Everything Is A Service Now. Including The Crime.
Every company you've worked at outsources something. You don't host your own email. You don't write your own auth. You rent your servers, your CI runners, your CRM, your monitoring stack, your customer support chat widget. Building anything from scratch is too slow, too expensive, and somebody on AWS has already done it better. The whole business world runs on "let somebody else handle that part."
Now flip that logic. You are a black hat. You just popped a zero-day on a mid-sized hospital chain. You have, maybe, 72 hours before their SOC notices the lateral movement. You're alone in a rented flat in Kyiv and you have no idea how to write a stable encryption routine that won't corrupt files, no idea how to host a Tor leak site, no idea how to negotiate with an enterprise insurance adjuster in Texas, and definitely no idea how to launder $5 million of Bitcoin without ending up on a US sanctions list.
Good news. There is a SaaS for that too. You log in, you click a button, you upload your access, and a polite Russian-speaking interface offers you a deal. Their kit, their crypto, their leak site, their negotiators. You bring the victim. They take 20 to 30 percent. You walk away with the rest in clean Monero.
Between 2019 and 2022, the biggest and most professional of those criminal SaaS shops was REvil, also known as Sodinokibi. This is the story of how a ransomware operation built itself into a business, what it broke on the way, and what happened when the FBI, US Cyber Command and Russia's FSB finally decided enough was enough.
What Ransomware-as-a-Service Actually Is
Strip the cyberpunk wrapper off and RaaS looks identical to a normal franchise. There is a core team that builds and maintains the product. There are "affiliates", independent operators who bring in the victims. Revenue is split. The terms are written down.
The REvil Stack
- Core team: wrote the ransomware binary, ran the panel, maintained the leak site "Happy Blog", handled crypto and laundering.
- Affiliates: phishing crews, initial access brokers, and ex-pentesters who could get a foothold, escalate privileges and move laterally inside a target.
- Split: typical 70/30 in the affiliate's favour. Some big deals went 80/20.
- Support: 24/7 negotiation chat with victims, decryptor delivery, and discount tiers for "quick payers".
The whole point of the model is specialisation. A guy who is brilliant at exploiting Citrix bugs does not have to also be brilliant at writing AES routines and negotiating with insurance lawyers. He just hands off the box and collects 70 cents on the dollar. REvil's core team built the worst small business in the world, and they built it really, really well.
The Greatest Hits, In Order Of Damage
REvil's affiliate network hit thousands of organisations over its run. A few attacks turned them into a household name in the security industry.
- Travelex, Dec 2019 to Jan 2020. Travelex's network was encrypted on New Year's Eve. The UK foreign-exchange giant was offline for weeks. Reports indicated Travelex paid roughly $2.3M in Bitcoin. The company filed for administration later that year. The attack was the first time REvil became a UK headline.
- Acer, March 2021. REvil hit Taiwanese PC maker Acer and demanded $50M. Largest publicly known ransom demand at the time.
- Quanta / Apple, April 2021. REvil compromised Quanta, a Taiwanese OEM that builds Apple products, stole MacBook design schematics, and tried to extort Apple directly when Quanta refused to pay. Posted blueprints on the leak site. Then suddenly pulled them down. Speculation is still that someone, somewhere, paid quietly.
- JBS Foods, June 2021. The world's largest meat processor. Plants in the US, Australia and Canada were forced to shut down. JBS confirmed it paid REvil $11M in Bitcoin to restore operations.
- Kaseya VSA, July 2021. The headline event. REvil exploited a zero-day in Kaseya's VSA remote management software, used by managed service providers worldwide. The compromise cascaded through about 60 MSPs and hit roughly 1,500 downstream organisations in a single weekend, including the Swedish Coop supermarket chain, which had to close 800 stores because the cash registers stopped working. REvil demanded $70M for a universal decryptor.
Between those headline hits, REvil and its affiliates encrypted somewhere in the order of thousands of organisations globally. Estimates of total ransoms paid to REvil across its lifetime run into the hundreds of millions of dollars. The leak site, "Happy Blog", at one point listed dozens of new victims every week, each given a countdown timer before stolen data would be published publicly.
Now Imagine It Happens To You
Pause for a second. Forget JBS and Kaseya. Think about your laptop. Your phone. Your Google Drive. Every selfie from your last holiday. Every project file from the last three years of your job. Your tax records. Your CV. The unfinished novel. The folder of voice messages from your mum.
Now imagine you boot up tomorrow morning and instead of your desktop you see a black background, a red countdown clock, and a polite note in good English telling you that every file is encrypted, the key is on their server, and the price is roughly $1,200 in Bitcoin. They've helpfully included a step-by-step guide on how to buy it. They've even attached three free file decryptions to prove they really do have the key.
Be honest with yourself. Would you pay?
Most people I've asked say no, in theory. Most people change their answer when I ask whether they have a backup of their wedding photos. They don't. They go quiet. Then they say "well, $1,200 isn't that bad." That is the entire business model. The price is always calibrated to be lower than what it would cost you, emotionally and practically, to walk away.
The point isn't to shame anyone. The point is that until you've actually rehearsed this scenario, your data is not really yours. It is rented from whoever can encrypt it faster than you can restore it.
The Actual Damage They Caused
Some of the wreckage that REvil and its affiliates are credibly tied to:
- Roughly 1,500 organisations hit in the Kaseya weekend alone.
- 800 Coop supermarkets in Sweden closed for over a week because tills were inoperable.
- Multiple hospital networks in the US and Europe knocked offline, with elective surgeries delayed and ER systems forced into manual paper mode.
- Several local government and municipal networks in the US encrypted, including payroll and emergency dispatch in smaller towns.
- An entire global meat supply chain paused for days during the JBS incident, with knock-on effects on wholesale beef prices.
- Sensitive legal and HR data from law firms and consulting firms leaked publicly on the Happy Blog when victims refused to pay.
The recovery costs, downtime, regulatory fines, and breach disclosure expenses run far higher than the headline ransom numbers. Most analysts estimate the true total economic damage from REvil's run is on the order of multiple billions of dollars globally. The cash extracted by the gang itself is the smallest line in that ledger.
2021 to 2022: The Takedown Cycle
Kaseya was the line in the sand. Hitting companies adjacent to US critical infrastructure during the run-up to a Biden / Putin summit was politically too loud. Diplomatic pressure followed. Within weeks, in July 2021, REvil's leak site, payment portal and Tor infrastructure suddenly went dark. The operators went silent. Many assumed they had vanished.
They reappeared briefly in September. Then in October 2021, a multi-agency operation involving the FBI and US Cyber Command, working with foreign partners, hijacked REvil's Tor backend and forced it offline a second time. Bloomberg and Reuters later reported that the FBI had quietly held a master decryption key for Kaseya victims for weeks before sharing it, while the takedown was still in progress.
On 14 January 2022, Russia's FSB announced something nobody expected. At the United States' request, the FSB had raided 25 addresses across Russia and detained 14 alleged REvil members. Cash, crypto wallets, luxury cars and computers were seized on video. For about a month it looked like cyber-cooperation between Washington and Moscow was about to become a real thing. Then Russia invaded Ukraine in February 2022 and that line of cooperation died on the spot.
Where The Members Ended Up
A few of the names that became public.
- Yaroslav Vasinskyi, Ukrainian national, alleged Kaseya affiliate. Arrested in Poland in October 2021. Extradited to the US in 2022. Pleaded guilty in 2024. Sentenced in May 2024 to 13 years 7 months in US federal prison and ordered to pay roughly $16 million in restitution.
- Yevgeniy Polyanin, Russian national, charged in absentia by the US Department of Justice in November 2021 over a separate batch of attacks. Approximately $6.1 million in cryptocurrency was seized. Polyanin remains at large in Russia.
- The 14 detained in Russia, January 2022. Russian state TV showed the raids, the wads of cash and the Lamborghinis. After the invasion of Ukraine, prosecutions stalled. Some defendants reportedly walked, some had charges reduced to local fraud, and the cooperative posture with the US effectively ended. As of 2025, none of those 14 have been extradited.
The Vasinskyi sentencing is the only really substantial conviction so far. It set a precedent. A foreign national, arrested in a third country, extradited, and given over thirteen years in a US prison for being part of a ransomware affiliate program. Every RaaS affiliate paying attention now knows the cost can be more than zero.
What This Actually Teaches Us
A few things that I keep coming back to from the REvil run.
- Crime is a business model now, not a craft. Specialisation, support tickets, affiliate splits, KPI dashboards. Defenders need to model attackers like vendors, not like lone wolves.
- Initial access brokers are the new salesforce. A huge share of REvil affiliates never wrote a single line of malware. They just bought access on Russian-speaking forums and clicked deploy. If your network is sitting on a credentials list, somebody is renting access to your front door right now.
- Backups are not enough. REvil's "double extortion" model meant they exfiltrated data before encrypting it. Even if you restored cleanly, they still leaked the data. Treat data loss prevention with the same seriousness as recovery.
- Patch your remote-management tools first. Kaseya VSA, ConnectWise, SolarWinds Orion, Citrix. The supply-chain attack vector is overwhelmingly the IT vendor, not the user.
- Cyber-diplomacy is fragile. The FSB raid in January 2022 was real cooperation. It survived for about three weeks. Plan your threat model assuming most state-aligned actors live somewhere your courts cannot reach.
The Honest Question
Right now, on your laptop, is there a single folder you would pay $1,200 in Bitcoin to get back? If yes, it isn't backed up properly. The fix is free. The motivation is the only thing missing. Most people get the motivation about 30 seconds after the screen turns red.
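The only way to know a folder is "backed up properly" is to rehearse the restore. Below is an added example, not from the original article: a small restore drill that restores a backup into a scratch directory and diffs it against the live folder by SHA-256, so you find out before the screen turns red which files would be lost or corrupted. All paths and sample files are constructed for the demo.

```python
"""Restore drill: prove a backup can actually bring a folder back."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def restore_drill(source: Path, backup: Path, scratch: Path) -> dict[str, list[str]]:
    """Restore `backup` into `scratch` and diff it against the live `source`.

    Returns the files missing from the restored copy and those whose content
    differs from the original; an empty result on both keys means the drill passed.
    """
    if scratch.exists():
        shutil.rmtree(scratch)
    shutil.copytree(backup, scratch)  # the actual restore step, into a scratch dir
    want, got = manifest(source), manifest(scratch)
    return {
        "missing": sorted(f for f in want if f not in got),
        "corrupted": sorted(f for f in want if f in got and got[f] != want[f]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a backup that is both stale and partly corrupted."""
    base = Path(tempfile.mkdtemp(prefix="drill-"))
    src, bak = base / "photos", base / "backup"
    for d in (src / "wedding", bak / "wedding"):
        d.mkdir(parents=True)
    (src / "wedding" / "001.jpg").write_bytes(b"good bytes")
    (bak / "wedding" / "001.jpg").write_bytes(b"good bytes")   # backed up correctly
    (src / "wedding" / "002.jpg").write_bytes(b"new photo")    # never backed up
    (src / "tax-2023.pdf").write_bytes(b"return")
    (bak / "tax-2023.pdf").write_bytes(b"garbled")             # bit rot in the backup
    return restore_drill(src, bak, base / "restore")


if __name__ == "__main__":
    print(demo())
```

Run it against your real folder and its backup (on a scratch path, never over the live data); a non-empty report is the $1,200 question answered in advance.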
REvil is technically dead. The brand isn't. Its code lineage, its affiliate playbook and at least one of its core operators have already shown up under other names. The same business model runs today under labels like LockBit, BlackCat, Cl0p, Akira and a dozen smaller shops. The kit is cheaper, the affiliates are more numerous, and the payouts are bigger.
The era of ransomware-as-a-service is not ending. It is just consolidating.
References & Further Reading
Sources I cross-checked while writing this. Worth reading if you want the long-form versions.
- Wikipedia, "REvil": rolling timeline of attacks, takedowns and indictments.
- US Department of Justice (Nov 2021), "Ukrainian arrested and charged with ransomware attack on Kaseya": the original Vasinskyi indictment.
- US Department of Justice (May 2024), "Sodinokibi / REvil affiliate sentenced for multi-million dollar cyberattacks": the 13 year 7 month sentence and $16M restitution order.
- Reuters (Jan 2022), "Russia says it has shut down REvil cybercrime gang": the FSB raid coverage.
- BBC News (Jun 2021), "JBS pays $11m to resolve ransomware attack": JBS Foods confirms the payment.
- CISA Advisory AA21-187A, "Kaseya VSA supply-chain ransomware attack": the official US government technical advisory on the Kaseya incident.
- Bloomberg / Washington Post (Sep 2021), "FBI held REvil decryption key for weeks before sharing": on the operational dilemma behind the Kaseya response.
- BBC News (Jan 2020), "Travelex paid hackers $2.3m in Bitcoin": the first major REvil headline.