REvil

In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products.

It is difficult to pinpoint their exact location, but they are thought to be based in Russia because the group does not target Russian organizations or those in former Soviet-bloc countries.

REvil and DarkSide use similarly structured ransom notes and the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country.

This is suspected because REvil first became active directly after GandCrab shut down, and because the two ransomware families share a significant amount of code.

As part of the criminal cybergang's operations, they are known for stealing nearly one terabyte of information from the law firm Grubman Shire Meiselas & Sacks and demanding a ransom to not publish it.

On 7 July 2021, REvil hacked the computers of Florida-based space and weapon-launch technology contractor HX5, which counts the Army, Navy, Air Force, and NASA among its clients, publicly releasing stolen documents on its Happy Blog.

The key was withheld to avoid tipping off REvil to an FBI effort to take down their servers, which ultimately proved unnecessary after the hackers went offline without intervention.

VMware's head of cybersecurity strategy said, "The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups."

As part of Operation GoldDust, involving 17 countries, Europol, Eurojust and INTERPOL, law enforcement authorities arrested five individuals tied to Sodinokibi/REvil and two suspects connected to GandCrab ransomware.

He pleaded guilty to cybercrime and money laundering charges, and on 1 May 2024 was sentenced to 13 years and seven months in prison and ordered to pay $16 million in restitution.

In France, it is known as Fluffy,[50] in Germany as Talentfrei,[51] in Australia and other English-speaking countries as "Emma Hill",[52] and in South Korea as Nebomi (meaning "Four Seasons Blossom" in Korean).

The techniques employed by these modified payloads vary, but they all rely on standard technologies supported by web browsers or operating systems, such as URI schemes and Base64 encoding, rather than the zero-day vulnerabilities leveraged by exploit kits.

It is unclear whether this is related to the ongoing ransomware investigation, but according to a media report in December 2023, the Supreme Court of Korea stated that it had experienced a cyberattack by the Lazarus Group, resulting in the leakage of sensitive data.

Fluffy is presumed to assist in the distribution of various types of ransomware, ranging from Magniber and REvil to LockBit, building on the watering-hole attacks it has successfully executed.

The senders of these emails were two individuals under the age of 19, who claimed to have committed the crimes in response to a proposition that read, "If you join in sending ransomware, we'll share the profits."