No, that’s not a typo.
REvil ransomware might look and sound strange, but it’s a common weapon used by cybercriminals to target unsuspecting businesses, steal sensitive data, and extort money from companies. Many businesses fear falling victim to a REvil ransomware attack—and for good reason.
So, what is REvil ransomware, exactly? Let’s take a look.
REvil (short for “Ransomware Evil”), also known as Sodin and Sodinokibi, is a criminal ransomware-as-a-service (RaaS) operation that rose to prominence in 2019. In the RaaS model, a core group develops and maintains the ransomware and its payment infrastructure, while separate groups, known as affiliates, break into victim networks and deploy it in exchange for a share of each ransom. Researchers and security firms have linked REvil’s code to GandCrab, another RaaS operation that was prolific in 2018 and whose operators announced they were shutting down in 2019, around the time REvil appeared.
REvil gained notoriety for exfiltrating sensitive data from victim systems before encrypting them, then demanding large payments both for the decryption key and for not publishing what was stolen (so-called double extortion). It has been actively promoted on cybercrime forums as the best choice for attacking business networks, which is where the largest payouts are.
REvil scales its ransom demands to the annual revenue of the targeted organization. Reported demands have ranged from $1,500 to $42 million, with the operators asking for as much as 9% of a victim’s yearly revenue. In 2020, IBM researchers estimated REvil’s profits for the year at nearly $81 million.
Now that you have an understanding of REvil as a group, what is REvil ransomware?
REvil ransomware is the encryption payload itself: once executed on a machine it encrypts the files it can reach and drops a ransom note. The note explains that the ransom must be paid in Bitcoin and that the demand doubles if the deadline passes. A countdown timer indicates when the stolen data will be made public, adding pressure on the victim organization.
If the demands are not met, REvil threatens to publish or auction the stolen data on its leak site, “The Happy Blog”. The site lists recent victims and posts a sample of each victim’s data as proof that the information was actually taken.
REvil is deployed in human-operated ransomware campaigns rather than by automated, self-spreading infection. After gaining initial access, the operators map the network, move laterally to other internal systems, escalate to domain administrator privileges, and only then push the ransomware to as many machines as possible at once to maximize impact. Encryption is therefore the last step of an intrusion that may have been under way for days or weeks, and those earlier stages are where defenders have the most opportunity to detect it.
REvil is commonly delivered through phishing emails. Before encrypting, it terminates processes on the infected machine that would hold files open or interfere with encryption, such as email and database servers, Microsoft Office applications, browsers, and backup agents. It also deletes Windows Volume Shadow Copies and other local backups so that files cannot simply be restored from a snapshot.
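The pre-encryption behaviours above (destroying local recovery points and stopping the services that hold important files) show up in process-creation telemetry and are worth alerting on before any file is touched. The following is an added example, not REvil’s code or code from the original article: a small Go detector run over constructed process-creation records in a made-up key=value format (real sources would be Sysmon Event ID 1 or Security Event ID 4688). The sample command lines are constructed to be typical of ransomware generally, not copied from any REvil sample, and the host and image names are invented.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// ProcessEvent is the subset of a Windows process-creation record that the
// rules below use.
type ProcessEvent struct {
	Host        string
	ParentImage string
	CommandLine string
}

// Finding is one rule hit on one event.
type Finding struct {
	Host, Rule, CommandLine string
}

// Each rule is a case-insensitive pattern over the command line. The patterns
// are loose on purpose so that argument reordering still matches.
var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"shadow-copy-deletion", regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+delete\s+shadows`)},
	{"shadow-copy-deletion", regexp.MustCompile(`(?i)wmic(\.exe)?\s+shadowcopy\s+delete`)},
	{"shadow-copy-deletion", regexp.MustCompile(`(?i)win32_shadowcopy.*\.delete\(`)},
	{"backup-or-db-service-stop", regexp.MustCompile(`(?i)\bnet1?(\.exe)?\s+stop\s+"?(mssql|sql|veeam|backup|exchange)`)},
}

// SampleLog is constructed for this example (invented hosts and paths); the
// "vssadmin list shadows" line is a benign control that must not fire.
const SampleLog = `host=WS-042 parent=C:\Users\alice\AppData\Local\Temp\invoice.exe cmd="cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"
host=WS-042 parent=C:\Users\alice\AppData\Local\Temp\invoice.exe cmd="net stop VeeamBackupSvc /y"
host=SRV-DB1 parent=C:\Windows\System32\cmd.exe cmd="vssadmin list shadows"
host=SRV-DB1 parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
host=WS-017 parent=C:\Windows\explorer.exe cmd="wmic.exe shadowcopy delete /nointeractive"`

var kvRe = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|(\S+))`)

// ParseEvent reads one key=value line; values with spaces are double-quoted.
func ParseEvent(line string) (ProcessEvent, error) {
	var ev ProcessEvent
	for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
		val := m[2]
		if val == "" {
			val = m[3]
		}
		switch m[1] {
		case "host":
			ev.Host = val
		case "parent":
			ev.ParentImage = val
		case "cmd":
			ev.CommandLine = val
		}
	}
	if ev.Host == "" || ev.CommandLine == "" {
		return ev, fmt.Errorf("malformed event: %q", line)
	}
	return ev, nil
}

// ParseLog splits a multi-line log into events, failing on the first bad line.
func ParseLog(raw string) ([]ProcessEvent, error) {
	var events []ProcessEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		ev, err := ParseEvent(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return events, nil
}

// Evaluate applies every rule to every event and returns all hits.
func Evaluate(events []ProcessEvent) []Finding {
	var out []Finding
	for _, ev := range events {
		for _, r := range rules {
			if r.re.MatchString(ev.CommandLine) {
				out = append(out, Finding{ev.Host, r.name, ev.CommandLine})
			}
		}
	}
	return out
}

// HostsToIsolate returns, sorted, every host with a shadow-copy-deletion hit.
// Deleting shadow copies has almost no legitimate reason to run on a
// workstation and typically precedes encryption by seconds, so it is treated
// as a page-the-on-call signal rather than a score contribution.
func HostsToIsolate(findings []Finding) []string {
	seen := map[string]bool{}
	for _, f := range findings {
		if f.Rule == "shadow-copy-deletion" {
			seen[f.Host] = true
		}
	}
	hosts := make([]string, 0, len(seen))
	for h := range seen {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	return hosts
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	findings := Evaluate(events)
	for _, f := range findings {
		fmt.Printf("%-8s %-26s %s\n", f.Host, f.Rule, f.CommandLine)
	}
	fmt.Println("isolate:", HostsToIsolate(findings))
}
```

Running it reports four findings (three shadow-copy deletions on three hosts and one backup-service stop) and leaves the `vssadmin list shadows` line alone. The service-stop rule is intentionally kept out of the isolation decision: stopping a database service is something administrators do, whereas deleting every shadow copy is not.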
REvil is notable among ransomware families for its use of Elliptic-Curve Diffie-Hellman (ECDH) key exchange. The operators’ public key is embedded in the malware; on each victim the ransomware generates fresh key pairs, derives the symmetric keys used for the bulk file encryption from an ECDH exchange with that embedded public key, and discards its own private half. The keys needed to decrypt therefore never exist on the victim’s machine in usable form and can only be reconstructed with the private key the operators hold offline. Elliptic-curve keys are also short and cheap to compute with, which lets the malware perform this exchange on every file without slowing encryption down; it is the key-management design, not the short key length, that makes recovery without paying infeasible.
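To make the key-management point concrete, here is an added example, written for this article and not taken from REvil or from the original page: a minimal hybrid scheme in Go that mirrors the structure described above. It uses X25519 from Go’s standard library for the ECDH step and substitutes AES-GCM with a SHA-256-derived key for the bulk encryption; REvil’s actual stream cipher and key derivation are not reproduced. Function names, the file layout and the sample contents are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what the victim is left with: ciphertext plus the public
// half of a throwaway key pair. Nothing in it is secret, and nothing in it is
// sufficient to decrypt.
type EncryptedFile struct {
	EphemeralPub []byte // 32-byte X25519 public key kept in the file header
	Nonce        []byte
	Ciphertext   []byte
}

// GenerateOperatorKey stands in for the key pair the operators create once,
// offline. Only its public half is ever embedded in the malware.
func GenerateOperatorKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// deriveKey maps the raw ECDH shared secret to a 256-bit symmetric key.
// Assumption for this example: plain SHA-256 of the shared secret. A real
// design would use a proper KDF such as HKDF.
func deriveKey(shared []byte) []byte {
	k := sha256.Sum256(shared)
	return k[:]
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile is the per-file step on the victim: make a fresh X25519 pair,
// agree a secret with the operators' public key, encrypt, keep only the
// ephemeral public key, and let the ephemeral private key go out of scope.
// After this returns, the decryption key exists nowhere on the victim's machine.
func EncryptFile(operatorPub *ecdh.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &EncryptedFile{
		EphemeralPub: eph.PublicKey().Bytes(),
		Nonce:        nonce,
		Ciphertext:   aead.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// DecryptFile is what the operators' decryptor does after payment: the same
// shared secret falls out of ECDH(operatorPriv, ephemeralPub). With any other
// private key the derived AES key is wrong and GCM authentication fails.
func DecryptFile(operatorPriv *ecdh.PrivateKey, f *EncryptedFile) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(f.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, f.Nonce, f.Ciphertext, nil)
}

func main() {
	operator, _ := GenerateOperatorKey()
	embeddedPub := operator.PublicKey() // all the malware would carry

	// Constructed sample file contents.
	enc, err := EncryptFile(embeddedPub, []byte("Q3 payroll.xlsx contents"))
	if err != nil {
		panic(err)
	}

	// A defender who recovers the binary and the file has embeddedPub and enc,
	// nothing more. Any key other than the operators' own fails to open it.
	someoneElse, _ := GenerateOperatorKey()
	if _, err := DecryptFile(someoneElse, enc); err != nil {
		fmt.Println("without the operators' private key:", err)
	}
	pt, _ := DecryptFile(operator, enc)
	fmt.Printf("with it: %s\n", pt)
}
```

The practical consequence for incident response is that memory forensics or reverse engineering of the sample yields the embedded public key and nothing else of use; the only recovery paths are backups that the malware could not reach or a private key obtained from the operators.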
Wondering how to protect yourself and your web assets from REvil ransomware? Here are a few security measures to keep in mind:
Now that you have an understanding of what REvil ransomware is, learn more about protecting your web assets and defending against cybercriminals. Read “What is Ransomware?” to discover how hackers hold sites hostage—and which four steps can help ensure yours isn't one.