REvil (Sodinokibi) Ransomware
REvil, also widely known as Sodinokibi, is one of the most notorious ransomware families of recent years. Operated as a ransomware-as-a-service (RaaS) by the financially motivated group tracked as GOLD SOUTHFIELD, it was first identified in April 2019 and has been used in numerous high-profile, high-ransom attacks against businesses worldwide.
REvil encrypts the files on an infected machine, appends a random extension, and drops a ransom note in every affected folder demanding payment — usually in cryptocurrency — in exchange for a decryption key. Many REvil operations also steal data before encrypting it and threaten to publish it, a "double extortion" tactic.
Table of Contents
What Is REvil / Sodinokibi?
REvil is a sophisticated, targeted ransomware rather than an opportunistic one. Once it gains access, it attempts to run with elevated privileges so it can reach every file and resource on the system, then systematically encrypts local files and any accessible network shares before demanding a ransom.
How REvil Encrypts Files
REvil uses a hybrid encryption scheme that combines symmetric and asymmetric cryptography. It typically encrypts file contents with a fast stream cipher (Salsa20) and protects the encryption keys using elliptic-curve (Diffie-Hellman) key exchange, storing a public key while keeping the matching private key with the attackers. This design makes free decryption without the attackers' key extremely difficult.
How REvil Spreads
REvil has been delivered through a range of vectors, including exploitation of vulnerable internet-facing servers and software (such as Oracle WebLogic), compromised remote-access services, phishing, and via other malware loaders. In several campaigns it was pushed through compromised managed-service-provider tooling to hit many organizations at once.
What REvil Does
- File encryption: renders documents, images, and databases unusable and drops a ransom note.
- Privilege escalation: attempts to gain administrative rights to maximize damage.
- Network encryption: seeks out and encrypts mapped drives and network shares.
- Data theft: many attacks exfiltrate sensitive data for double-extortion leverage.
Why REvil Is Dangerous
A REvil attack can halt an entire organization, and paying the ransom is never guaranteed to restore data — nor is it recommended. The safest recovery path is restoring from clean, offline backups. The Threat Scorecard on this page reflects how SpyHunter's research systems classify this threat.
How to Respond to and Remove REvil
Ransomware requires a careful response:
- Isolate the infected machine from the network immediately to stop the encryption from spreading.
- Do not pay the ransom. Payment funds further crime and offers no guarantee of recovery.
- Preserve a copy of the ransom note and a sample encrypted file, which can help identify the variant and any available decryptor.
- Remove the ransomware payload by scanning the system with a professional anti-malware tool such as SpyHunter to eliminate the malicious executable and related components.
- Restore your files from clean, offline backups once the system is confirmed malware-free.
Note that removing the ransomware stops further encryption but does not, by itself, decrypt files already locked — that is why maintained offline backups are the single most important defense.
Conclusion
REvil / Sodinokibi is a high-impact ransomware threat capable of crippling businesses and demanding large payouts. Isolate affected systems, avoid paying, remove the malware with a trusted security tool, and recover from backups. Strong backups, prompt patching, and multi-factor authentication remain the best protection against attacks like this.