APT Intelligence Directory
Institute for Critical Infrastructure Cybersecurity

REvil

High Confidence • High Threat

Sodinokibi • PINCHY SPIDER • GOLD SOUTHFIELD

REvil, also known as Sodinokibi, is a ransomware-as-a-service (RaaS) operation run by the financially motivated threat group GOLD SOUTHFIELD (also tracked as PINCHY SPIDER). Active since at least 2018, REvil is known for high-profile attacks and large ransom demands. The group gained notoriety for not only encrypting victim data but also exfiltrating it and threatening to publish it if the ransom is not paid; this double-extortion tactic has become a hallmark of its operations. REvil typically gains initial access through phishing campaigns, exploitation of public-facing applications, and compromise of managed service providers (MSPs), the last of which lets a single intrusion push ransomware to an MSP's entire customer base. Once inside, the group escalates privileges and moves laterally before deploying the encryptor. It is known to time deployments for holidays and weekends, when reduced staffing slows detection and response.
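The behaviour a defender actually gets to observe from the intrusion pattern above is a burst of file renames on one host, often outside business hours. The detector below is an added example for this profile, not REvil tooling and not ICIC code. Everything in it is constructed for illustration: the audit-log format, the field names, the host and user names, and the `.locked99` suffix. Ransomware extensions vary per victim, so the logic keys on any suffix appended to an existing filename rather than on a fixed string, and it weights the alert with an off-hours flag.

```python
"""Detect off-hours mass-rename bursts in file-audit logs.

Added example for this profile; it is not REvil tooling and not ICIC code.
Everything below is constructed for illustration: the log format, the field
names, the host/user names and the ".locked99" suffix. Ransomware extensions
vary per victim, so the detector keys on *any* suffix appended to an existing
filename rather than on a fixed string.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    src: str
    dst: str


def parse_event(line: str) -> Optional[Event]:
    """Parse one constructed audit line; returns None for non-rename actions."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    if kv.get("action") != "rename":
        return None
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, kv["host"], kv["user"], kv["src"], kv["dst"])


def appended_suffix(ev: Event) -> Optional[str]:
    """Suffix tacked onto the original name (doc.xlsx -> doc.xlsx.xyz), else None."""
    if ev.dst.startswith(ev.src) and len(ev.dst) > len(ev.src):
        return ev.dst[len(ev.src):]
    return None


def is_off_hours(ts: datetime, start_hour: int = 8, end_hour: int = 18) -> bool:
    """Weekend or outside the business-hours window (assumed UTC for this example)."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def detect(lines: List[str], window: timedelta = timedelta(seconds=60),
           threshold: int = 50) -> List[Dict]:
    """Alert once per (host, suffix) when `threshold` suffix-renames land inside `window`."""
    events = [e for e in map(parse_event, lines) if e is not None]
    events.sort(key=lambda e: e.ts)
    recent: Dict[tuple, deque] = defaultdict(deque)  # sliding window per (host, suffix)
    totals: Dict[tuple, int] = defaultdict(int)
    triggered: Dict[tuple, datetime] = {}
    for ev in events:
        suffix = appended_suffix(ev)
        if suffix is None:
            continue
        key = (ev.host, suffix)
        totals[key] += 1
        q = recent[key]
        q.append(ev.ts)
        while ev.ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in triggered:
            triggered[key] = ev.ts
    return [
        {"host": host, "suffix": suffix, "renames": totals[(host, suffix)],
         "triggered_at": ts.isoformat(), "off_hours": is_off_hours(ts)}
        for (host, suffix), ts in triggered.items()
    ]


def build_sample_lines() -> List[str]:
    """Constructed audit lines: one encryption-style burst on a Saturday night,
    plus benign weekday activity that must not alert."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # Saturday 2023-11-25 02:00 UTC: 80 files get ".locked99" appended within ~27 s.
    burst = datetime(2023, 11, 25, 2, 0, 0, tzinfo=timezone.utc)
    for i in range(80):
        ts = (burst + timedelta(seconds=i // 3)).strftime(fmt)
        lines.append(f"{ts} host=ws-12 user=svc_backup action=rename "
                     f"src=C:\\Finance\\report_{i}.xlsx dst=C:\\Finance\\report_{i}.xlsx.locked99")
    # Tuesday 2023-11-21 10:00 UTC: a handful of ordinary .bak renames and writes.
    day = datetime(2023, 11, 21, 10, 0, 0, tzinfo=timezone.utc)
    for i in range(5):
        ts = (day + timedelta(minutes=i)).strftime(fmt)
        lines.append(f"{ts} host=ws-07 user=alice action=rename "
                     f"src=C:\\Docs\\draft_{i}.docx dst=C:\\Docs\\draft_{i}.docx.bak")
        lines.append(f"{ts} host=ws-07 user=alice action=write path=C:\\Docs\\draft_{i}.docx")
    # A rename that is not a suffix append must be ignored entirely.
    lines.append(f"{day.strftime(fmt)} host=ws-07 user=alice action=rename "
                 f"src=C:\\Docs\\old.txt dst=C:\\Docs\\new.txt")
    return lines


def run_sample() -> List[Dict]:
    return detect(build_sample_lines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed sample this fires exactly once, for `ws-12` with suffix `.locked99`, 80 renames, and `off_hours` set, while the weekday `.bak` housekeeping on `ws-07` stays silent. In production the window and threshold need tuning against the host's normal file churn, and the off-hours check should use the organisation's local business calendar (including public holidays) rather than the UTC placeholder used here.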

Origin: Russia
Sponsor: Criminal Organization
Active: 2018 - Present
Victims: 100+ organizations
Sophistication: Advanced
Status: Evolved
Motivation: Financial Gain

Risk Assessment

Composite Risk Score: 79 (High Risk)
ARCS Compliance: 80
Escalation Risk: 78
Grievance Index: 75
Infrastructure Impact: 82
History & Evolution

REvil first appeared in 2018 as a ransomware-as-a-service offering and built its reputation on double extortion (encryption combined with data theft and leak threats) and on scaling distribution by compromising managed service providers. The timeline on this page records first observed activity in 2018 and last known activity in 2024.

Targeting

Target Sectors

Healthcare, IT, Food and Agriculture, Energy

Target Regions

United States, Europe, Asia

Attribution & Affiliations

Attributed to Criminal Organization (Russia). Attribution confidence: High.

Intelligence Assessment

Threat Level: High
Targeting: Opportunistic
Adaptability: High
Persistence: High
Op Tempo: Periodic
Status: Evolved

Future Outlook

REvil is expected to continue operations targeting healthcare organizations.

Timeline of Key Events

2018 (Major): First observed activity
2024 (Major): Last known activity