Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0496: REvil

REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which as been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[1][2][3]

EnterpriseS0496MalwareObject v2.3 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

REvil is a Windows ransomware family described by ATT&CK as a configurable ransomware-as-a-service operation since at least April 2019, linked to GOLD SOUTHFIELD and used in activity affecting manufacturing, transportation, and electric-sector organizations. Its business significance is not only encryption: the ATT&CK relationships show behaviors tied to execution, discovery, stealth, exfiltration, remote services, service stopping, and ICS-relevant loss of productivity and revenue. Leaders should treat REvil coverage as a practical test of ransomware resilience across endpoints, identity, remote access, backups, incident response, and operational continuity.

Executive priority

Prioritize REvil as a resilience and readiness scenario rather than a single malware signature. The supplied ATT&CK context connects it to financially motivated groups, RaaS operations, Windows environments, and sectors where IT disruption can affect operational productivity. Executives should ask whether the organization can prove: critical Windows systems are monitored, privileged/domain group discovery is visible, remote service use is controlled, service-stopping activity is investigated quickly, exfiltration over common channels is detectable, and recovery plans cover manufacturing, transportation, electric, or other operational dependencies where relevant.

Technical view

SOC and IR teams should validate coverage against the related ATT&CK behaviors: PowerShell, Windows Command Shell, Visual Basic, WMI execution, process injection, registry queries, system service discovery, domain group discovery, masquerading, encoded or fileless storage, exfiltration over C2 channels, remote services, and service stop activity. Because ATT&CK provides no official detection text for this software object, detection engineering should be behavior-led and mapped to the associated techniques rather than relying only on malware names such as REvil, Sodin, or Sodinokibi.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • PowerShell script block, module, and operational logs where available
  • WMI activity logs and remote execution evidence
  • Windows Registry access and modification telemetry
  • Service control events, service stop events, and system service inventory changes

Detection direction

  • Build detections around chains of behavior: script or shell execution followed by discovery, registry queries, service enumeration, remote service use, service stopping, suspicious file activity, and outbound transfer patterns.
  • Tune administrative-tool detections carefully because PowerShell, WMI, command shell, service control, and remote services have legitimate uses; prioritize unusual parent-child processes, new hosts, unusual accounts, off-hours execution, or activity against high-value systems.
  • Validate visibility for stealth-related behaviors in the relationships, including process injection, encoded files, fileless storage, and masquerading with legitimate resource names or locations.
  • Correlate endpoint and identity telemetry for domain group discovery, especially where enumeration precedes lateral movement or privilege-focused activity.
  • For environments with operational technology dependencies, test whether SOC workflows can connect Windows ransomware behavior to ICS impacts such as service disruption, loss of productivity, or operational information theft.

Mitigation priorities

  • Start with resilience controls: tested offline or protected backups, recovery runbooks, and business-continuity plans for Windows-dependent operations.
  • Reduce execution risk by hardening and monitoring script interpreters and administrative execution paths such as PowerShell, command shell, Visual Basic, and WMI.
  • Limit blast radius through least privilege, privileged group governance, domain group monitoring, and segmentation between user, server, and operational environments where applicable.
  • Control and monitor remote services used for administration or lateral movement, with strong authentication and logging.
  • Protect critical services from unauthorized stopping or tampering and ensure alerts for service disruption are routed to responders with business context.
Analyst notes and limits

This take is based on ATT&CK S0496 REvil, its official description, external references, and supplied relationships. The object is a malware/software entry for Windows, with no official ATT&CK detection guidance. Relationships link REvil to GOLD SOUTHFIELD and FIN7 and to both enterprise and ICS techniques, including impact-relevant ICS behaviors. Local validation should determine which related techniques are relevant to the organization’s architecture and which telemetry sources are actually retained and searchable.

The supplied ATT&CK fields do not provide current activity claims, detailed procedures, indicators of compromise, guaranteed detections, or environment-specific impact. Tactics for the malware object itself are not specified, and several relationship descriptions are truncated. Any prioritization should be confirmed against local asset criticality, identity architecture, remote access exposure, backup maturity, and sector-specific operational dependencies.

