S0496 REvil

REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.264

| Item | Value |
| --- | --- |
| ID | S0496 |
| Associated Names | Sodin, Sodinokibi |
| Version | 2.1 |
| Created | 04 August 2020 |
| Last Modified | 26 March 2023 |
| Navigation Layer | View In ATT&CK® Navigator |

Associated Software Descriptions

| Name | Description |
| --- | --- |
| Sodin | 67 |
| Sodinokibi | 265731118109212 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1134 | Access Token Manipulation | - |
| enterprise | T1134.001 | Token Impersonation/Theft | REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.8 |
| enterprise | T1134.002 | Create Process with Token | REvil can launch an instance of itself with administrative rights using runas.2 |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | REvil has used HTTP and HTTPS in communication with C2.311862 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | REvil has used PowerShell to delete volume shadow copies and download files.11164 |
| enterprise | T1059.003 | Windows Command Shell | REvil can use the Windows command line to delete volume shadow copies and disable recovery.3192 |
| enterprise | T1059.005 | Visual Basic | REvil has used obfuscated VBA macros for execution.59 |
| enterprise | T1485 | Data Destruction | REvil has the capability to destroy files and folders.71188692 |
| enterprise | T1486 | Data Encrypted for Impact | REvil can encrypt files on victim systems and demands a ransom to decrypt the files.7311069212 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | REvil can decode encrypted strings to enable execution of commands and payloads.573862 |
| enterprise | T1189 | Drive-by Compromise | REvil has infected victim machines through compromised websites and exploit kits.28911 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | REvil has encrypted C2 communications with the ECIES algorithm.7 |
| enterprise | T1041 | Exfiltration Over C2 Channel | REvil can exfiltrate host and malware information to C2 servers.2 |
| enterprise | T1083 | File and Directory Discovery | REvil has the ability to identify specific files and directories that are not to be encrypted.7311862 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | REvil can connect to and disable the Symantec server on the victim’s network.3 |
| enterprise | T1562.009 | Safe Mode Boot | REvil can force a reboot in safe mode with networking.13 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | REvil can mark its binary code for deletion after reboot.6 |
| enterprise | T1105 | Ingress Tool Transfer | REvil can download a copy of itself from an attacker controlled IP address to the victim machine.189 |
| enterprise | T1490 | Inhibit System Recovery | REvil can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features.73111869212 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | REvil can mimic the names of known executables.9 |
| enterprise | T1112 | Modify Registry | REvil can modify the Registry to save encryption parameters and system information.311862 |
| enterprise | T1106 | Native API | REvil can use Native API for execution and to retrieve active services.26 |
| enterprise | T1027 | Obfuscated Files or Information | REvil has used encrypted strings and configuration files.51186492 |
| enterprise | T1027.011 | Fileless Storage | REvil can save encryption parameters and system information in the Registry.311862 |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.002 | Domain Groups | REvil can identify the domain membership of a compromised host.782 |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | REvil has been distributed via malicious e-mail attachments including MS Word Documents.53289 |
| enterprise | T1055 | Process Injection | REvil can inject itself into running processes on a compromised host.10 |
| enterprise | T1012 | Query Registry | REvil can query the Registry to get random file extensions to append to encrypted files.2 |
| enterprise | T1489 | Service Stop | REvil has the capability to stop services and kill processes.62 |
| enterprise | T1082 | System Information Discovery | REvil can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host.731188642 |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | REvil can check the system language using GetUserDefaultUILanguage and GetSystemDefaultUILanguage. If the language is found in the list, the process terminates.7 |
| enterprise | T1007 | System Service Discovery | REvil can enumerate active services.6 |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | REvil has been executed via malicious MS Word e-mail attachments.5109 |
| enterprise | T1047 | Windows Management Instrumentation | REvil can use WMI to monitor for and kill specific processes listed in its configuration file.114 |
| ics | T0828 | Loss of Productivity and Revenue | The REvil malware gained access to an organization's network and encrypted sensitive files used by OT equipment. 18 |
| ics | T0849 | Masquerading | REvil searches for whether the Ahnlab autoup.exe service is running on the target system and injects its payload into this existing process. 17 |
| ics | T0886 | Remote Services | REvil uses the SMB protocol to encrypt files located on remotely connected file shares. 14 |
| ics | T0853 | Scripting | REvil utilizes JavaScript, WScript, and PowerShell scripts to execute. The malicious JavaScript attachment has an obfuscated PowerShell script that executes the malware. 17 |
| ics | T0881 | Service Stop | REvil searches for all processes listed in the prc field within its configuration file and then terminates each process. 15 |
| ics | T0869 | Standard Application Layer Protocol | REvil sends HTTPS POST messages with randomly generated URLs to communicate with a remote server. 17 16 |
| ics | T0882 | Theft of Operational Information | REvil sends exfiltrated data from the victim's system using HTTPS POST messages sent to the C2 system. 15 16 |
| ics | T0863 | User Execution | REvil initially executes when the user clicks on a JavaScript file included in the phishing email's .zip attachment. 17 |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0046 | FIN7 | 192021 |


  1. Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020. 

  2. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. 

  3. Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020. 

  4. Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020. 

  5. Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020. 

  6. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. 

  7. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020. 

  8. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. 

  9. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020. 

  10. Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020. 

  11. Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. 

  12. Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020. 

  13. Abrams, L. (2021, March 19). REvil ransomware has a new ‘Windows Safe Mode’ encryption mode. Retrieved June 23, 2021. 

  14. Heinemeyer, Max. (2020, February 21). Post-mortem of a targeted Sodinokibi ransomware attack. Retrieved April 12, 2021. 

  15. McAfee Labs. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved April 12, 2021. 

  16. SecureWorks. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved April 12, 2021. 

  17. Fakterman, Tom. (2019, August 5). Sodinokibi: The Crown Prince of Ransomware. Retrieved April 12, 2021. 

  18. Larson, Selena and Singleton, Camille. (2020, December). RANSOMWARE IN ICS ENVIRONMENTS. Retrieved April 12, 2021. 

  19. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  20. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.