REvil
Russian-speaking ransomware-as-a-service group, also known as Sodinokibi, that evolved from GandCrab. Responsible for major attacks including Kaseya and JBS. Dismantled by the Russian FSB in January 2022. Members arrested and released in 2025.
Attribution signal
Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.
≥ 10 High · ≥ 3 Moderate · < 3 Low
0.9
Low signal strength
Mentions: 2
Sources: 1
High conf.: 1
Last seen: Jun 2026
First observed
—
Last active
—
Origin
Russia
Aliases
6
Techniques
0
Campaigns
0
Russia
Targets: Technology, Manufacturing, Legal, Government
Regions: Global
Attribution signals
2 mentions · 1 source
#1 high
HUMINT
krebs
May 2026
#2 unspecified · unspecified
Unspecified
xforce
Jun 2026
"REvil has added the ability to encrypt files even in Windows Safe Mode."
Hedge terms observed
unspecified