REvil’s Ransomware Success Formula: Constant Innovation

Affiliate-Driven Approach and Regular Malware Refinements Are Key, Experts Say

Sodinokibi/REvil ransom note (Source: Malwarebytes)

Just as cloud services have taken the business world by storm, the same can be said for ransomware, including one of today’s most notorious strains: REvil. Also known as Sodinokibi and Sodin, REvil is a ransomware-as-a-service offering, which means a core group develops and maintains the ransomware code and makes it available to affiliates via a portal.

Those affiliates and the core group of operators share in any profits that result from victims paying a ransom. Recent victims that have made payments include meat processor JBS, which paid $11 million in bitcoins.

Many security experts rank REvil among the most damaging and prevalent RaaS operations, alongside Conti, DoppelPaymer (aka DopplePaymer), Maze offshoot Egregor, and Ryuk.

A key to REvil’s success has been its use of skilled affiliates and their ability to gain access to and move through the networks of increasingly large victims, infect endpoints – now including both Windows and Linux systems – and demand larger ransoms. REvil’s operators also maintain a data leak portal and can assist affiliates with ransom negotiations. All of this serves one goal: getting victims to pay.