REvil
Russian ransomware-as-a-service operation derived from GandCrab in April 2019. Conducted the 2021 Kaseya VSA supply-chain compromise (~1,500 downstream victims via 60 MSPs), the JBS Foods $11M ransom, and the Colonial Pipeline-era spike of double-extortion. The operation went dark in mid-July 2021 following intense U.S. pressure, briefly returned in September 2021, and was decisively disrupted on 14 January 2022 when Russia's FSB announced raids and arrests of 14 REvil members at the U.S. government's request — the first and last such cooperation.
Aliases
Motivations
Target sectors
Target countries
Diamond Model
Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.
MITRE ATT&CK techniques
Tools & malware
Timeline
- Sanction · High · 2022-01-14 · Federal Security Service of the Russian Federation
Russia's FSB announces arrest of 14 REvil members at U.S. request
Russia's Federal Security Service announced raids across 25 addresses, the arrest of 14 individuals identified as REvil members, and the seizure of 426 million roubles, $600,000, €500,000, cryptocurrency wallets, 20 luxury vehicles, and computer hardware. The FSB stated the action was taken at the request of the U.S. government — the first and last such public ransomware-takedown cooperation. Russia subsequently withdrew the cases after the February 2022 invasion of Ukraine.
Tags: takedown, ransomware, russia, arrest
- Compromise · Critical · 2021-07-02 · CISA
REvil Kaseya VSA supply-chain ransomware compromise
REvil affiliates exploited a zero-day authentication bypass in Kaseya's VSA RMM platform (CVE-2021-30116) and pushed a malicious update to ~60 managed service providers, encrypting an estimated 1,500 downstream customer networks in a single weekend. REvil initially demanded a $70M lump-sum decryptor; Kaseya later obtained a universal decryptor key from an undisclosed source. The operation triggered the U.S. pressure that led to REvil's mid-July 2021 disappearance and to the FSB's January 2022 arrest of 14 alleged members.
Tags: supply-chain, msp, ransomware, zero-day
Indicators of compromise
| Type | Value | First seen | Source |
|---|---|---|---|
| Name | family · REvil: malware family the DOJ identified by name in the November 8, 2021 unsealed indictment of Ukrainian national Yaroslav Vasinskyi as the payload deployed through the Kaseya VSA agent on July 2, 2021. Vasinskyi was sentenced on May 1, 2024 to 13 years 7 months and $16M restitution. | Jul 1, 2021 | DOJ |
| Name | family · REvil: Sodinokibi/REvil encryptor DLL side-loaded by a renamed MsMpEng.exe in the July 2, 2021 Kaseya VSA supply-chain compromise. Vasinskyi was indicted on Nov. 8, 2021 by the DOJ for deploying this code through Kaseya's auto-update channel to roughly 1,500 downstream customers. | Jul 1, 2021 | DOJ |
Related actors
Actors with shared ATT&CK techniques:
- RU · Russia · 8Base (3 shared techniques)
- ?? · Unknown · Akira (3 shared techniques)
- ?? · Unknown · ALPHV/BlackCat (3 shared techniques)
- RU · Russia · DarkSide (3 shared techniques)
- ?? · Unknown · Hive (3 shared techniques)
- RU · Russia · INC Ransom (3 shared techniques)
References
Threat Intel Tracker. (2026-05-19). REvil — actor profile. Retrieved from https://threatintel.local/actors/revil