For the past few months the cybercriminal world has been full of rumours that the leadership of REvil, one of the most notorious ransomware groups, was scamming its own members. Information that was previously known only to a restricted number of people is now available to the public after several cybersecurity reports were published.
REvil's secret backdoor
Cybersecurity expert Yelisey Boguslavski, head of research at the cyber risk prevention firm Advanced Intelligence, shared on his LinkedIn page details of the scheme that was in operation. Security specialists already knew that this ransomware group used double chats, but the report presented new evidence: a special backdoor could decrypt files secretly. In effect, a detour was created and the ransom money went to people other than the affiliates themselves. He also added that, after examining the newest samples, it appears the ransomware was cleaned of the backdoor after the group's reactivation.
“It seems that the new samples were reworked and the backdoor was cleaned out, however, it is significant evidence of REvil’s practices as affiliate scammers. This evidence correlates with the underground’s approach to REvil as a talkative and perpetually lying group that should not be trusted by the community or even by its own members” — Yelisey Boguslavski on his LinkedIn page
A hacker going by the name Signature shared his suspicions on a forum, recounting a case in which a victim was ready to pay 7 million dollars when the conversation suddenly and inexplicably ended; he believes one of REvil's operators took over the conversation. People who were REvil affiliates share similar suspicions.
Who is REvil?
REvil, also known as Sodin or Sodinokibi, operates on a ransomware-as-a-service (RaaS) business model: a central core develops the malware, while affiliates do the dirty work of encrypting systems and negotiating with victims. This summer the group made headlines when it paralyzed operations at the major meat supplier JBS and the fuel supplier Colonial Pipeline. IT provider Kaseya was also hit by the gang, and right after that the ransomware platform went offline. Not long ago, many cybersecurity researchers reported that REvil had resumed operations.
The usual way of working for REvil's affiliates is that they receive a payload to infect the victim, and it is then the affiliates' task to dig into the network to secure the ransomware's presence. The next stage comes when negotiations over ransom payments are underway: the affiliates, who do all the hard work of contacting the victim on behalf of the ransomware group, receive 70 percent of the income, while the other 30 percent goes to REvil's leadership.