The German Federal Criminal Police Office (Bundeskriminalamt or BKA) has dealt a significant blow to the legacy of the REvil (Sodinokibi) ransomware-as-a-service (RaaS) operation by unmasking the real identity of a key threat actor known by the alias "UNKN." This actor served as a primary representative for the group, actively advertising their encryption-based cyber incident services on the XSS cybercrime forum as far back as June 2019.
While the REvil infrastructure was largely dismantled in previous years, this identification is not just historical closure; it is a stark reminder of the persistence of RaaS economics. For defenders, this news reinforces the reality that the "service" side of ransomware—the marketing, recruitment, and affiliate management—creates a resilient attack surface. This analysis breaks down the REvil RaaS model and provides critical defensive strategies to protect your organization from similar "encryption-as-a-service" threats.
Technical Analysis
While this specific intelligence report focuses on attribution rather than a new vulnerability disclosure, understanding the technical mechanics of the REvil operation that "UNKN" supported is vital for defense.
The RaaS Operational Model
- Affiliate Structure: REvil operated strictly as a RaaS. Core developers built the encryption binary and payment portal, while affiliates (like those recruited by UNKN) conducted the initial intrusion and lateral movement.
- Attack Vector (Historical Context): REvil affiliates historically exploited vulnerabilities in on-premise VPN appliances (e.g., Fortinet, Pulse Secure) and Microsoft Exchange servers (ProxyShell). The "encryption-based cyber incident" advertised by UNKN was the final payload stage of a multi-week intrusion.
- The Role of UNKN: As a representative, UNKN operated on the XSS forum to vet affiliates. From a defensive perspective, this highlights that an intrusion likely originated with an "Initial Access Broker" (IAB) who sold network access to a REvil affiliate. This supply chain (IAB -> Affiliate -> Core Developer) creates multiple detection opportunities.
Impact and Severity
The BKA has linked UNKN and the REvil operation to at least 130 attacks within Germany alone. Globally, this group was responsible for hundreds of millions of dollars in damages. The severity lies in the sophistication of the encryption routine and the aggressive double-extortion tactics (encrypting files + threatening to leak data) that UNKN helped market.
Executive Takeaways
Given the strategic nature of this attribution news, specific IOCs (Indicators of Compromise) are not the primary deliverable here. Instead, defenders must adjust their organizational posture to account for the enduring RaaS model.
- Disrupt the Initial Access Broker (IAB) Economy: Since REvil relied on affiliates buying access, your perimeter defense is your primary control. Prioritize patching of internet-facing assets (VPN, RDP, email) immediately. If IABs cannot sell access to your network, RaaS affiliates cannot deploy the payload.
- Assume Identity Compromise: RaaS affiliates frequently use valid credentials to move laterally once inside. Implement strict Privileged Access Management (PAM) and enforce phishing-resistant MFA (FIDO2) to limit the blast radius if an IAB sells a working credential for your network.
- Focus on Backup Immutability: REvil's primary value proposition was "guaranteed" encryption. The only reliable remediation for a successful REvil-style attack is an immutable backup that the attacker can neither encrypt nor delete. Test restore procedures monthly.
- Telemetry Over Prevention: You cannot prevent every phishing email or zero-day, but you must detect the activity that follows. Ensure your SIEM ingests the logs that catch lateral movement (e.g., Windows Security events 4624/4625, PowerShell script block logging) rather than relying only on endpoint antivirus to catch the final payload.
- Supply Chain Risk Assessment: Acknowledge that your attackers may be purchasing services just as you do. Threat intelligence should track forums (like XSS) and marketplaces to learn when new "products" or RaaS offerings are being advertised, so you can preemptively adjust your threat models.
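As an added example (not part of the original post), the following Python shows what "catching lateral movement in 4624 logs" looks like in practice: it flags an account whose remote logons (type 3 network, type 10 RDP) fan out to several distinct hosts inside a short window, the pattern left by an affiliate reusing one stolen credential. The events, hostnames, account names and thresholds are constructed samples, not telemetry from any real incident.

```python
# Added example, not from the original post: minimal fan-out detector over
# constructed Windows Security 4624 (successful logon) events.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Logon types: 2 = console,
# 3 = network (SMB/WMI/PsExec-style), 10 = RemoteInteractive (RDP).
EVENTS = [
    {"time": "2024-05-01T02:00:00", "computer": "FS01",  "account": "svc_backup", "logon_type": 3,  "src_ip": "10.0.5.23"},
    {"time": "2024-05-01T02:01:10", "computer": "DC01",  "account": "svc_backup", "logon_type": 3,  "src_ip": "10.0.5.23"},
    {"time": "2024-05-01T02:02:05", "computer": "APP02", "account": "svc_backup", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"time": "2024-05-01T02:03:40", "computer": "SQL01", "account": "svc_backup", "logon_type": 3,  "src_ip": "10.0.5.23"},
    {"time": "2024-05-01T09:15:00", "computer": "WS117", "account": "jdoe",       "logon_type": 2,  "src_ip": "-"},
    {"time": "2024-05-01T09:20:00", "computer": "FS01",  "account": "jdoe",       "logon_type": 3,  "src_ip": "10.0.7.44"},
]

def fan_out_accounts(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {account: sorted hosts} for every account with remote logons to
    at least min_hosts distinct computers inside any sliding window.
    Console logons (type 2) are ignored: they are not lateral movement."""
    by_account = defaultdict(list)
    for e in events:
        if e["logon_type"] in (3, 10):
            by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["computer"]))
    flagged = {}
    for account, logons in by_account.items():
        logons.sort()  # chronological; tuples sort by timestamp first
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged

if __name__ == "__main__":
    for account, hosts in fan_out_accounts(EVENTS).items():
        print(f"[!] {account} reached {len(hosts)} hosts within 10 minutes: {hosts}")
```

The same logic maps directly onto a SIEM query: group 4624 events by account, count distinct Computer values per window, and alert above a threshold tuned for your service accounts.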
Detection & Response
Sigma Rules
title: Potential Shadow Copy Deletion via Vssadmin
id: 9e2c5653-9e4a-4f9e-9b5a-1b1b1b1b1b1b
status: experimental
description: Detects the execution of vssadmin with arguments to delete shadow copies, a common step in ransomware operations like REvil to prevent recovery of encrypted files.
references:
  - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2026/04/06
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\vssadmin.exe'
    # 'all' is required: a plain contains list is OR'ed and would also fire on
    # benign "vssadmin list shadows"
    CommandLine|contains|all:
      - 'delete'
      - 'shadows'
  condition: selection
falsepositives:
  - System administration
  - Backup software maintenance
level: high
---
title: Suspicious File Decode via Certutil
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the use of certutil to decode files, a technique often used by RaaS affiliates like REvil to download and decrypt payloads or configuration files on a compromised host.
references:
  - https://attack.mitre.org/techniques/T1140/
author: Security Arsenal
date: 2026/04/06
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\certutil.exe'
    # Either switch spelling is suspicious, so OR semantics is intended here
    CommandLine|contains:
      - '-decode'
      - '/decode'
  condition: selection
falsepositives:
  - Legitimate software installation or system administration scripts
level: medium
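To make the matching semantics of the two selections concrete, here is an added Python example (not part of the original post, and not a Sigma engine) that applies the `Image|endswith` and `CommandLine|contains` logic to constructed process-creation events. It contrasts a plain `contains` list, which Sigma evaluates as OR, with `contains|all`, which is what the vssadmin rule needs so that a routine `vssadmin list shadows` does not alert; all event records are constructed samples.

```python
# Added example, not from the original post: evaluates the Sigma-style
# selections above against constructed Windows process_creation events.
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    image: str          # full path of the started process
    command_line: str   # its command line

def matches(event: ProcessEvent, image_suffix: str, terms: list, require_all: bool) -> bool:
    """Image|endswith plus CommandLine|contains (OR) or contains|all (AND).
    Sigma string matching is case-insensitive, so everything is lower-cased."""
    if not event.image.lower().endswith(image_suffix.lower()):
        return False
    cmd = event.command_line.lower()
    hits = [t.lower() in cmd for t in terms]
    return all(hits) if require_all else any(hits)

# Constructed sample events: a benign admin query, a destructive deletion,
# a decode of a dropped file, and a benign certificate check.
EVENTS = [
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe", "certutil -decode payload.b64 out.exe"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe", "certutil -verify cert.cer"),
]

def vssadmin_alerts(require_all: bool) -> list:
    """Command lines the vssadmin rule would alert on under OR vs. AND semantics."""
    return [e.command_line for e in EVENTS
            if matches(e, r"\vssadmin.exe", ["delete", "shadows"], require_all)]

def certutil_alerts() -> list:
    """The certutil rule lists two spellings of one switch, so OR is the intent."""
    return [e.command_line for e in EVENTS
            if matches(e, r"\certutil.exe", ["-decode", "/decode"], require_all=False)]

if __name__ == "__main__":
    print("contains (OR):    ", vssadmin_alerts(require_all=False))  # includes the benign 'list shadows'
    print("contains|all (AND):", vssadmin_alerts(require_all=True))
    print("certutil decode:  ", certutil_alerts())
```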
KQL — Microsoft Sentinel / Defender
// Hunt for REvil (Sodinokibi) Affiliate Behavior
// Correlates common payload delivery mechanisms (LOLBins) with defense evasion
// tactics (Shadow Copy deletion) often used by RaaS operators before encryption.
let TimeFrame = 24h;
let PayloadDelivery = DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ ("certutil.exe", "bitsadmin.exe", "powershell.exe", "cmd.exe", "mshta.exe")
| where ProcessCommandLine has_any ("urlcache", "transfer", "downloadfile", "downloadstring", "iex ", "invoke-webrequest", "hidden")
| project DeliveryTime=Timestamp, DeviceName, DeliveryCommand=ProcessCommandLine, AccountName, InitiatingProcessFileName;
let DefenseEvasion = DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ ("vssadmin.exe", "wmic.exe", "powershell.exe", "cmd.exe", "net.exe")
| where ProcessCommandLine has_any ("delete shadows", "delete shadowstorage", "resize shadowstorage", "stop", "disabled", "Set-MpPreference", "Add-MpPreference")
| project EvasionTime=Timestamp, DeviceName, EvasionCommand=ProcessCommandLine, FileName;
PayloadDelivery
| join kind=inner (DefenseEvasion) on DeviceName
| where EvasionTime > DeliveryTime and (EvasionTime - DeliveryTime) <= 15m
| project DeliveryTime, DeviceName, AccountName, DeliveryCommand, EvasionTime, EvasionCommand
| order by DeliveryTime desc
Velociraptor VQL
name: Hunt.REvil.RaaS.UNKN
description: |
  Incident Response hunt for REvil (Sodinokibi) RaaS indicators attributed
  to actor "UNKN". This artifact scans for ransom notes, payloads in
  suspicious directories, processes executing backup deletion commands,
  and established network connections to pivot on.
sources:
  - name: FileSystemScan
    description: |
      Hunts for REvil ransom notes (*.README.txt) and executables dropped in
      common persistence paths (AppData, ProgramData) often used by affiliates.
    query: |
      SELECT OSPath, Size, Mtime
      FROM glob(globs=[
        "C:\\Users\\*\\*.README.txt",
        "C:\\Users\\*\\AppData\\Roaming\\*.exe",
        "C:\\Users\\*\\AppData\\Local\\Temp\\*.exe",
        "C:\\ProgramData\\*.exe"
      ])
      -- glob() already returns Mtime; keep only files touched in the last 30 days
      WHERE Mtime > timestamp(epoch=now() - 30 * 24 * 60 * 60)
  - name: ProcessAnalysis
    description: |
      Identifies running REvil payloads or affiliate tools: binaries executing
      from user-writable profile or ProgramData paths, and processes deleting
      shadow copies (vssadmin) or backup catalogs (wbadmin).
    query: |
      SELECT Pid, Ppid, Name, Exe, CommandLine, Username
      FROM pslist()
      -- Triple-quoted strings are raw, so the regex backslashes stay literal
      WHERE Exe =~ '''(?i)^C:\\(Users|ProgramData)\\'''
         OR (CommandLine =~ "(?i)vssadmin" AND CommandLine =~ "(?i)delete")
         OR (CommandLine =~ "(?i)wbadmin" AND CommandLine =~ "(?i)delete")
  - name: NetworkConnections
    description: |
      Lists established connections to non-loopback addresses so the Pid can
      be pivoted against the ProcessAnalysis results for potential C2 beacons.
    query: |
      SELECT Pid, FamilyString AS Family, Status,
             Laddr.IP AS LocalAddr, Laddr.Port AS LocalPort,
             Raddr.IP AS RemoteAddr, Raddr.Port AS RemotePort
      FROM netstat()
      WHERE Status =~ "ESTAB"
        AND Raddr.IP != "127.0.0.1"
        AND Raddr.IP != "::1"
        AND Pid != 0
Remediation Script
<#
.SYNOPSIS
    REvil (Sodinokibi) Incident Response and Hardening Script
.DESCRIPTION
    This script hunts for indicators of compromise (IOCs) associated with the REvil RaaS operation,
    checks for vulnerabilities historically exploited by REvil affiliates (ProxyShell, PrintNightmare),
    and enforces hardening measures to prevent initial access (RDP, SMBv1).
#>
#Requires -RunAsAdministrator

function Invoke-RevilCheck {
    Write-Host "[*] Starting REvil (Sodinokibi) Threat Hunt and Hardening..." -ForegroundColor Cyan

    # 1. HUNT FOR REvil FILE IOCs
    # REvil typically drops a ransom note (often named __README__.txt or similar)
    # and appends a random or specific extension to encrypted files (e.g., .fvejg, .dwkfr, .a6b0c, .revil)
    Write-Host "`n[*] Checking for REvil File IOCs..." -ForegroundColor Yellow
    $extensions  = @("*.fvejg", "*.dwkfr", "*.a6b0c", "*.p5x0j", "*.revil", "*.locked", "*.encrypted")
    $ransomNotes = @("__README__.txt", "_readme.txt", "REvilREADME.txt")
    # Limit the search scope to user profiles and common data directories to avoid system files
    $searchPaths = @("$env:USERPROFILE", "C:\Users\Public", "$env:PUBLIC\Desktop")
    $foundFiles = @()
    foreach ($path in $searchPaths) {
        if (Test-Path $path) {
            # Search for encrypted-file extensions
            foreach ($ext in $extensions) {
                $files = Get-ChildItem -Path $path -Filter $ext -Recurse -ErrorAction SilentlyContinue
                if ($files) { $foundFiles += $files }
            }
            # Search for ransom notes
            foreach ($note in $ransomNotes) {
                $files = Get-ChildItem -Path $path -Filter $note -Recurse -ErrorAction SilentlyContinue
                if ($files) { $foundFiles += $files }
            }
        }
    }
    if ($foundFiles) {
        Write-Host "[!] POTENTIAL THREAT DETECTED: Found files matching REvil IOC patterns." -ForegroundColor Red
        $foundFiles | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
    } else {
        Write-Host "[+] No REvil file IOCs found in standard user directories." -ForegroundColor Green
    }

    # 2. CHECK FOR CRITICAL VULNERABILITIES (Patch Status)
    # REvil affiliates heavily exploited ProxyShell (Exchange) and PrintNightmare (Spooler).
    Write-Host "`n[*] Checking Patch Status for REvil Exploited Vulnerabilities..." -ForegroundColor Yellow
    # PrintNightmare fixes shipped in cumulative rollups (KB5005010 / KB5004945); on Windows 10
    # the OS build number is a more reliable indicator than individual KB IDs.
    $currentBuild = [System.Environment]::OSVersion.Version.Build
    $osCaption = (Get-CimInstance Win32_OperatingSystem).Caption
    Write-Host "    Operating System: $osCaption (Build: $currentBuild)"
    # Generic check for recent security updates (PrintNightmare was mid-2021, ProxyShell early 2021).
    # A Windows 10 build older than 19043 (21H1) is flagged with a warning.
    $vulnStatus = $false
    if ($osCaption -like "*Server 2019*" -or $osCaption -like "*Server 2016*") {
        # Rough check for the specific KB rollup numbers
        $hotfixes = Get-HotFix | Select-Object -ExpandProperty HotFixID
        if ("KB5005010" -notin $hotfixes -and "KB5005565" -notin $hotfixes) {
            Write-Host "[!] WARNING: System may be missing patches for PrintNightmare (CVE-2021-34527) frequently used by REvil." -ForegroundColor Red
            $vulnStatus = $true
        }
    } elseif ($osCaption -like "*Windows 10*") {
        if ($currentBuild -lt 19043) {
            Write-Host "[!] WARNING: OS Build is outdated. REvil affiliates often target unpatched SMB/RDP/Print Spooler services." -ForegroundColor Red
            $vulnStatus = $true
        }
    }
    if (-not $vulnStatus) {
        Write-Host "[+] OS appears to have major security updates (PrintNightmare/ProxyShell era)." -ForegroundColor Green
    }

    # 3. HARDENING: RDP and SMBv1 Configuration
    # REvil affiliates often gain initial access via brute-forced RDP or unsecured SMB.
    Write-Host "`n[*] Applying Hardening Rules (RDP/SMB)..." -ForegroundColor Yellow
    # Check RDP status
    $rdpProperty = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -ErrorAction SilentlyContinue
    if ($rdpProperty.fDenyTSConnections -eq 0) {
        Write-Host "[!] RDP is ENABLED. REvil affiliates use RDP for lateral movement." -ForegroundColor Red
        Write-Host "    Recommendation: Disable RDP if not required (Set-ItemProperty...)."
    } else {
        Write-Host "[+] RDP is Disabled." -ForegroundColor Green
    }
    # Check Network Level Authentication (NLA)
    $userAuth = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -ErrorAction SilentlyContinue
    if ($userAuth.UserAuthentication -eq 0) {
        Write-Host "[!] NLA is DISABLED. This makes brute-force attacks easier." -ForegroundColor Red
    } else {
        Write-Host "[+] NLA is Enabled." -ForegroundColor Green
    }
    # Disable SMBv1 (used by EternalBlue variants and other REvil initial access tools)
    $SMBv1 = Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
    if ($SMBv1.EnableSMB1Protocol -eq $true) {
        Write-Host "[!] SMBv1 is ENABLED. Disabling for hardening..." -ForegroundColor Red
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "[+] SMBv1 has been disabled." -ForegroundColor Green
    } else {
        Write-Host "[+] SMBv1 is Disabled." -ForegroundColor Green
    }

    # 4. SERVICE CHECK (Spooler)
    # Print Spooler is a frequent vector.
    Write-Host "`n[*] Checking Print Spooler Service..." -ForegroundColor Yellow
    $spooler = Get-Service -Name "Spooler" -ErrorAction SilentlyContinue
    if ($spooler.Status -eq "Running") {
        Write-Host "[!] Print Spooler is Running. If printing is not needed, stop and disable this service." -ForegroundColor Red
    } else {
        Write-Host "[+] Print Spooler is not running." -ForegroundColor Green
    }

    Write-Host "`n[*] REvil Threat Hunt and Hardening Complete." -ForegroundColor Cyan
}

# Execute
Invoke-RevilCheck
Remediation
There is no specific patch for the "identification of a hacker," but the following remediation steps are mandatory to harden environments against the REvil TTPs that UNKN facilitated:
- Patch Critical External Exposures: Audit your external attack surface immediately.
  - Action: Patch all VPN appliances (Fortinet, Pulse Secure, Citrix) and Microsoft Exchange servers to the latest stable versions.
  - Reference: Review the CISA Known Exploited Vulnerabilities (KEV) Catalog for prioritized RaaS exploits.
- Disable Unused Remote Access:
  - Action: Close RDP (TCP 3389) and SMB (TCP 445) to the internet at the firewall edge.
- Implement Application Control:
  - Action: Use AppLocker or Windows Defender Application Control (WDAC) to restrict the execution of unsigned binaries and common ransomware paths (e.g., C:\Windows\Temp\, C:\Users\Public\).
- Secure Backups:
  - Action: Ensure backups are stored offline or in an immutable cloud storage tier (WORM - Write Once Read Many).