REvil/Sodinokibi Ransomware Group Profile
Breach Summary
REvil — also known as Sodinokibi — was the dominant ransomware threat of 2019-2021, responsible for attacks on JBS Foods, Kaseya VSA, Acer, and dozens of other high-profile organizations. The group pioneered aggressive extortion tactics and operated the most professionally organized ransomware-as-a-service platform of its era. REvil was disrupted twice by law enforcement — in mid-2021 and early 2022 — when the US, Russia, and allies coordinated arrests of multiple members.
What Happened
REvil emerged in 2019 as the successor to GandCrab ransomware. By 2020-2021, REvil was the most active ransomware group globally. Major attacks included JBS Foods (May 2021, $11M ransom), Kaseya VSA (July 2021, $70M demanded), and Acer (March 2021, $50M demanded). REvil temporarily went offline in July 2021 following the Kaseya attack and US government pressure, returned in September 2021, then disappeared again. In January 2022, Russian authorities arrested 14 alleged REvil members following cooperation with US law enforcement — a historically unprecedented Russian action against ransomware operators on Russian soil.
Attack Vector Detail
REvil operated as a Ransomware-as-a-Service platform providing ransomware code, infrastructure, and negotiation support to affiliates. Initial access techniques varied by affiliate but commonly included RDP exploitation, vulnerability exploitation in remote access tools and VPNs, and purchasing access from Initial Access Brokers. REvil introduced several innovations: threatening to contact journalists and stock exchanges about attacks on public companies, establishing auction models for stolen data, and operating a professional 'Happy Blog' announcing victims and publishing data for non-payers.
Breach Pattern Timeline
April 2019
REvil/Sodinokibi ransomware emerges as the successor to GandCrab (which announced its retirement in mid-2019). A Russia-aligned ransomware-as-a-service operation; code analysis and operational links suggest direct continuity with the GandCrab developers.
2019-2020
REvil establishes the 'Happy Blog' dark web data leak site to support double extortion. Conducts attacks against Travelex, Quanta Computer (Apple supplier), Acer, and many others.
April-May 2021
REvil deploys ransomware against Quanta Computer (Apple supplier) and JBS Foods (May 30, $11M ransom), followed by the Kaseya VSA supply chain attack (July 2; roughly 1,500 businesses affected, $70M demand).
July 13, 2021
REvil's dark web infrastructure goes offline following the Kaseya attack and intense law enforcement and international pressure. The group disappears from public communications.
September 2021
REvil reappears under same brand, but with diminished trust from affiliates. Several former affiliates report being scammed out of payments by REvil operators (revealed via internal disputes).
October 2021
Multinational law enforcement operation — coordinated by FBI, DOJ, Europol, Romanian authorities, and others — successfully infiltrates REvil's infrastructure. FBI obtains REvil decryption keys including Kaseya universal decryptor.
November 2021
U.S. DOJ unseals indictment of Yaroslav Vasinskyi and Yevgeniy Polyanin for REvil/Kaseya attacks. Romanian authorities arrest two REvil affiliates.
January 14, 2022
Russian FSB announces arrest of 14 alleged REvil members in Russia at U.S. request — extraordinary cooperation that briefly raised hopes for U.S.-Russia ransomware cooperation. Cooperation collapses with Russian invasion of Ukraine in February.
2022-2024
Vasinskyi extradited to the U.S. in May 2023; pleaded guilty in 2024. REvil brand permanently disrupted. Former REvil affiliates migrate to other operations, including BlackCat/ALPHV.
2024-2026
REvil case becomes foundational precedent for: (1) Russian law enforcement cooperation against ransomware (and its limits), (2) FBI decryption key recovery as alternative to ransom payment, (3) ransomware operator-affiliate trust dynamics.
Total impact: An estimated 1,000+ victims and $200M+ in ransom payments during the 2019-2021 peak of operations. The JBS Foods ($11M) and Kaseya ($70M demanded) ransoms were among the largest in history at the time. The case set a foundational precedent for FBI decryption key recovery and for Russian law enforcement cooperation against ransomware operators.
Executive Lessons
REvil established the ransomware-as-a-service business model that defined the threat landscape through 2021–2022. The group's success demonstrated that ransomware operations could be industrialized, franchised, and scaled beyond what any single threat actor could achieve. For PE sponsors, the RaaS model means that the technical sophistication of the affiliate executing an attack may be far lower than the malware itself — meaning even unsophisticated attackers can deploy enterprise-grade ransomware.
Private Equity Implications
REvil's targeting of managed service providers — most dramatically illustrated by the Kaseya attack — is a direct concern for PE portfolio companies that depend on MSPs for IT management. The attack demonstrated that MSP RMM platforms hold extraordinary privileges across customer environments and therefore represent high-value targets: a single compromised platform can reach every customer it manages. PE sponsors should require MSP security assessments and contractual security standards for all portfolio company MSP relationships.