An official website of the United States Government Here's how you know

Official websites use .gov

A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS

A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Reward Offers for Information to Bring Sodinokibi (REvil) Ransomware Variant Co-Conspirators to Justice

Wanted Poster in English 
Wanted Poster in Russian
Wanted Poster in Ukranian


20211108 123940

NAME: Sodinokibi Ransomware as a Service (RaaS)
NATIONALITY: Various (Unknown)
CITIZENSHIP: Various (Unknown)

The U.S. Department of State is offering a reward of up to $10,000,000 for information leading to the identification or location of any individual(s) who hold a key leadership position in the Sodinokibi (also known as REvil) ransomware variant transnational organized crime group.  In addition, a reward offer of up to $5,000,000 is offered for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a Sodinokibi ransomware incident. 

The Sodinokibi ransomware variant appeared initially in April 2019 and has since victimized over 1,000 entities in multiple industry sectors, to include private businesses, law enforcement agencies, government agencies, and educational and medical institutions.  One recent and highly publicized ransomware incident that was perpetrated using the Sodinokibi RaaS was that against JBS Foods, a large provider of agricultural products primarily to Australia and the United States.  The incident affected 98 percent of their network of over 5,000 servers and caused a major disruption in food processing and delivery.  In addition, Sodinokibi RaaS was used to conduct an attack against Kaseya, an IT management company which provides network, application, and infrastructure services to thousands of small businesses and managed service providers.  The Kaseya attack not only impacted Kaseya’s operations, but also that of its clients around the world. 

Ransomware is a type of malicious software, or malware, that prevents a user from accessing computer files, systems, or networks until a ransom is paid for their return.  Ransomware incidents can cause costly disruptions to operations and the loss of critical information and data.  The Sodinokibi ransomware operates as a service wherein the extortion profit is shared between the RaaS owners and their affiliates.  The affiliates are the entities that actually effectuate the computer intrusion and deploy the ransomware.  Each affiliate uses its own intrusion method and negotiates the terms of the ransom demands with the victim.   

The FBI does not support the payment of a ransom in response to a ransomware incident.  Paying ransom demands encourages more ransomware incidents and provides an incentive to become involved in this type of illegal activity.  If you are the victim of a ransomware incident, please visit for more information on best practices for mitigating the impact of such incidents. 

If you have information, please contact the FBI at +1-800-CALL-FBI (225-5324) or via the Internet at  Subsequent communications can occur through the WhatsApp, Telegram, or Signal messaging applications- or any other application of the tipster’s choosing.  If you are located outside of the United States, please contact the nearest U.S. Embassy/Consulate.  If in the United States, please contact the local FBI office in your city.  


Government officials and employees are not eligible for rewards. 

U.S. Department of State

The Lessons of 1989: Freedom and Our Future