REvil (also called Sodinokibi) was a Russian-speaking ransomware-as-a-service (RaaS) operation that emerged in April 2019, widely viewed as a successor to the GandCrab group. Under the RaaS model, REvil's core developers licensed their ransomware to affiliates, who carried out intrusions and split proceeds — typically with affiliates keeping the larger share. The group pioneered "double extortion," encrypting victim data while also exfiltrating it and threatening publication on a leak site known as the Happy Blog.
REvil was linked to several of the most consequential ransomware incidents on record:
- Travelex (December 2019 – January 2020), forcing the foreign-exchange firm offline during the holiday season.
- JBS Foods (May 2021), the world's largest meat processor, which disclosed paying roughly $11 million in Bitcoin to restore operations.
- Kaseya VSA (July 2021), a supply-chain attack exploiting a zero-day in Kaseya's remote-management software that propagated ransomware to an estimated 1,500 downstream businesses across multiple countries.
The Kaseya incident drew direct attention from the White House, with President Joe Biden raising ransomware with President Vladimir Putin at their June 2021 Geneva summit and in a subsequent July call. In mid-July 2021, REvil's infrastructure abruptly went dark. The group briefly resurfaced in September 2021 before a multinational law-enforcement operation, reported to involve the FBI and U.S. Cyber Command, took its Tor sites offline in October 2021.
In January 2022, Russia's Federal Security Service (FSB) announced arrests of alleged REvil members at the request of U.S. authorities — an unusual instance of Russian cooperation that largely stalled after the February 2022 invasion of Ukraine. The U.S. Department of Justice separately indicted Ukrainian national Yaroslav Vasinskyi, who was extradited and in 2024 sentenced to over 13 years in prison for his role in the Kaseya attack.
REvil is frequently cited in policy debates over ransom payment bans, cryptocurrency tracing, and the limits of cyber diplomacy with Moscow.
Example
In July 2021, REvil affiliates exploited a zero-day in Kaseya's VSA software to deploy ransomware to roughly 1,500 downstream businesses, prompting President Biden to press President Putin on ransomware safe havens.
Frequently asked questions
No. Its infrastructure was taken offline in October 2021 by a multinational law-enforcement operation, and Russia's FSB announced arrests of alleged members in January 2022. No credible successor branded as REvil has operated since, though some affiliates likely migrated to other ransomware groups.
Keep learning