
Malware

S0496

REvil

Type

Ransomware

Associated threat actors

GOLD SOUTHFIELD, Pinchy Spider, Ransomware-as-a-Service affiliates

Key Capabilities

Encrypts files using Salsa20. Steals data for double extortion. Terminates security processes. Deletes volume shadow copies.

OS Targeted

Windows

IoCs on Maltiverse

Maltiverse provides updated IoCs for easy SIEM/SOAR/Firewall/EDR integration.

What Is REvil?

REvil (S0496), also known as Sodinokibi, is a ransomware strain that emerged in April 2019, shortly before the GandCrab operation shut down. It gained global attention for its file encryption scheme (Salsa20 with per-file keys, protected by a Curve25519 key exchange so that files cannot be recovered without the operators' private key) and for its role in large campaigns, including the Kaseya VSA software supply chain attack of July 2021.

The malware operated under a Ransomware-as-a-Service (RaaS) model. Affiliates typically gained access to victim networks through exploit kits, compromised Remote Desktop Protocol (RDP) credentials, phishing campaigns, or exploitation of vulnerabilities in internet-facing software, as in the Kaseya incident. Once inside, REvil moved quickly: before encrypting, it terminated running applications that held files open and killed or stopped security tools so that encryption could proceed uninterrupted.

Like many advanced strains, REvil deleted volume shadow copies to prevent easy restoration, typically by running vssadmin to delete all shadows and bcdedit to disable Windows recovery on the default boot entry. Attackers relied heavily on double extortion: they stole valuable company data before encrypting local files and threatened to publish it on a public leak site if the ransom was not paid.

Although the REvil software was highly destructive, the core operation was dismantled in January 2022, when Russia's FSB announced the arrest of members and the seizure of their infrastructure. The primary cartel is defunct, but the malware's source code and Indicators of Compromise (IoCs) continue to surface in attacks, so its tradecraft remains relevant to defenders.

How to Defend Against REvil?

Defending against REvil requires robust access controls, offline data redundancy, and continuous network monitoring.

  • Secure remote access: Attackers often enter the network with compromised RDP credentials. Enforce Multi-Factor Authentication (MFA) on every remote access path, keep RDP off the public internet (reach it only through a VPN or gateway), and use Lumu Discover to control your attack surface.
  • Maintain offline backups: REvil destroys local backups and shadow copies, so a backup the malware can reach is not a backup. Keep critical data offline or in immutable storage, and test restores regularly so recovery does not depend on paying a ransom.
  • Deploy endpoint detection: Monitor devices for suspicious administrative activity. Flag any process that terminates security software (for example taskkill or net stop aimed at an EDR or antivirus process) or deletes shadow copies (vssadmin delete shadows, wmic shadowcopy delete, bcdedit disabling recovery). These commands are rare in normal administration and almost always precede encryption.
  • Use network detection (NDR): Use tools like Lumu Defender to identify unauthorized data exfiltration. Detect the network beacons that affiliates use to establish access before encryption begins; exfiltration for double extortion happens days before the ransom note appears, so this is the window in which the attack can still be stopped.
  • Integrate threat intelligence: Use platforms like Lumu Maltiverse to stay updated on the latest REvil indicators and block access to malicious domains.
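The endpoint checks in the list above, as an added example that is not Lumu's code or anything from the REvil sample: a small Python detector run over constructed process-creation records (Sysmon Event ID 1 flattened to key=value fields, a format assumed here for illustration). It flags shadow copy deletion via vssadmin, wmic and bcdedit, flags termination of security tooling against a hypothetical watchlist of process and service names, and escalates any host that shows more than one distinct precursor. The watchlist, host names and command lines are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry), one process creation per line,
# flattened to key=value fields separated by '|'. Lines 1-3 and 5-6 are REvil-style
# precursors; line 4 is a benign "vssadmin list" and line 7 is ordinary user activity.
SAMPLE_LOGS = [
    "host=WS01|user=CORP\\jdoe|image=C:\\Windows\\System32\\vssadmin.exe|cmd=vssadmin.exe delete shadows /all /quiet",
    "host=WS01|user=CORP\\jdoe|image=C:\\Windows\\System32\\wbem\\WMIC.exe|cmd=wmic shadowcopy delete",
    "host=WS01|user=CORP\\jdoe|image=C:\\Windows\\System32\\bcdedit.exe|cmd=bcdedit /set {default} recoveryenabled No",
    "host=WS02|user=CORP\\svc_backup|image=C:\\Windows\\System32\\vssadmin.exe|cmd=vssadmin list shadows",
    "host=WS03|user=CORP\\admin|image=C:\\Windows\\System32\\taskkill.exe|cmd=taskkill /F /IM MsMpEng.exe",
    "host=WS03|user=CORP\\admin|image=C:\\Windows\\System32\\net.exe|cmd=net stop \"Sophos AutoUpdate Service\" /y",
    "host=WS04|user=CORP\\alice|image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|cmd=WINWORD.EXE /n",
]

# Hypothetical watchlist of security product processes and service-name keywords.
# Replace with the EDR/AV actually deployed; these names are illustrative assumptions.
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "sophosav.exe", "cbdefense.exe"}
SECURITY_SERVICE_KEYWORDS = ("sophos", "windefend", "mcafee", "crowdstrike", "sense")

# Command-line rules for backup destruction. Each matches the destructive verb,
# not merely the binary, so "vssadmin list shadows" stays silent.
RULES = [
    ("shadow_copy_delete_vssadmin", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_delete_wmic", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_disabled_bcdedit", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]


def parse_event(line):
    """Split a flattened 'k=v|k=v' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def security_tool_kill(cmd):
    """Return a reason string if cmd terminates a watched security process or service, else None."""
    m = re.search(r"\btaskkill(?:\.exe)?\b.*?/IM\s+(\S+)", cmd, re.I)
    if m and m.group(1).lower() in SECURITY_PROCESSES:
        return f"taskkill of {m.group(1)}"
    m = re.search(r"\bnet(?:\.exe)?\s+stop\s+\"?([^\"/]+)", cmd, re.I)
    if m and any(k in m.group(1).lower() for k in SECURITY_SERVICE_KEYWORDS):
        return f"service stop of {m.group(1).strip()}"
    return None


def detect(lines):
    """Run every rule over every event; return one alert dict per match."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmd", "")
        base = {"host": ev.get("host"), "user": ev.get("user"), "cmd": cmd}
        for name, rx in RULES:
            if rx.search(cmd):
                alerts.append({**base, "rule": name})
        reason = security_tool_kill(cmd)
        if reason:
            alerts.append({**base, "rule": "security_tool_termination", "detail": reason})
    return alerts


def escalate(alerts):
    """Hosts showing two or more distinct precursor rules: treat as active ransomware staging."""
    rules_by_host = defaultdict(set)
    for a in alerts:
        rules_by_host[a["host"]].add(a["rule"])
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= 2)


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"{a['host']:5} {a['rule']:30} {a['cmd']}")
    print("escalate:", escalate(found))
```

The distinction between a benign `vssadmin list shadows` and `vssadmin delete shadows` matters: alerting on the binary alone buries analysts in backup-job noise, while matching the destructive verb keeps the rule both precise and hard to avoid, since REvil needs that verb to do its job. Escalation on a host with several distinct precursors is where an automated response (network isolation through the EDR, or blocking the host's egress) is justified.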