Official MITRE ATT&CK definition

REvil

REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which as been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

35 rows
Domain ID Name Relationship / procedure
Enterprise T1486 Data Encrypted for Impact

REvil can encrypt files on victim systems and demands a ransom to decrypt the files.[4][5][6][7][2][8][1][9]
Enterprise T1059.003 Windows Command Shell Sub-technique

REvil can use the Windows command line to delete volume shadow copies and disable recovery.[5][6][8][1]
Enterprise T1059.001 PowerShell Sub-technique

REvil has used PowerShell to delete volume shadow copies and download files.[10][6][2][3]
Enterprise T1573.002 Asymmetric Cryptography Sub-technique

REvil has encrypted C2 communications with the ECIES algorithm.[4]
Enterprise T1055 Process Injection

REvil can inject itself into running processes on a compromised host.[7]
Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

REvil can mimic the names of known executables.[8]
Enterprise T1112 Modify Registry

REvil can modify the Registry to save encryption parameters and system information.[5][10][11][2][1]
Enterprise T1485 Data Destruction

REvil has the capability to destroy files and folders.[4][10][11][11][2][8][1]
Enterprise T1012 Query Registry

REvil can query the Registry to get random file extensions to append to encrypted files.[1]
Enterprise T1059.005 Visual Basic Sub-technique

REvil has used obfuscated VBA macros for execution.[12][8]
Enterprise T1041 Exfiltration Over C2 Channel

REvil can exfiltrate host and malware information to C2 servers.[1]
Enterprise T1489 Service Stop

REvil has the capability to stop services and kill processes.[2][1]
Enterprise T1082 System Information Discovery

REvil can identify the username, machine name, system language, keyboard layout, and OS version on a compromised host.[4][5][10][11][11][2][3][1]
Enterprise T1106 Native API

REvil can use Native API for execution and to retrieve active services.[1][2]
Enterprise T1204.002 Malicious File Sub-technique

REvil has been executed via malicious MS Word e-mail attachments.[12][7][8]
Enterprise T1134.002 Create Process with Token Sub-technique

REvil can launch an instance of itself with administrative rights using runas.[1]
Enterprise T1685 Disable or Modify Tools

REvil can connect to and disable the Symantec server on the victim's network.[5]
Enterprise T1480.002 Mutual Exclusion Sub-technique

REvil attempts to create a mutex using a hard-coded value to ensure that no other instances of itself are running on the host.CitationSecureWorks September 2019
Enterprise T1083 File and Directory Discovery

REvil has the ability to identify specific files and directories that are not to be encrypted.[4][5][10][11][2][1]
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

REvil has used encrypted strings and configuration files.[12][10][11][2][3][8][1]
Enterprise T1189 Drive-by Compromise

REvil has infected victim machines through compromised websites and exploit kits.[1][11][8][10]
Enterprise T1007 System Service Discovery

REvil can enumerate active services.[2]
Enterprise T1047 Windows Management Instrumentation

REvil can use WMI to monitor for and kill specific processes listed in its configuration file.[10][3]
Enterprise T1140 Deobfuscate/Decode Files or Information

REvil can decode encrypted strings to enable execution of commands and payloads.[12][4][5][11][2][1]
Enterprise T1566.001 Spearphishing Attachment Sub-technique

REvil has been distributed via malicious e-mail attachments including MS Word Documents.[12][5][1][11][8]
Enterprise T1105 Ingress Tool Transfer

REvil can download a copy of itself from an attacker controlled IP address to the victim machine.[6][11][8]
Enterprise T1688 Safe Mode Boot

REvil can force a reboot in safe mode with networking.CitationBleepingComputer REvil 2021
Enterprise T1680 Local Storage Discovery

REvil can identify system drive information on a compromised host.[4][5][10][11][11][2][3][1]
Enterprise T1614.001 System Language Discovery Sub-technique

