The Reaper: REvil

← Home·Gallery·Techniques

Threat Intelligence Tarot

Major Arcana · 15

Criminal (Russia, CIS-based)

G0115

★★★★★

risk 5/5

✦ The Reaper ✦

REvil

Sodinokibi · GOLD SOUTHFIELD

MSPsLaw firmsFood and agricultureTechnology

Active since ~2019 · Ransomware extortion, Double extortion, Affiliate revenue

It sweeps through managed service providers like a scythe through wheat - one compromise, a thousand victims. The Reaper is not interested in your data. It is interested in what your data is worth to you when it is gone.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1486

Data Encrypted for Impact

Impact

T1190

Exploit Public-Facing Application

Initial Access

T1078

Valid Accounts

Persistence

T1048

Exfiltration Over Alternative Protocol

Exfiltration

T1548.002

Bypass User Account Control

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Privilege Escalation

Notable Operations

◆Kaseya VSA supply chain attack (1,500+ companies, 2021)
◆JBS Foods $11M ransom (2021)
◆$70M ransom demand (largest at the time)
◆Law firm Grubman Shire data leak threat

Defenses

▸
MSP supply chain risk management and vendor vetting
NIST SP 800-161 ↗
▸
Immutable offline backups with 3-2-1 architecture
CIS Control 11 ↗
▸
RDP hardening and external exposure elimination
CIS Control 12 ↗
▸
Ransomware-specific incident response playbooks
NIST CSF: RC.RP ↗

Reversed: Their Weakness

After the Colonial Pipeline political fallout, the US government engaged with Russia directly. REvil's servers were taken down from within, allegedly by allied cyber operations - suggesting nation-state enablers can become nation-state targets.

Share this adversary profile

← → arrow keys to browse

swipe to browse

← PreviousThe Merchant Next →The Locked Tower

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.