From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

REvil (Ransomware Evil; also known as Sodinokibi) is a private ransomware-as-a-service (RaaS) operation.[1] After an attack, REvil would threaten to publish the infomation on their blog 'Happy Blog' unless the ransom is received. The ransomware code used by REvil resembles ransomware software used by DarkSide, a different hacking group. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products.


REvil recruits affiliates to distribute the ransomware for them. As part of this arrangement, the affiliates and ransomware developers split revenue generated from ransom payments.[2] It is difficult to pinpoint their exact location, but they are thought to be based in Russia due to the fact that the group does not target Russian organizations, or those in former Soviet-bloc countries.[3]

Cybersecurity experts believe REvil is an offshoot from a previous notorious, but now-defunct hacker gang, GandCrab.[4] This is suspected due to the fact that REvil first became active directly after GandCrab shutdown, and that the ransomware both share a significant amount of code.



As part of the criminal cybergang's operations, they are known for stealing nearly one terabyte of information from the law firm Grubman Shire Meiselas & Sacks and demanding a ransom to not publish it.[5][6][7] The group had attempted to extort other companies and public figures as well.

In May 2020 they demanded $42 million from US president Donald Trump.[8][9] The group claimed to have done this by deciphering the elliptic-curve cryptography that the firm used to protect its data.[10] According to an interview with an alleged member, they found a buyer for Trump information, but this cannot be confirmed.[11] In the same interview, the member claimed that they would bring in $100 million in ransoms in 2020.

On 16 May 2020, the group released legal documents totaling a size of 2.4 GB related to the singer Lady Gaga.[12] The following day they released 169 "harmless" e-mails which referred to Donald Trump or contained the word 'trump'.[13]

They were planning on selling Madonna's information,[14] but eventually reneged.[15]



On 27 March 2021, REvil attacked Harris Federation and published multiple financial documents of the federation to its blog. As a result, the IT systems of the federation were shut down for some weeks, affecting up to 37,000 students.[16]

On 18 March 2021, an REvil affiliate claimed on their data leak site that they had downloaded data from multinational hardware and electronics corporation Acer, as well as installing ransomware, which has been linked to the 2021 Microsoft Exchange Server data breach by cybersecurity firm Advanced Intel, which found first signs of Acer servers being targeted from 5 March 2021. A US$50 million ransom was demanded to decrypt the undisclosed number of systems and for the downloaded files to be deleted, increasing to US$100 million if not paid by 28 March 2021.[17]


In April 2021, REvil stole plans for upcoming Apple products from Quanta Computer which is said to include plans for a pair of Apple laptops, a new Apple Watch and a new Lenovo ThinkPad. REvil threatened to release the plans publicly unless they receive $50 million.[18][19]


On 30 May, JBS S.A. was attacked by a ransomware. A few days later, the White House announced that REvil may be responsible for the JBS S.A. cyberattack. The FBI confirmed the connection on a follow-up statement on Twitter.[20] JBS paid a $11 million ransom in Bitcoin to REvil behind an attack that forced the shutdown last week of all the company’s U.S. beef plants and disrupted operations at poultry and pork plants.


  1. ^ "McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service - The All-Stars". McAfee Blogs. 2019-10-02. Retrieved 2020-10-07.
  2. ^ "Sodinokibi Ransomware: Following the Affiliate Money Trail". BleepingComputer. Retrieved 2020-10-07.
  3. ^ Saarinen, Juha (January 29, 2020). "No let up on REvil ransomware-as-a-service attacks". it news.
  4. ^ Vijayan, Jai (September 25, 2019). "GandCrab Developers Behind Destructive REvil Ransomware". DARKReading.
  5. ^ Cimpanu, Catalin. "Ransomware gang asks $42m from NY law firm, threatens to leak dirt on Trump". ZDNet. Retrieved 2020-05-17.
  6. ^ Winder, Davey. "Hackers Publish First 169 Trump 'Dirty Laundry' Emails After Being Branded Cyber-Terrorists". Forbes. Retrieved 2020-05-17.
  7. ^ Sykes, Tom (2020-05-15). "'REvil' Hackers Double Their Allen Grubman Ransom Demand To $42m, Threaten To Dump Donald Trump Dirt". The Daily Beast. Retrieved 2020-05-17.
  8. ^ "Criminal group that hacked law firm threatens to release Trump documents". NBC News. Retrieved 2020-05-17.
  9. ^ Adler, Dan. "What Do These Hackers Have On Trump, and Why Would Allen Grubman Pay to Suppress It?". Vanity Fair. Retrieved 2020-05-17.
  10. ^ "Forbes".
  11. ^ Seals, Tara (October 29, 2020). "REvil Gang Promises a Big Video-Game Hit; Maze Gang Shuts Down". threatpost.
  12. ^ Dazed (2020-05-16). "Hackers have leaked Lady Gaga's legal documents". Dazed. Retrieved 2020-05-17.
  13. ^ Winder, Davey. "Hackers Publish First 169 Trump 'Dirty Laundry' Emails After Being Branded Cyber-Terrorists". Forbes. Retrieved 2020-05-17.
  14. ^ Coble, Sarah (2020-05-19). "REvil to Auction Stolen Madonna Data". Infosecurity Magazine. Retrieved 2020-07-17.
  15. ^ Coble, Sarah (2020-09-23). "Thieves Fail to Auction Bruce Springsteen's Legal Documents". Infosecurity Magazine. Retrieved 2020-12-10.
  16. ^ "Evidence suggests REvil behind Harris Federation ransomware attack". IT PRO. Retrieved 2021-04-30.
  17. ^ "Computer giant Acer hit by $50 million ransomware attack". BleepingComputer. 19 March 2021. Retrieved 2021-03-20.
  18. ^ "Ransomware hackers steal plans for upcoming Apple products". the Guardian. 2021-04-22. Retrieved 2021-04-22.
  19. ^ "A Notorious Ransomware Gang Claims to Have Stolen Apple's Product Designs". Gizmodo. Retrieved 2021-04-22.
  20. ^ "FBI Statement on JBS Cyberattack". Twitter. 2021-06-02. Retrieved 2021-06-03.