REvil, also known as Sodinokibi or Sodin, was for two years the most aggressive, most public, and most lucrative ransomware operation in the world. It pioneered double extortion alongside Maze, popularised supply-chain attacks, ran auctions for stolen data, and threatened to leak Donald Trump’s personal documents. It is also the operation whose members’ abrupt arrest by Russia’s FSB in early 2022 briefly suggested a fundamental shift in the geopolitics of ransomware.
Origins and lineage
REvil emerged in April 2019, picking up where the GandCrab operation had left off. GandCrab had run a successful RaaS from January 2018 to mid-2019, claiming to have extracted over $2 billion before announcing a public "retirement." Reverse engineering of REvil’s locker found multiple code overlaps with GandCrab. Most researchers concluded that GandCrab had not retired so much as rebranded, with key personnel and infrastructure rolling into the new operation.
The early REvil malware was a polished, modular Windows locker with a clean affiliate panel and a comparatively professional public profile. The operation rapidly recruited high-skill affiliates and within a year was rivalling Maze and Ryuk for the top of the leaderboard.
The "Happy Blog" and the auction model
REvil’s leak site, "Happy Blog," was distinctive both for its presentation and for innovations such as a built-in auction model, which let the operators monetise stolen data even when victims refused to pay, by selling it to other criminals or competitors. The auctions were largely a publicity stunt that produced few recorded sales, but they generated extensive media coverage and signalled an operator that wanted to be talked about.
The public face of REvil was a forum operator using the handle Unknown (and later UNKN), who gave several interviews to Russian-language outlets. He bragged about revenue, openly mocked law enforcement, and was unusually candid about targeting choices.
Notable attacks
REvil’s victim list reads like a tour of strategically chosen high-leverage targets:
- Travelex (December 2019), which paid an estimated $2.3 million.
- Brown-Forman (Jack Daniel’s parent), with terabytes of internal documents stolen.
- Grubman Shire Meiselas & Sacks (May 2020), the entertainment law firm, with stolen data from Madonna, Lady Gaga, Bruce Springsteen, and many others. The operators publicly threatened to release Trump-related documents and demanded $42 million.
- Acer (March 2021), hit with a $50 million ransom demand, a record at the time.
- Quanta Computer (April 2021), with stolen Apple product schematics that the operators tried to use to extort Apple directly.
- JBS Foods (May 2021), the world’s largest meat processor, which paid $11 million.
- Kaseya VSA (July 2021), a supply-chain compromise that exploited a zero-day in the Kaseya remote management platform to push ransomware to roughly 1,500 downstream victims of managed service providers in a single weekend.
Kaseya was the operation’s high-water mark and, in retrospect, its peak. The scale and brazenness of the supply-chain attack triggered an extraordinary US response, including a direct warning from President Biden to Vladimir Putin.
The first disappearance
On 13 July 2021, days after the Kaseya attack, REvil’s entire infrastructure (leak site, payment portals, support chat) went dark. The disappearance was unannounced. Some affiliates were left with active negotiations and no platform on which to complete payment. Several explanations circulated: a US government takedown, a voluntary retreat under heat, or pressure from Russia.
In September 2021 the operation reappeared. Researchers at Bitdefender released a universal decryptor for victims hit before the disappearance, made possible by intelligence partnerships with law enforcement. By October the FBI confirmed it had been inside REvil’s infrastructure and had supported a multinational operation that took some of it offline. By the end of October, REvil had gone dark again, this time more permanently.
The FSB arrests
In January 2022, in an unusual public statement, Russia’s Federal Security Service (FSB) announced it had arrested 14 members of REvil at the request of US authorities, seizing rubles, dollars, euros, and luxury cars. It was the first time Russia had publicly cooperated against a ransomware operation. The timing, weeks before Russia’s full-scale invasion of Ukraine, suggested it was a goodwill gesture made for diplomatic reasons, and the cooperation evaporated almost immediately afterward. Several of the arrested individuals were later released or never tried in any meaningful way; one, Yaroslav Vasinskyi, was extradited to the US and pleaded guilty in 2024.
The legacy
A REvil-branded leak site briefly reappeared in mid-2022, almost certainly a low-grade rebrand by remnant affiliates. It produced little credible victim activity. The original operation was effectively done.
But REvil’s influence is everywhere. The double-extortion model, the auction mechanism, and the supply-chain compromise as a force multiplier all became standard features of subsequent operations. Many of the affiliates rolled into BlackCat/ALPHV, where REvil veterans helped seed another wave of high-profile attacks. The Russian state’s stance on ransomware operators (selectively useful, deniable, ultimately tolerated) is the same posture that keeps current operations safe today.
REvil is the case study for how a single ransomware brand can shape the ecosystem far beyond its operational lifetime. The brand is gone. The playbook it wrote is still in active use.
