How REvil Works: A Look Inside the World’s Most Famous Ransomware-as-a-Service

Ransomware as a Service REvilWith well-known companies impacted by REvil in every sector, including tech, it’s time to get a better understanding of who they are and what makes their ransomware so successful.

According to ransomware response company Coveware, REvil/Sodinkibi have the largest market share of ransomware variants earlier this year. This isn’t surprising, considering how well they’ve evolved their Ransomware-as-a-Service model.

Remember, REvil likely isn’t the threat actors attacking a given organization; they’re just the manufacturers of the tools used with their “affiliates” doing the threat acting.

How do REvil Threat Actors Gain Access?

Security researchers at Palo Alto Networks found a variety of initial attack vectors, including:

  • Phishing – malicious attachments resulted in the installation of QakBot or Ursnif malware
  • RDP – Using compromised credentials via an Internet-facing system (it’s unsure whether these are a result of a brute force attack or previously compromised)
  • Vulnerabilities – Palo Alto offer a few examples they’ve seen in the wild including a vulnerability in SonicWall and one in Exchange.

Coveware found the very same methods, with phishing, RDP access, and Vulnerabilities representing the initial attack vector in well over 95% of the cases they saw.

Next Up, Persistence

According to Palo Alto, a combination of Cobalt Strike BEACON, use of remote connection software ScreenConnect and AnyDesk, and the creation of local and domain accounts provide REvil threat actors with persistent access to the victim network. Tools like Mimikatz and Procdump are used to find elevated credentials used for the infection phase.


Everything from legitimate tools like NETSTAT and IPCONFIG, to tools like BloodHound and AdFind to map out systems.


Many cases of infection are accomplished using the legitimate tool PsExec and a text file-based list of internal IP addresses. It’s also been noted that encryption usually happens within 7 days of initial compromise but, in some cases, took as long as 23 days.

What To Do About REvil?

These attacks are now textbook runs being carried out by individuals with no real expertise in threat acting; the plethora of tools and playbooks available enables REvil’s Ransomware-as-a-Service model to not just exist, but thrive.

Your response to REvil (and every other ransomware variant) is to look for ways to minimize the initial attack threat surface:

  • Phishing – Implement email scanning, DNS protection, and Security Awareness Training
  • RDP – Shut ‘em down. Use a secure remote access solution!
  • Vulnerabilities – Patch, perform vulnerability scans, and monitor systems for unusual access and activity.

Free Ransomware Simulator Tool

Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4’s "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 24 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

RansIm-Monitor3Here's how it works:

  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 25 types of infection scenarios
  • Just download the install and run it 
  • Results in a few minutes!

Get RanSim!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Topics: Ransomware

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews