level
This combination is designed specifically to protect against ransomware like REvil/Sodinokibi, which targets backups as a first priority. StoneFly’s solution includes:
- Automated air-gap enforcement with scheduling, snapshots, and vaulting
- Write-once, read-many (WORM) immutability
- Support for all major platforms and cloud targets
- Rapid recovery from ransomware without data loss or payment
Whether deployed on-prem, in hybrid clouds, or in the StoneFly private cloud, this approach ensures that even if your network is compromised, your backups are not.
Conclusion
REvil ransomware may have been disrupted, but its tactics—and its successors—aren’t going anywhere. The most effective defense isn’t just about stopping the breach, but ensuring your data is untouchable, unchangeable, and always recoverable.
StoneFly’s air-gapped and immutable backup and disaster recovery solution is the only one on the market with a built-in, patented Air-Gapped Vault that attackers can’t reach or modify.
Stop ransomware from turning into downtime, lost revenue, or data loss.
Schedule a demo with StoneFly and see how to make your backups ransomware-proof—before it’s too late.