REvil is a ransomware-as-a-service (RaaS) operation that has extorted large amounts of money from organizations worldwide over the past year. Its name stands for Ransomware Evil and was inspired by the Resident Evil movie series. According to recent reports from security firms, it is the most widespread ransomware threat and the group behind it doubles down on its extortion efforts by also stealing business data and threatening to release it.
REvil, also known as Sodinokibi, first appeared in April 2019 and rose to prominence after another RaaS gang called GandCrab shut down its service. In the early days of REvil, researchers and security firms identified it as a strain of GandCrab, or at least established multiple links between the two. An alleged member of the group, using the handle Unknown, confirmed in a recent interview that the ransomware was not a new creation and that it was built on top of an older codebase that the group acquired.
Developers behind RaaS operations rely on other cybercriminals known as affiliates to distribute the ransomware for them. In fact, ransomware developers earn between 20% and 30% of the illegal proceeds, with the rest going to the affiliates who do the legwork of gaining access to corporate networks and deploying the malware.
The more successful a RaaS operation is, the more likely it is to attract skilled affiliates, and if one operation closes, affiliates quickly shift to a different one. This happened with GandCrab in the past and more recently with the Maze group, whose members announced their retirement earlier this month and whose affiliates promptly moved to a new ransomware family called Egregor, also known as Sekhmet.