REvil Ransomware Shutdown: How Law Enforcement Took Down a Ransomware Empire

REvil was one of the most prolific ransomware-as-a-service operations until a coordinated law enforcement takedown dismantled its infrastructure in October 2021.

Yukti Singhal
Security Researcher
7 min read

In October 2021, REvil — one of the most aggressive and profitable ransomware operations on the planet — went dark. Not because its operators decided to retire. Law enforcement agencies from multiple countries hijacked the group's infrastructure, seized their Tor payment portal, and effectively pulled the plug on an operation responsible for hundreds of millions of dollars in ransom demands.

It was a significant moment in the fight against ransomware. But to understand why it mattered, you need to understand what REvil was and how it operated.

The Rise of REvil

REvil, also known as Sodinokibi, emerged in April 2019 as a successor to the GandCrab ransomware operation. The group operated a ransomware-as-a-service (RaaS) model, meaning the core developers built and maintained the ransomware payload while affiliates — essentially contractors — handled the actual intrusions and deployment.

The economics were straightforward. Affiliates kept 60-70% of ransom payments, with the REvil operators taking the rest. This model attracted skilled operators and allowed REvil to scale rapidly without the core team needing to conduct intrusions themselves.

REvil's technical capabilities were formidable:

  • Elliptic-curve cryptography for file encryption, making decryption without the key mathematically infeasible
  • Safe mode exploitation to encrypt files while security software was disabled during Windows Safe Mode boot
  • Credential harvesting to move laterally across victim networks before deploying ransomware
  • Data exfiltration capabilities supporting double extortion — pay the ransom or your data gets published

The group maintained a leak site called "Happy Blog" on the Tor network where stolen data from non-paying victims was published. This added tremendous pressure on victims, particularly those in regulated industries where data exposure carried legal consequences.

Major Attacks That Put REvil on the Map

REvil's affiliate network carried out some of the most high-profile ransomware attacks in history:

Travelex (January 2020)

REvil hit Travelex, the foreign exchange company, on New Year's Eve 2019. The attack crippled the company's operations for weeks and reportedly resulted in a $2.3 million ransom payment. Travelex never fully recovered and eventually went into administration.

Acer (March 2021)

The group demanded $50 million from Acer, one of the largest ransom demands at the time. The attackers exploited a Microsoft Exchange vulnerability to gain initial access, demonstrating how quickly REvil affiliates weaponized newly disclosed vulnerabilities.

JBS Foods (June 2021)

REvil shut down JBS, the world's largest meat processing company, disrupting food supply chains across the United States and Australia. JBS paid an $11 million ransom to restore operations. This attack brought ransomware squarely into the national security conversation.

Kaseya VSA (July 2021)

This was the big one. REvil exploited zero-day vulnerabilities in Kaseya's VSA remote management software, a tool used by managed service providers (MSPs) to manage their clients' IT infrastructure. The attack cascaded through MSPs to their downstream customers, hitting an estimated 1,500 organizations simultaneously.

The Kaseya attack was a supply chain attack in the truest sense — compromising one vendor to reach thousands of victims. REvil demanded $70 million for a universal decryptor.

The Takedown

The Kaseya attack proved to be a turning point. The scale and brazenness of the operation — hitting thousands of businesses through a single vendor — triggered an unprecedented response from law enforcement.

First Disappearance (July 2021)

Shortly after the Kaseya attack, REvil's infrastructure went offline in mid-July 2021. Their Tor sites, payment portals, and negotiation chat systems all went dark simultaneously. The initial assumption was that the operators had voluntarily shut down, possibly under pressure from Russian authorities following the Biden-Putin summit where ransomware was a key topic.

The Return and the Trap (September 2021)

In September 2021, REvil's infrastructure came back online. But something had changed. Unbeknownst to the operators, law enforcement agencies — including the FBI, along with partners from multiple countries — had obtained access to REvil's infrastructure during the downtime.

When a REvil operator known as "0_neday" restored the group's systems from backups, he unknowingly reactivated infrastructure that had been compromised by law enforcement. The agencies had effectively backdoored the backup servers.

The Final Blow (October 2021)

In October 2021, "0_neday" posted on a Russian-language cybercrime forum that an unknown party had accessed REvil's infrastructure using the operators' own keys. He acknowledged the group had been compromised and that it was over.

The operation involved the FBI working with Cyber Command and intelligence agencies from Romania, among other countries. The coordination was significant — rather than simply seizing infrastructure, they turned the group's own operational security against them.

Arrests and Aftermath

The takedown was accompanied by law enforcement actions against individual operators:

  • November 2021: Europol announced the arrest of seven individuals linked to REvil and GandCrab operations across multiple countries
  • January 2022: Russia's FSB arrested 14 alleged REvil members in coordinated raids, seizing over $6 million in cryptocurrency and fiat currency, luxury cars, and computer equipment
  • March 2022: Yaroslav Vasinskyi, a Ukrainian national accused of deploying REvil ransomware in the Kaseya attack, was extradited to the United States

The FSB arrests were particularly notable. Russia had long been criticized for providing a safe harbor for ransomware operators, and the arrests were seen as a diplomatic gesture. Whether they represented a genuine policy shift or a temporary political calculation remains debated.

Technical Lessons

REvil's operation and takedown revealed several important realities about the ransomware ecosystem:

Supply chain attacks multiply impact. The Kaseya attack showed that compromising a single vendor in the MSP supply chain could reach thousands of end victims. This model — targeting the supply chain rather than individual organizations — became a template for subsequent attacks.

Ransomware infrastructure is vulnerable. REvil's operators made the mistake of restoring from compromised backups, but the broader lesson is that Tor hidden services and cryptocurrency payment systems, while providing anonymity, also create centralized infrastructure that can be targeted.

International cooperation works, but slowly. The REvil takedown required coordination across multiple countries and agencies. It took months of planning and execution. This pace doesn't match the speed at which ransomware groups operate.

Takedowns are not permanent solutions. Many former REvil affiliates simply moved to other ransomware operations — BlackCat/ALPHV, LockBit, and others absorbed experienced operators. The RaaS model means that disrupting one brand doesn't eliminate the skilled labor pool that powered it.

The Bigger Picture

REvil's shutdown was a landmark, but it didn't solve the ransomware problem. The group's affiliates carried their skills and access to other operations. The RaaS model proved resilient precisely because it decentralizes operations — take down the brand, and the affiliates rebuild under a new flag.

What the REvil takedown did accomplish was demonstrate that ransomware operators are not untouchable. The combination of technical infrastructure compromise and traditional law enforcement action created a template that has been applied to subsequent operations, including the LockBit disruption in 2024.

The challenge remains one of scale. There are dozens of active ransomware operations at any given time, and law enforcement resources are finite. Every major takedown is followed by the emergence of new groups or the rebranding of old ones.

How Safeguard.sh Helps

The REvil campaign — particularly the Kaseya attack — demonstrated that supply chain security is not optional. When a single compromised vendor can cascade ransomware to 1,500 organizations, every link in your software supply chain becomes a potential entry point.

Safeguard.sh provides continuous visibility into your software supply chain through automated SBOM generation and dependency analysis. By maintaining a real-time inventory of every component in your software stack, you can identify which vendors and dependencies represent concentration risks — the same kind of risk that made Kaseya's VSA such a devastating attack vector.

The platform's policy engine lets you enforce security requirements across your supply chain, flagging components with known vulnerabilities before they're deployed. When the next REvil targets a vendor in your chain, you'll know exactly which systems are affected and how to respond, turning days of triage into minutes of targeted action.
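As an added illustration of the concentration-risk idea above (example code written for this page, not Safeguard.sh's own tooling): a small Python script reads a constructed, CycloneDX-style SBOM inventory, flags suppliers whose components sit on most of the fleet, and lists the systems to triage if one supplier is compromised. All system, supplier and component names are constructed placeholders.

```python
"""Vendor concentration analysis over a fleet of SBOMs (added example).

Constructed, minimal CycloneDX-style inventory embedded inline so it runs
offline; system and supplier names are placeholders, not real data.
"""
from collections import defaultdict

# Constructed inventory: one SBOM per system. "supplier" mirrors the
# CycloneDX component.supplier.name field.
INVENTORY = [
    {"system": "msp-rmm-01", "components": [
        {"name": "rmm-agent", "version": "9.5.7", "supplier": "ExampleRMM Inc"},
        {"name": "openssl", "version": "1.1.1k", "supplier": "OpenSSL Project"}]},
    {"system": "finance-db", "components": [
        {"name": "rmm-agent", "version": "9.5.7", "supplier": "ExampleRMM Inc"},
        {"name": "postgres", "version": "13.4", "supplier": "PostgreSQL GDG"}]},
    {"system": "hr-web", "components": [
        {"name": "rmm-agent", "version": "9.5.6", "supplier": "ExampleRMM Inc"},
        {"name": "nginx", "version": "1.21.1", "supplier": "F5"}]},
    {"system": "build-runner", "components": [
        {"name": "nginx", "version": "1.21.1", "supplier": "F5"}]},
]


def systems_by_supplier(inventory):
    """Map each supplier to the set of systems carrying any of its components."""
    reach = defaultdict(set)
    for sbom in inventory:
        for comp in sbom["components"]:
            reach[comp["supplier"]].add(sbom["system"])
    return reach


def concentration_risks(inventory, max_share=0.5):
    """Suppliers whose components sit on more than max_share of all systems.

    Such a supplier is a single point of compromise: one malicious update
    from it reaches most of the fleet at once (the Kaseya VSA pattern).
    """
    total = len(inventory)
    flagged = {s: len(hosts) / total
               for s, hosts in systems_by_supplier(inventory).items()
               if len(hosts) / total > max_share}
    return dict(sorted(flagged.items(), key=lambda kv: -kv[1]))


def blast_radius(inventory, supplier):
    """Sorted systems to isolate and triage if this supplier is compromised."""
    return sorted(systems_by_supplier(inventory).get(supplier, set()))
```

In the constructed data the RMM agent reaches three of four systems and is flagged, while nginx sits exactly at the 50% threshold and is not; `blast_radius(INVENTORY, "ExampleRMM Inc")` gives the triage list for a compromise of that vendor.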
