What is REvil ransomware?

Who or what is REvil?

“REvil” is the name of a “ransomware-as-a-service” operation in which a core group of hackers create and maintain a powerful piece of malware that they can distribute to other hackers – for a price. Lower criminals called “affiliates” can then use this malware to launch dangerous attacks.

In REvil’s case, the core team would demand a 40% cut for offering their versatile ransomware and support. However, researchers later discovered that the core team had left a backdoor in the ransomware that would allow them to chat with the victim and arrange a ransom payment while bypassing the affiliate attacker.

Some reports use the name REvil to refer to a criminal operation allegedly disrupted by the Russian FSB in early 2022. Indeed, many analysts believe that the group maintaining REvil is also Russian-speaking and Russia-based. However, it appears that the group arrested in Russia were probably affiliates. They may have been significant, as their disruption did have an impact on global attack frequency, but the attacks haven’t gone away entirely.

How does REvil work?

At its core, REvil works like most other ransomware. After getting onto the victim’s device, it encrypts their files with a key that only the hackers have. With the victim at their mercy, they can then demand a ransom for the victim to get their files back.

REvil, however, has caught analysts’ attention for two reason:

1. Brazen attacks: REvil and its affiliates have been attacking high-profile targets and getting away with significant ransoms. Some of their most significant targets included:

   • Lady Gaga;
   • A law firm working for Donald Trump;
   • Acer;
   • Apple;
   • JBS (a major US meat producer that wound up paying an $11 million USD ransom);
   • Kaseya (a major business service provider whose attack affected thousands of companies);
   • HX5 (a space- and weapon-tech contractor that works with the US Army, Navy, Air Force and NASA);

   Again, these aren’t all of the attacks, only some of the biggest or most visible ones.

2. Effectiveness: In addition to being widely distributed and used, the ransomware is also quite successful. As has been the case in other ransomware-as-a-service situations, the malware has been adapted to different significant targets or delivered as the payload of a complex attack, improving its chances of success.

What happened to REvil?

It isn’t yet fully clear whether REvil attacks have subsided. However, a number of significant members of the core group were arrested following several significant international law enforcement operations. The group’s operations have been declawed in other ways as well.

• In September 2021, Bitdefender published a decryption key that allowed companies hit by REvil malware before a certain date to decrypt their files and avoid paying a ransom.
• In October 2021, an internationally coordinated attack took many of the group’s servers and backup servers offline.
• In November 2021, international law enforcement cooperation led to the arrests of 7 people linked to REvil and a similar ransomware group;
• In January 2022, Russian law enforcement arrested the group’s members and seized their assets.

In addition to having an impact on REvil attacks specifically, researchers have observed cooling interest in other ransomware and hacker groups as well. A number of key members of other groups have left, presumably fearing the repercussions of international legal scrutiny.