
Sodinokibi

Sodinokibi (also known as REvil) is a ransomware-as-a-service family responsible for multiple high-profile attacks; in the campaign tracked here it is delivered through an exploited Oracle WebLogic Server flaw reachable over the T3/IIOP protocols.

Last refreshed: 7 June 2026

Key Question

Is REvil ransomware back, and how is it reaching its victims in 2026?

Timeline for Sodinokibi

1 Jun

Deployed onto compromised WebLogic servers via T3/IIOP exploit chain

Cybersecurity: Threats and Defences: WebLogic flaw revived as ransomware vector
Common Questions
What is REvil ransomware and is it still active?
REvil (also called Sodinokibi) is a ransomware-as-a-service family that emerged in 2019 and carried out major attacks on JBS Foods and Kaseya in 2021 before law enforcement disrupted it: Operation GoldDust, announced in November 2021, produced arrests of affiliates and seizures of cryptocurrency, and Russia's FSB detained further alleged members in January 2022. Sodinokibi payloads were again confirmed active in May-June 2026, delivered via an Oracle WebLogic vulnerability, though whether this represents resurgent original operators, copycat groups or affiliates using leaked code is unconfirmed. Source: CISA KEV advisory June 2026, Europol/US DOJ Operation GoldDust announcements
What was the Kaseya ransomware attack by REvil?
In July 2021, REvil exploited a zero-day in Kaseya's VSA remote-management software, pushing ransomware through the VSA servers of Kaseya's managed-service-provider customers to an estimated 1,500 downstream businesses simultaneously. It was one of the largest supply-chain ransomware events on record. REvil demanded $70 million for a universal decryptor, the highest ransom demand publicly reported at the time. Source: CISA advisory AA21-192A, public reporting
How was Sodinokibi/REvil disrupted in 2021-2022?
Operation GoldDust, coordinated by Europol with the FBI, Eurojust and partner agencies and announced in November 2021, led to the arrest of several REvil affiliates and the seizure of cryptocurrency linked to ransomware proceeds; in January 2022 Russia's FSB arrested further alleged members inside Russia. The group's infrastructure collapsed in early 2022. However, the RaaS model means the encryptor and affiliate playbooks can survive the core team's disruption. Source: Europol Operation GoldDust press release and US DOJ announcement, November 2021

Background

Sodinokibi, better known by its alias REvil (Ransomware Evil), is a ransomware-as-a-service (RaaS) family that emerged in April 2019 as the successor to GandCrab. Its operators supplied the encryptor and negotiation infrastructure to affiliates on a profit-sharing model, retaining roughly 20-30 per cent of ransom proceeds while affiliates handled initial access and victim targeting. Sodinokibi was the highest-profile ransomware family of 2020-2021, responsible for the JBS Foods attack in May 2021 (an $11 million ransom was paid), the Kaseya VSA supply-chain attack in July 2021 (encrypting an estimated 1,500 downstream businesses simultaneously) and numerous attacks on law firms, government contractors and healthcare organisations; multiple victims paid ransoms exceeding $1 million. Law enforcement disrupted the group in two waves: Operation GoldDust, coordinated by Europol with the FBI and partner agencies and announced in November 2021, arrested several affiliates and seized cryptocurrency, and in January 2022 Russia's FSB detained further alleged members inside Russia. The group's infrastructure collapsed in early 2022.

Whether current Sodinokibi deployments represent resurgent original operators, copycat groups using leaked source code, or affiliates who moved to successor RaaS platforms remains publicly unconfirmed. In the campaign tracked here, Sodinokibi payloads were delivered via CVE-2024-21182, an unauthenticated flaw in Oracle WebLogic Server reachable over the T3/IIOP protocols, from mid-May 2026, 17 months after Oracle patched the vulnerability. CISA added the flaw to its Known Exploited Vulnerabilities catalogue on 1 June 2026, noting that it was being exploited to deliver a Sodinokibi payload.
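
The practical question for defenders is not whether a given WebLogic build is patched but whether its T3/IIOP listener is reachable from untrusted networks at all, since an unauthenticated T3/IIOP flaw can only be exploited if the handshake succeeds. The following Python check is an added example written for this page, not code from the page, from Oracle or from any advisory. It assumes the standard T3 hello that WebLogic clients send (the same probe nmap's weblogic-t3-info script uses) and the "HELO:<version>.<secure>" banner a T3 listener returns; the sample reply embedded below is constructed, not captured from a real host.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Handshake a WebLogic T3 client sends before any RMI traffic. A listener that
# speaks T3 answers with a "HELO:<version>.<secure>" line followed by AS/HL/MS
# parameters; an HTTP-only or connection-filtered port does not.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# e.g. HELO:12.2.1.4.0.false -> release 12.2.1.4.0, "secure" flag false.
# The trailing true/false is optional in case an older build omits it.
HELO_RE = re.compile(rb"HELO:(\d+(?:\.\d+)*)(?:\.(true|false))?")

# Constructed sample reply (not captured from a real server) so the parser can
# be exercised offline.
SAMPLE_HELO_REPLY = b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"


@dataclass
class T3Probe:
    reachable: bool          # TCP connection succeeded
    t3_open: bool            # listener answered the T3 hello with a HELO banner
    version: Optional[str]   # WebLogic release string from the banner, if any
    secure: Optional[bool]   # banner's trailing true/false flag, if present
    raw: bytes               # first bytes received, kept for the report


def parse_t3_reply(data: bytes) -> T3Probe:
    """Classify what a listener sent back after our T3 hello."""
    m = HELO_RE.search(data)
    if not m:
        return T3Probe(True, False, None, None, data)
    secure = None if m.group(2) is None else m.group(2) == b"true"
    return T3Probe(True, True, m.group(1).decode("ascii"), secure, data)


def probe_t3(host: str, port: int = 7001, timeout: float = 3.0) -> T3Probe:
    """Connect to host:port, send the T3 hello and classify the first reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(T3_HELLO)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
    except OSError:
        return T3Probe(False, False, None, None, b"")
    return parse_t3_reply(data)


def verdict(p: T3Probe) -> str:
    """One-line finding for a scan report."""
    if not p.reachable:
        return "port closed or filtered"
    if p.t3_open:
        return (f"T3 listener reachable (WebLogic {p.version}); filter T3/IIOP "
                f"at the edge and confirm the CPU level on the host")
    return "port open but T3 not negotiated (HTTP-only or connection-filtered)"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
        print(f"{host}:{port} -> {verdict(probe_t3(host, port))}")
    else:
        # No target given: show the classification of the constructed sample.
        print(f"sample -> {verdict(parse_t3_reply(SAMPLE_HELO_REPLY))}")
```

Two caveats a practitioner should carry into the report. The HELO banner names the release line (12.2.1.4.0, 14.1.1.0.0 and so on), not the Critical Patch Update level, so an open T3 port is a finding to investigate on the host, not proof that CVE-2024-21182 is present. And from the internet the correct result is almost always "port closed or filtered": WebLogic's built-in connection filter (weblogic.security.net.ConnectionFilterImpl) takes rules of the form target localAddress localPort action protocols, so a deny rule for t3, t3s, iiop and iiops from 0.0.0.0/0 placed after allow rules for trusted management ranges is the usual remediation when the protocols cannot simply be disabled.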

Sodinokibi's technical signature includes a per-affiliate configuration embedded in each build (campaign and affiliate identifiers, folder and extension exclusions, processes and services to terminate, and the domains it contacts), double extortion (encryption plus data theft with the threat of publication), and a negotiation portal operated on Tor. The original group ran a public leak site, the "Happy Blog", where it posted stolen victim data as leverage. Because the RaaS model separates the encryptor and affiliate playbooks from any individual operator, the Sodinokibi brand can persist or re-emerge independently of arrests of the core team.

Source Material