REvil can check the system language using GetUserDefaultUILanguage and GetSystemDefaultUILanguage. If the language is found in the list, the process terminates.[4]
Enterprise T1134.001 Token Impersonation/Theft Sub-technique

REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.[11]
Enterprise T1071.001 Web Protocols Sub-technique

REvil has used HTTP and HTTPS in communication with C2.[5][10][11][2][1]
Enterprise T1069.002 Domain Groups Sub-technique

REvil can identify the domain membership of a compromised host.[4][11][1]
Enterprise T1070.004 File Deletion Sub-technique

REvil can mark its binary code for deletion after reboot.[2]
Enterprise T1490 Inhibit System Recovery

REvil can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features.[4][5][10][6][11][2][8][1][9]
Enterprise T1027.011 Fileless Storage Sub-technique

REvil can save encryption parameters and system information in the Registry.[5][10][11][2][1]
Associated objects

Groups, software, and campaigns

Group Enterprise

G0046: FIN7

FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]

Group Enterprise

G0115: GOLD SOUTHFIELD

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, GOLD SOUTHFIELD started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.[1][2][3][4]

Relationship explorer

All related ATT&CK context

uses · Technique T1486: Data Encrypted for Impact Enterprise uses · Technique T1059.003: Windows Command Shell Enterprise uses · Technique T1059.001: PowerShell Enterprise uses · Technique T1573.002: Asymmetric Cryptography Enterprise uses · Technique T1055: Process Injection Enterprise uses · Technique T1036.005: Match Legitimate Resource Name or Location Enterprise uses · Technique T1112: Modify Registry Enterprise uses · Technique T1485: Data Destruction Enterprise uses · Technique T1012: Query Registry Enterprise uses · Technique T1059.005: Visual Basic Enterprise uses · Technique T1041: Exfiltration Over C2 Channel Enterprise uses · Technique T1489: Service Stop Enterprise uses · Technique T1082: System Information Discovery Enterprise uses · Technique T1106: Native API Enterprise uses · Technique T1204.002: Malicious File Enterprise uses · Group G0046: FIN7 Enterprise uses · Technique T1134.002: Create Process with Token Enterprise uses · Technique T1685: Disable or Modify Tools Enterprise uses · Technique T1480.002: Mutual Exclusion Enterprise uses · Technique T1083: File and Directory Discovery Enterprise uses · Technique T1027.013: Encrypted/Encoded File Enterprise uses · Technique T1189: Drive-by Compromise Enterprise uses · Technique T1007: System Service Discovery Enterprise uses · Technique T1047: Windows Management Instrumentation Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.3
Created
Modified
Raw hash
9956d73492ac6a37...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.3 Current bundle 9956d73492ac…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Secureworks REvil September 2019

    Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.

    Open source URL
  2. [2]
    Intel 471 REvil March 2020

    Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.

    Open source URL
  3. [3]
    Group IB Ransomware May 2020

    Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.

    Open source URL
  4. [4]
    Kaspersky Sodin July 2019

    Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.

    Open source URL
  5. [5]
    Cylance Sodinokibi July 2019

    Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.

    Open source URL
  6. [6]
    Talos Sodinokibi April 2019

    Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.

    Open source URL
  7. [7]
    McAfee REvil October 2019

    Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020.

    Open source URL
  8. [8]
    Picus Sodinokibi January 2020

    Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.

    Open source URL
  9. [9]
    Tetra Defense Sodinokibi March 2020

    Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved November 17, 2024.

    Open source URL
  10. [10]
    Secureworks GandCrab and REvil September 2019

    Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.

    Open source URL
  11. [11]
    McAfee Sodinokibi October 2019

    McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.

    Open source URL
  12. [12]
    G Data Sodinokibi June 2019

    Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.

    Open source URL
  13. [13]
    Sodin

    (Citation: Intel 471 REvil March 2020)(Citation: Kaspersky Sodin July 2019)

  14. [14]
    Sodinokibi

    (Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: G Data Sodinokibi June 2019)(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee REvil October 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)(Citation: Tetra Defense Sodinokibi March 2020)

  15. [15]
    mitre-attack S0496
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use