Revil
Sodinokibi ransomware group also known as REvil (Ransomware Evil) operates as a ransomware-as-a-service (RaaS) model. After the group compromised his victims, they would threaten to publish the victim's sensitive data on their darknet blog named 'Happy Blog', unless the ransom is paid. The ransomware malware code used by REvil is pretty similar to the ransomware code used by DarkSide - a different threat actor. REvil group claims to steal information after a successful attack on the supplier of the tech giant Apple and stole confidential schematics of their upcoming products.
Victims
96
First Discovered
2019-08-26
victim
Last Discovered
2022-11-28
victim
Inactive Since
3yrs
more than
Avg Delay
N/A
attack→claim
Infostealer
66.7%
victims with domain
Countries
14
hit
Known Locations (3)
| Favicon | Title | Type | Available | Last Visit | Server Info | FQDN | |
|---|---|---|---|---|---|---|---|
|
404 Not Found | No | 2026-04-28T07:26:13 |
dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion
|
|||
|
404 Not Found | No | 2026-04-28T07:28:46 |
aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion
|
|||
|
Blog | No | 2026-04-28T07:31:13 |
blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion
|
Target
Top 5 Activity Sectors
- Technology 18
- Manufacturing 15
- Healthcare 10
- Business Services 7
- Financial Services 6
Top 5 Countries
-
United States
30
-
Australia
4
-
United Kingdom
3
-
France
2
-
Japan
1
Heatmap
Ransom Notes (3)
Tools Used
| Discovery | RMM Tools | Defense Evasion | Credential Theft | OffSec | Networking | LOLBAS | Exfiltration |
|---|---|---|---|---|---|---|---|
|
AdFind
Bloodhound
|
|
|
|
Cobalt Strike
|
|
BITSAdmin
|
PrivatLab
RClone
Sendspace
|
TTPs Matrix (9)
| Initial Access | Execution | Defense Evasion | Credential Access | Discovery | Lateral Movement | Exfiltration | Command and Control | Impact |
|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Command and Scripting Interpreter: PowerShell | Obfuscated Files or Information | OS Credential Dumping: LSASS Memory | System Information Discovery | Remote Services: Remote Desktop Protocol | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Application Layer Protocol: Web Protocols | Data Encrypted for Impact |
| Exploit Public-Facing Application | Signed Binary Proxy Execution: Msiexec | Virtualization/Sandbox Evasion | Network Share Discovery | Inhibit System Recovery | ||||
| Supply Chain Compromise | Disable or Modify Tools |
Negotiation Chats (20)
20201014
72 msgs
20201104
63 msgs
20201126
79 msgs
20210320
13 msgs
20210329
43 msgs
20210331
23 msgs
20210401
78 msgs
20210407
15 msgs
20210413
156 msgs
20210603
63 msgs
20210604
10 msgs
20210609
58 msgs
20210613
132 msgs
20210616
31 msgs
20210617
67 msgs
20210622
52 msgs
20210628
39 msgs
20210630
42 msgs
20210708
28 msgs
20210709
1 msgs
YARA Rules (1)
Victims (96)
No description available
