S0496: REvil
REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[1][2][3]
Analyst context for executives and security teams
REvil is a Windows ransomware family described by ATT&CK as a configurable ransomware-as-a-service operation since at least April 2019, linked to GOLD SOUTHFIELD and used in activity affecting manufacturing, transportation, and electric-sector organizations. Its business significance is not only encryption: the ATT&CK relationships show behaviors tied to execution, discovery, stealth, exfiltration, remote services, service stopping, and ICS-relevant loss of productivity and revenue. Leaders should treat REvil coverage as a practical test of ransomware resilience across endpoints, identity, remote access, backups, incident response, and operational continuity.
Executive priority
Prioritize REvil as a resilience and readiness scenario rather than a single malware signature. The supplied ATT&CK context connects it to financially motivated groups, RaaS operations, Windows environments, and sectors where IT disruption can affect operational productivity. Executives should ask whether the organization can prove: critical Windows systems are monitored, privileged/domain group discovery is visible, remote service use is controlled, service-stopping activity is investigated quickly, exfiltration over common channels is detectable, and recovery plans cover manufacturing, transportation, electric, or other operational dependencies where relevant.
Technical view
SOC and IR teams should validate coverage against the related ATT&CK behaviors: PowerShell, Windows Command Shell, Visual Basic, WMI execution, process injection, registry queries, system service discovery, domain group discovery, masquerading, encoded or fileless storage, exfiltration over C2 channels, remote services, and service stop activity. Because ATT&CK provides no official detection text for this software object, detection engineering should be behavior-led and mapped to the associated techniques rather than relying only on malware names such as REvil, Sodin, or Sodinokibi.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell script block, module, and operational logs where available
- WMI activity logs and remote execution evidence
- Windows Registry access and modification telemetry
- Service control events, service stop events, and system service inventory changes
Detection direction
- Build detections around chains of behavior: script or shell execution followed by discovery, registry queries, service enumeration, remote service use, service stopping, suspicious file activity, and outbound transfer patterns.
- Tune administrative-tool detections carefully because PowerShell, WMI, command shell, service control, and remote services have legitimate uses; prioritize unusual parent-child processes, new hosts, unusual accounts, off-hours execution, or activity against high-value systems.
- Validate visibility for stealth-related behaviors in the relationships, including process injection, encoded files, fileless storage, and masquerading with legitimate resource names or locations.
- Correlate endpoint and identity telemetry for domain group discovery, especially where enumeration precedes lateral movement or privilege-focused activity.
- For environments with operational technology dependencies, test whether SOC workflows can connect Windows ransomware behavior to ICS impacts such as service disruption, loss of productivity, or operational information theft.
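As an added illustration of the chain-based detection direction above (example code written for this page, not part of ATT&CK or the Glexia mirror), the following Python scores constructed Windows process-creation events per host: a script or shell launch followed within a time window by domain-group discovery, service stopping, or recovery inhibition via vssadmin/bcdedit. Hostnames, timestamps, and command lines are constructed samples, and the window size is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample process-creation events (hypothetical hosts, not from any
# real incident). Fields mirror what Sysmon Event ID 1 or Security 4688 provide.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2024-01-10T02:03:00", "parent": "winword.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"host": "WS01", "ts": "2024-01-10T02:04:10", "parent": "powershell.exe",
     "image": "net.exe", "cmdline": "net group \"Domain Admins\" /domain"},
    {"host": "WS01", "ts": "2024-01-10T02:05:30", "parent": "cmd.exe",
     "image": "vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "ts": "2024-01-10T02:05:31", "parent": "cmd.exe",
     "image": "bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    # Benign admin work on another host: a script, then a service stop hours later.
    {"host": "SRV02", "ts": "2024-01-10T09:00:00", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\ops\\inventory.ps1"},
    {"host": "SRV02", "ts": "2024-01-10T13:30:00", "parent": "cmd.exe",
     "image": "net.exe", "cmdline": "net stop Spooler"},
]

# Stage patterns derived from the behaviors listed in the ATT&CK relationships.
STAGES = {
    "script_exec": re.compile(r"^(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$", re.I),
    "discovery": re.compile(r"\b(net\s+group\b.*\s/domain|sc\s+query|whoami\s+/groups)", re.I),
    "service_stop": re.compile(r"\b(net\s+stop|sc\s+stop|taskkill)\b", re.I),
    "inhibit_recovery": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|bcdedit\b.*recoveryenabled\s+no|wbadmin\s+delete)",
        re.I),
}

def classify(event):
    """Return the set of stage names an event matches (image name for script_exec,
    command line for the rest)."""
    hits = set()
    if STAGES["script_exec"].search(event["image"]):
        hits.add("script_exec")
    for name in ("discovery", "service_stop", "inhibit_recovery"):
        if STAGES[name].search(event["cmdline"]):
            hits.add(name)
    return hits

def detect_chains(events, window_minutes=30):
    """Per host, collect stages seen within `window_minutes` after a script/shell
    launch. Returns {host: sorted stages} only where the chain reaches recovery
    inhibition or service stopping, so an isolated script run does not alert."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), classify(ev)))
    alerts, window = {}, timedelta(minutes=window_minutes)
    for host, seq in by_host.items():
        for i, (t0, stages0) in enumerate(seq):
            if "script_exec" not in stages0:
                continue
            later = set()
            for t1, stages1 in seq[i + 1:]:
                if t1 - t0 > window:
                    break
                later |= stages1 - {"script_exec"}
            if later & {"inhibit_recovery", "service_stop"}:
                alerts[host] = sorted(later | {"script_exec"})
                break
    return alerts

if __name__ == "__main__":
    for host, stages in detect_chains(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(stages)}")
```

Widening the window to several hours makes the SRV02 admin activity alert as well, which is the tuning trade-off the list above warns about.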
Mitigation priorities
- Start with resilience controls: tested offline or protected backups, recovery runbooks, and business-continuity plans for Windows-dependent operations.
- Reduce execution risk by hardening and monitoring script interpreters and administrative execution paths such as PowerShell, command shell, Visual Basic, and WMI.
- Limit blast radius through least privilege, privileged group governance, domain group monitoring, and segmentation between user, server, and operational environments where applicable.
- Control and monitor remote services used for administration or lateral movement, with strong authentication and logging.
- Protect critical services from unauthorized stopping or tampering and ensure alerts for service disruption are routed to responders with business context.
Analyst notes and limits
This take is based on ATT&CK S0496 REvil, its official description, external references, and supplied relationships. The object is a malware/software entry for Windows, with no official ATT&CK detection guidance. Relationships link REvil to GOLD SOUTHFIELD and FIN7 and to both enterprise and ICS techniques, including impact-relevant ICS behaviors. Local validation should determine which related techniques are relevant to the organization’s architecture and which telemetry sources are actually retained and searchable.
The supplied ATT&CK fields do not provide current activity claims, detailed procedures, indicators of compromise, guaranteed detections, or environment-specific impact. Tactics for the malware object itself are not specified, and several relationship descriptions are truncated. Any prioritization should be confirmed against local asset criticality, identity architecture, remote access exposure, backup maturity, and sector-specific operational dependencies.
REvil
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1486 | Data Encrypted for Impact | REvil can encrypt files on victim systems and demands a ransom to decrypt the files. [Kaspersky Sodin July 2019; Cylance Sodinokibi July 2019; Talos Sodinokibi April 2019; McAfee REvil October 2019; Intel 471 REvil March 2020; Picus Sodinokibi January 2020; Secureworks REvil September 2019; Tetra Defense Sodinokibi March 2020] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | REvil can use the Windows command line to delete volume shadow copies and disable recovery. [Cylance Sodinokibi July 2019; Talos Sodinokibi April 2019; Picus Sodinokibi January 2020; Secureworks REvil September 2019] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | REvil has used PowerShell to delete volume shadow copies and download files. [Secureworks GandCrab and REvil September 2019; Talos Sodinokibi April 2019; Intel 471 REvil March 2020; Group IB Ransomware May 2020] |
| Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique) | REvil has encrypted C2 communications with the ECIES algorithm. [Kaspersky Sodin July 2019] |
| Enterprise | T1055 | Process Injection | REvil can inject itself into running processes on a compromised host. [McAfee REvil October 2019] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | REvil can mimic the names of known executables. [Picus Sodinokibi January 2020] |
| Enterprise | T1112 | Modify Registry | REvil can modify the Registry to save encryption parameters and system information. [Cylance Sodinokibi July 2019; Secureworks GandCrab and REvil September 2019; McAfee Sodinokibi October 2019; Intel 471 REvil March 2020; Secureworks REvil September 2019] |
| Enterprise | T1485 | Data Destruction | REvil has the capability to destroy files and folders. [Kaspersky Sodin July 2019; Secureworks GandCrab and REvil September 2019; McAfee Sodinokibi October 2019; Intel 471 REvil March 2020; Picus Sodinokibi January 2020; Secureworks REvil September 2019] |
| Enterprise | T1012 | Query Registry | REvil can query the Registry to get random file extensions to append to encrypted files. [Secureworks REvil September 2019] |
| Enterprise | T1059.005 | Visual Basic (sub-technique) | REvil has used obfuscated VBA macros for execution. [G Data Sodinokibi June 2019; Picus Sodinokibi January 2020] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | REvil can exfiltrate host and malware information to C2 servers. [Secureworks REvil September 2019] |
| Enterprise | T1489 | Service Stop | REvil has the capability to stop services and kill processes. [Intel 471 REvil March 2020; Secureworks REvil September 2019] |
| Enterprise | T1082 | System Information Discovery | REvil can identify the username, machine name, system language, keyboard layout, and OS version on a compromised host. [Kaspersky Sodin July 2019; Cylance Sodinokibi July 2019; Secureworks GandCrab and REvil September 2019; McAfee Sodinokibi October 2019; Intel 471 REvil March 2020; Group IB Ransomware May 2020; Secureworks REvil September 2019] |
| Enterprise | T1106 | Native API | REvil can use Native API for execution and to retrieve active services. [Secureworks REvil September 2019; Intel 471 REvil March 2020] |
| Enterprise | T1204.002 | Malicious File (sub-technique) | REvil has been executed via malicious MS Word e-mail attachments. [G Data Sodinokibi June 2019; McAfee REvil October 2019; Picus Sodinokibi January 2020] |
| Enterprise | T1134.002 | Create Process with Token (sub-technique) | REvil can launch an instance of itself with administrative rights using runas. [Secureworks REvil September 2019] |
| Enterprise | T1685 | Disable or Modify Tools | REvil can connect to and disable the Symantec server on the victim's network. [Cylance Sodinokibi July 2019] |
| Enterprise | T1480.002 | Mutual Exclusion (sub-technique) | REvil attempts to create a mutex using a hard-coded value to ensure that no other instances of itself are running on the host. [SecureWorks September 2019] |
| Enterprise | T1083 | File and Directory Discovery | REvil has the ability to identify specific files and directories that are not to be encrypted. [Kaspersky Sodin July 2019; Cylance Sodinokibi July 2019; Secureworks GandCrab and REvil September 2019; McAfee Sodinokibi October 2019; Intel 471 REvil March 2020; Secureworks REvil September 2019] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | REvil has used encrypted strings and configuration files. [G Data Sodinokibi June 2019; Secureworks GandCrab and REvil September 2019; McAfee Sodinokibi October 2019; Intel 471 REvil March 2020; Group IB Ransomware May 2020; Picus Sodinokibi January 2020; Secureworks REvil September 2019] |
| Enterprise | T1189 | Drive-by Compromise | REvil has infected victim machines through compromised websites and exploit kits. [Secureworks REvil September 2019; McAfee Sodinokibi October 2019; Picus Sodinokibi January 2020; Secureworks GandCrab and REvil September 2019] |
| Enterprise | T1007 | System Service Discovery | REvil can enumerate active services. [Intel 471 REvil March 2020] |
| Enterprise | T1047 | Windows Management Instrumentation | REvil can use WMI to monitor for and kill specific processes listed in its configuration file. [Secureworks GandCrab and REvil September 2019; Group IB Ransomware May 2020] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | REvil can decode encrypted strings to enable execution of commands and payloads. [G Data Sodinokibi June 2019; Kaspersky Sodin July 2019; Cylance Sodinokibi July 2019; McAfee Sodinokibi October 2019; Intel 471 REvil March 2020; Secureworks REvil September 2019] |
| Enterprise | T1566.001 | Spearphishing Attachment (sub-technique) | REvil has been distributed via malicious e-mail attachments including MS Word documents. [G Data Sodinokibi June 2019; Cylance Sodinokibi July 2019; Secureworks REvil September 2019; McAfee Sodinokibi October 2019; Picus Sodinokibi January 2020] |
| Enterprise | T1105 | Ingress Tool Transfer | REvil can download a copy of itself from an attacker-controlled IP address to the victim machine. [Talos Sodinokibi April 2019; McAfee Sodinokibi October 2019; Picus Sodinokibi January 2020] |
| Enterprise | T1688 | Safe Mode Boot | REvil can force a reboot in safe mode with networking. [BleepingComputer REvil 2021] |
| Enterprise | T1680 | Local Storage Discovery | REvil can identify system drive information on a compromised host. [Kaspersky Sodin July 2019; Cylance Sodinokibi July 2019; Secureworks GandCrab and REvil September 2019; McAfee Sodinokibi October 2019; Intel 471 REvil March 2020; Group IB Ransomware May 2020; Secureworks REvil September 2019] |
| Enterprise | T1614.001 | System Language Discovery (sub-technique) | REvil can check the system language using |
| Enterprise | T1134.001 | Token Impersonation/Theft (sub-technique) | REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user. [McAfee Sodinokibi October 2019] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | REvil has used HTTP and HTTPS in communication with C2. [Cylance Sodinokibi July 2019; Secureworks GandCrab and REvil September 2019; McAfee Sodinokibi October 2019; Intel 471 REvil March 2020; Secureworks REvil September 2019] |
| Enterprise | T1069.002 | Domain Groups (sub-technique) | REvil can identify the domain membership of a compromised host. [Kaspersky Sodin July 2019; McAfee Sodinokibi October 2019; Secureworks REvil September 2019] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | REvil can mark its binary code for deletion after reboot. [Intel 471 REvil March 2020] |
| Enterprise | T1490 | Inhibit System Recovery | REvil can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features. [Kaspersky Sodin July 2019; Cylance Sodinokibi July 2019; Secureworks GandCrab and REvil September 2019; Talos Sodinokibi April 2019; McAfee Sodinokibi October 2019; Intel 471 REvil March 2020; Picus Sodinokibi January 2020; Secureworks REvil September 2019; Tetra Defense Sodinokibi March 2020] |
| Enterprise | T1027.011 | Fileless Storage (sub-technique) | REvil can save encryption parameters and system information in the Registry. [Cylance Sodinokibi July 2019; Secureworks GandCrab and REvil September 2019; McAfee Sodinokibi October 2019; Intel 471 REvil March 2020; Secureworks REvil September 2019] |
Groups, software, and campaigns
G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
G0115: GOLD SOUTHFIELD
GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high-value deployments. By early 2020, GOLD SOUTHFIELD started capitalizing on the new trend of stealing data and further extorting the victim to pay so that their data is not publicly leaked.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.3 | | Current bundle | 9956d73492ac… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Secureworks REvil September 2019: Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
- [2] Intel 471 REvil March 2020: Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service: An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
- [3] Group IB Ransomware May 2020: Group IB. (2020, May). Ransomware Uncovered: Attackers' Latest Methods. Retrieved August 5, 2020.
- [4] Cylance Sodinokibi July 2019: Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
- [5] G Data Sodinokibi June 2019: Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.
- [6] Kaspersky Sodin July 2019: Mamedov, O., et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
- [7] McAfee REvil October 2019: Saavedra-Morales, J., et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service: Crescendo. Retrieved August 5, 2020.
- [8] McAfee Sodinokibi October 2019: McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service: What The Code Tells Us. Retrieved August 4, 2020.
- [9] Picus Sodinokibi January 2020: Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
- [10] Secureworks GandCrab and REvil September 2019: Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
- [11] Sodin (alias): cited in Intel 471 REvil March 2020; Kaspersky Sodin July 2019.
- [12] Sodinokibi (alias): cited in Secureworks REvil September 2019; Intel 471 REvil March 2020; G Data Sodinokibi June 2019; Kaspersky Sodin July 2019; Cylance Sodinokibi July 2019; Secureworks GandCrab and REvil September 2019; Talos Sodinokibi April 2019; McAfee Sodinokibi October 2019; McAfee REvil October 2019; Picus Sodinokibi January 2020; Tetra Defense Sodinokibi March 2020.
- [13] Talos Sodinokibi April 2019: Cadieux, P., et al. (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
- [14] Tetra Defense Sodinokibi March 2020: Tetra Defense. (2020, March). Cause and Effect: Sodinokibi Ransomware Analysis. Retrieved November 17, 2024.
- [15] mitre-attack S0496: MITRE ATT&CK source record for this object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.