REvil / Sodinokibi Ransomware: Threat Actor Profile
REvil (Sodinokibi) defined the big-game-hunting ransomware era of 2019-2021, culminating in the Kaseya and JBS attacks and $700M+ in ransom demands before a multinational takedown. A full threat-actor profile.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.
REvil, also known as Sodinokibi, became the emblematic 'big-game hunting' ransomware brand of 2019–2021. Descended from the GandCrab operation, it ran an affiliate ransomware-as-a-service (RaaS) model, culminating in the JBS Foods and Kaseya attacks that triggered a multinational law-enforcement response.
REvil: at a glance
- Aliases: Sodinokibi, Sodin, REvil (descended from the GandCrab lineage)
- Country / affiliation: Russian-speaking cybercriminal ecosystem
- Assessed status (as of July 2026): Brand largely inactive
- Primary objectives: Pure criminal extortion through affiliate-run RaaS and double extortion
- Financial destruction / gain: >$700 million in ransom demands tied to the conspiracy charged by the DOJ; one affiliate participated in more than 2,500 attacks
- Type: ransomware-as-a-service (RaaS) (double-extortion ransomware)
Who is REvil?
The U.S. DOJ said one conspiracy participant used REvil in more than 2,500 attacks and demanded over $700 million in ransom. By 2026 the brand is best assessed as largely inactive, though later code reuse and short-lived revival claims muddied the picture.
Aliases and attribution
REvil operated within the Russian-speaking cybercrime ecosystem as a classic ransomware-as-a-service operator, renting its ransomware to affiliates who carried out the intrusions. Attribution to specific individuals came through arrests and a 2021–2022 Russian crackdown; Unit 42 later documented possible revival claims and code reuse, complicating any clean 'defunct' label.
Financial impact and damage
The DOJ tied the REvil conspiracy to more than $700 million in ransom demands. The July 2021 Kaseya attack exploited a vulnerability in the Kaseya VSA platform in a supply-chain attack that pushed ransomware to thousands of downstream businesses at once, and the JBS meat-processing attack reportedly ended in an $11 million payment. REvil's affiliate model and GandCrab lineage shaped much of today's ransomware landscape.
REvil timeline
- 2019: REvil / Sodinokibi emerges from the GandCrab lineage
- 2020: Big-game hunting accelerates against large enterprises
- 2021: JBS and Kaseya watershed campaigns; infrastructure forced offline
- 2022: Brief revival claims and arrests in Russia
- 2026: Brand assessed as largely inactive / defunct
Notable attacks and campaigns
The Kaseya VSA attack (July 2021) was a landmark supply-chain ransomware event, hitting managed service providers and their clients simultaneously. The JBS attack disrupted a major portion of North American meat processing. Both put ransomware on national-security agendas and drew a coordinated international takedown.
Tactics, techniques, and procedures (TTPs)
The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.
- T1134.001 / .002 — Access Token Manipulation: MITRE notes REvil can steal the token of the user that launched explorer.exe and relaunch itself with admin rights via runas. Alert on token theft and unexpected runas child-process trees.
- T1490 — Inhibit System Recovery: REvil consistently deletes backups and shadow copies before encryption. Alert on vssadmin, wbadmin, and bcdedit shadow-copy deletion at scale.
- T1486 — Data Encrypted for Impact: REvil's model was encryption plus leak-site extortion, as the Kaseya campaign showed at scale. Block lateral movement paths and watch for sudden multi-host encryption bursts.
Detection and defense against REvil
REvil's playbook — steal, delete backups, then encrypt — is shared by most modern RaaS, so its defenses generalize:
- Protect the backup plane and alert on mass shadow-copy deletion (vssadmin, wbadmin, bcdedit).
- Harden and monitor remote-management platforms (RMM/MSP tooling) that enable supply-chain reach.
- Segment networks to block lateral movement and sudden multi-host encryption.
- Detect exfiltration-before-encryption and archive staging as early-warning signals.
- Patch internet-facing systems fast and enforce MFA on remote access.
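The T1490 and T1134 detections above, and the backup-plane alerting in the list, as an added example that is not part of the original profile: it tags constructed Sysmon-style process-creation events with the two techniques and escalates a host once more than one recovery-inhibition tool fires there. The event shape, the expected runas parents and the escalation threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a Sysmon Event ID 1 style; not real telemetry.
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws01", "parent": "cmd.exe", "image": "wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "ws01", "parent": "cmd.exe", "image": "bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "fs02", "parent": "backupagent.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin list shadows"},  # benign: lists, does not delete
    {"host": "ws03", "parent": "update.exe", "image": "runas.exe",
     "cmdline": 'runas /user:Administrator "C:\\Users\\Public\\update.exe"'},
]

# T1490: the recovery-inhibition commands the profile calls out (vssadmin, wbadmin, bcdedit).
T1490_PATTERNS = {
    "vssadmin": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "wbadmin": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "bcdedit": re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I),
}
# T1134: runas from an interactive shell is routine; from anything else it is an unexpected child.
EXPECTED_RUNAS_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}  # assumed baseline
ESCALATE_AT = 2  # distinct recovery-inhibition tools on one host counts as "at scale"

def recovery_tools(cmdline):
    """Names of the recovery-inhibition tools invoked by a command line (T1490)."""
    return {name for name, pat in T1490_PATTERNS.items() if pat.search(cmdline)}

def classify(event):
    """Return the ATT&CK technique IDs a single event matches (possibly empty)."""
    tags = []
    if recovery_tools(event["cmdline"]):
        tags.append("T1490")
    if event["image"].lower() == "runas.exe" and event["parent"].lower() not in EXPECTED_RUNAS_PARENTS:
        tags.append("T1134")
    return tags

def detect(events):
    """Tag events and escalate hosts where several recovery-inhibition tools fire together."""
    alerts, tools_per_host = [], defaultdict(set)
    for ev in events:
        tags = classify(ev)
        if tags:
            alerts.append((ev["host"], tags, ev["cmdline"]))
        tools_per_host[ev["host"]] |= recovery_tools(ev["cmdline"])
    escalated = sorted(h for h, tools in tools_per_host.items() if len(tools) >= ESCALATE_AT)
    return {"alerts": alerts, "escalated_hosts": escalated}
```

Running `detect(EVENTS)` flags the three ws01 commands and the ws03 runas spawn, escalates ws01 only, and leaves the backup agent's read-only `vssadmin list shadows` on fs02 untouched.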
The bottom line
REvil defined the big-game ransomware era; even with its brand disrupted, its GandCrab lineage and affiliate model live on in today's RaaS ecosystem. See how REvil ranks among the most dangerous threat actors, and track its latest activity on our live threat intelligence feed, aggregated from dozens of authoritative sources.
Frequently asked questions
What is REvil ransomware?
REvil (also called Sodinokibi) was a Russian-speaking ransomware-as-a-service operation active from 2019 to 2021, known for big-game hunting and the Kaseya and JBS supply-chain attacks.
How much money did REvil make?
The U.S. DOJ tied the REvil conspiracy to more than $700 million in ransom demands across 2,500+ attacks. Individual payments included a reported $11 million from JBS.
Is REvil still active?
No — the brand is largely inactive after 2021-2022 arrests and takedowns, though researchers have documented code reuse and short-lived revival claims that complicate a clean 'defunct' label.
What was the Kaseya attack?
In July 2021, REvil exploited a vulnerability in the Kaseya VSA remote-management platform to push ransomware to thousands of downstream businesses through managed service providers — a landmark supply-chain ransomware attack.
Primary sources & further reading
This guide is reviewed and fact-checked against authoritative primary sources: