REvil Ransomware: The GandCrab Connection
WHITE danjzj93 2019-09-24 Modified: 2019-09-24
The REvil (also known as Sodinokibi) ransomware was first spotted in the wild (ITW) on April 17, when threat actors leveraged an Oracle WebLogic exploit to deliver both REvil and GandCrab. CTU analysis and tracking of REvil samples suggest that the ransomware was in development and testing between April 10 and May 7 and was not intended for public release.
Indicators of Compromise (0)
No indicators.