What is REvil Ransomware? How to Protect Your Organization Against it.

In the first half of 2024 alone, over 2,570 ransomware attacks were reported—averaging more than 14 daily attacks (Rapid7). Cybercrime experts warn that by 2031, a ransomware attack will occur every 2 seconds.

In a significant international operation, Russia’s Federal Security Service (FSB) arrested several members of the REvil ransomware group, one of the world’s most notorious cybercriminal organizations. REvil was responsible for high-profile ransomware attacks on businesses and critical infrastructure worldwide, extorting millions by encrypting victims’ data and demanding ransom payments, often threatening to leak sensitive information.

Despite this takedown, ransomware remains a persistent and evolving threat. Cybercriminal organizations often rebrand, regroup, and develop new attack methods.

In this blog, we’ll explore the details of the REvil arrests, examine why this takedown is significant for cybersecurity, and discuss how organizations should strengthen their security strategies to stay protected against evolving ransomware threats.

Understanding REvil Ransomware Scam

REvil (Ransomware Evil) was a highly sophisticated ransomware-as-a-service (RaaS) operation, allowing cybercriminals to rent their ransomware tools in exchange for a share of the ransom payments. The group first emerged in 2019 and quickly became one of the most aggressive ransomware gangs in history.

Check out our article “What is Ransomware?” for an in-depth look at ransomware and how it operates.

Also, read our blog on Ransomware in 2025: Lessons from Locy and Modern Defense Strategies for further details on modern strategies.

How REvil Ransomware Work?

REvil used double extortion tactics, meaning they didn’t just encrypt victims' files but also stole sensitive data. If victims refused to pay, REvil would threaten to leak the stolen information online. This tactic pressured organizations into paying, even if they could recover their data from backups.

Key elements of the REvil ransomware scam included:

• Targeting high-profile businesses and critical infrastructure to demand massive ransoms.
• Spreading through phishing emails, software vulnerabilities, and remote desktop protocol (RDP) attacks.
• Demanding payments in cryptocurrency, making transactions harder to trace.
• Selling access to their ransomware on underground forums, enabling cybercriminals worldwide to launch attacks.

Notorious REvil Attacks

REvil was responsible for some of the most damaging cyberattacks, including:

• JBS Foods (2021) – The world’s largest meat supplier was forced to pay an $11 million ransom after REvil shut down its operations.
• Kaseya (2021) – A supply chain attack on IT management company Kaseya impacted up to 1,500 businesses worldwide.
• Travelex (2020) – A ransomware attack crippled the foreign exchange company, forcing it into administration.

Despite the recent arrests of REvil members, ransomware remains a major cybersecurity threat. Cybercriminals regroup under new names, refining their tactics to exploit businesses and individuals.

Organizations must remain vigilant by implementing strong security awareness training, phishing simulations, and incident response strategies.

Inside the REvil Ransomware Takedown

In January 2022, Russia’s Federal Security Service (FSB) conducted raids across Moscow and St. Petersburg, dismantling the REvil ransomware group. The operation resulted in 14 arrests and the seizure of $5.6 million in assets, including 426 million rubles, $600,000 in cryptocurrency, €500,000 in cash, and 20 luxury cars purchased with ransomware profits.

This crackdown was initiated at the request of U.S. authorities, following intelligence shared by U.S. law enforcement linking REvil to cyber extortion against American businesses. The FSB later declared that REvil had “ceased to exist,” but none of the arrested individuals will be extradited to the United States (Source: BankInfoSecurity).

While this takedown is a major victory, ransomware groups are known to rebrand and evolve. The case highlights the importance of international cooperation in combating cybercrime, as well as the need for businesses to remain vigilant against emerging threats.

How to Protect Your Organization Against REvil Ransomware?

The fall of REvil is a warning, not a solution. Companies must take proactive steps to strengthen their security and reduce ransomware risks.

1. Prioritize Adaptive Security Awareness and Training

Employees remain the first line of defense against cyber threats, but traditional security awareness training is no longer enough. Adaptive training powered by AI, behavioral nudges, and gamification can significantly enhance engagement and retention. This approach:

• Uses AI-driven learning paths tailored to individual employee risk levels.
• Incorporates real-time behavioral nudges to reinforce security best practices.
• Engages employees with gamification elements, making cybersecurity training more interactive and effective.

With attackers constantly evolving, security awareness training must evolve too. Check out Keepnet Security Awareness Training to equip your team with the latest defense strategies.

2. Use Threat Intelligence Tools

Staying ahead of cyber threats requires real-time threat intelligence to detect risks before they escalate. These tools help organizations identify breached credentials, monitor domain exposure, and track evolving attack methods.

Key Benefits:

• Breach Detection – Identify compromised passwords and exposed email addresses.
• Continuous Monitoring – Get real-time alerts on emerging threats.
• Seamless Integration – Connect with existing security systems and SIEM solutions.
• Privacy Protection – Encrypted searches ensure data security.

Check if your company’s data is compromised with Keepnet Threat Intelligence.

3. Implement Incident Response Solutions

A fast response can prevent ransomware from spreading and causing serious damage. Without an efficient system, threats may go undetected, increasing the risk of a breach. Incident Responder tools enable employees to report suspicious emails instantly, allowing security teams to act quickly.

Keepnet Incident Responder enhances threat management by:

• Detecting and analyzing threats 48.6x faster with AI and 20+ analysis engines.
• Automatically investigating and removing threats from thousands of inboxes in minutes.
• Seamlessly integrating with major email platforms like Office 365 and Google Workspace.

A strong incident response system helps organizations stay ahead of evolving cyber threats.

4. Conduct Regular Phishing Simulations

Phishing remains the primary entry point for ransomware attacks, making real-world training essential. Adaptive phishing simulations help employees recognize and respond to threats by adjusting difficulty levels based on user behavior.

Keepnet Phishing Simulator enhances security awareness by:

• Using AI-powered simulations to mimic real-world phishing attacks.
• Adapting training to employee behavior, improving learning effectiveness.
• Increasing phishing reporting rates by up to 92%, reducing human risk.

Proactive phishing training strengthens an organization’s resilience against evolving cyber threats.

5. Develop and Test a Ransomware Response Plan

No defense is foolproof—ransomware can still breach even the most secure systems. A well-prepared ransomware response plan ensures a swift recovery and minimizes damage. Organizations should:

• Maintain secure data backups to restore critical files without paying ransom.
• Establish clear incident response protocols to contain and mitigate attacks.
• Regularly test recovery steps to ensure a fast and effective response.

A strong, tested plan reduces downtime, protects data, and keeps business operations running smoothly.

Please also check our article on Ransomware 2025 and modern defense strategies.

The Bigger Picture: Cybersecurity Beyond REvil

The REvil arrests demonstrate progress in the fight against cybercrime, but ransomware groups will continue to evolve. New threats will emerge, and cybercriminals will adapt their tactics to bypass defenses.

To stay protected, organizations must take a proactive approach by:

• Providing ongoing security awareness training to keep employees informed on evolving threats.
• Strengthening incident response strategies to detect and contain attacks faster.
• Leveraging advanced cybersecurity tools to identify and mitigate risks in real-time.

Building a resilient security culture requires continuous training, simulation, and automated response.

Keepnet’s Extended Human Risk Management platform helps organizations combat employee-driven threats, insider risks, and social engineering through AI-driven phishing simulations, adaptive training, and automated phishing response—ensuring long-term protection against cyber threats.

This blog post was updated on February 25, 2025.