Threat Actor Profile
Description
The Sodinokibi ransomware group, also known as REvil (Ransomware Evil), operates under a ransomware-as-a-service (RaaS) model. After compromising its victims, the group would threaten to publish the victim's sensitive data on its darknet blog, named 'Happy Blog', unless the ransom was paid. The ransomware code used by REvil is very similar to the ransomware code used by DarkSide, a different threat actor. The REvil group claimed to have stolen confidential schematics of upcoming products after a successful attack on a supplier of the tech giant Apple.
Confidence Score
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'Sodinokibi ransomware group also known as REvil (Ransomware '
'Evil) operates as a ransomware-as-a-service (RaaS) model. '
'After the group compromised his victims, they would threaten '
"to publish the victim's sensitive data on their darknet blog "
"named 'Happy Blog', unless the ransom is paid. The ransomware "
'malware code used by REvil is pretty similar to the '
'ransomware code used by DarkSide - a different threat actor. '
'REvil group claims to steal information after a successful '
'attack on the supplier of the tech giant Apple and stole '
'confidential schematics of their upcoming products.',
'firstseen': '2019-08-26T00:00:00+00:00',
'group': 'revil',
'has_negotiations': True,
'has_ransomnote': True,
'lastseen': '2022-11-28T20:34:41.644515+00:00',
'locations': [{'available': False,
'fqdn': 'blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion',
'slug': 'http://blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion/',
'title': 'Blog',
'type': 'DLS'},
{'available': False,
'fqdn': 'dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion',
'slug': 'http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/',
'title': '404 Not Found',
'type': 'DLS'},
{'available': False,
'fqdn': 'aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion',
'slug': 'http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/',
'title': '404 Not Found',
'type': 'Chat'}],
'negotiation_count': 20,
'ransomnotes_count': 3,
'tiaras_metadata': {'has_negotiations': True,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion',
'slug': 'http://blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion/',
'title': 'Blog',
'type': 'DLS'},
{'available': False,
'fqdn': 'dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion',
'slug': 'http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/',
'title': '404 Not Found',
'type': 'DLS'},
{'available': False,
'fqdn': 'aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion',
'slug': 'http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/',
'title': '404 Not Found',
'type': 'Chat'}],
'negotiation_count': 20,
'ransomnotes_count': 3,
'ransomware_live_group': 'revil',
'tools': {'CredentialTheft': [],
'DefenseEvasion': [],
'DiscoveryEnum': ['AdFind', 'Bloodhound'],
'Exfiltration': ['PrivatLab',
'RClone',
'Sendspace'],
'LOLBAS': ['BITSAdmin'],
'Networking': [],
'Offsec': ['Cobalt Strike'],
'RMM-Tools': []},
'url': 'https://www.ransomware.live/group/revil',
'victims': 96,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': [],
'DefenseEvasion': [],
'DiscoveryEnum': ['AdFind', 'Bloodhound'],
'Exfiltration': ['PrivatLab', 'RClone', 'Sendspace'],
'LOLBAS': ['BITSAdmin'],
'Networking': [],
'Offsec': ['Cobalt Strike'],
'RMM-Tools': []},
'ttps': [],
'url': 'https://www.ransomware.live/group/revil',
'victims': 96,
'vulnerabilities': []}