News

REvil scams its own members

For the past few months the cybercriminal world has been full of rumours that the leadership of REvil, one of the most notorious ransomware groups, scams its own members. Information that was previously known only to a restricted number of people is now public after several cybersecurity reports were published.

REvil's secret backdoor

Cybersecurity expert Yelisey Boguslavski, head of research at the cyber risk prevention firm Advanced Intelligence, shared on his LinkedIn page information about the scheme that was in action. Cybersecurity specialists already knew that this ransomware group used double chats, but the report presents new evidence: a special backdoor in the ransomware could decrypt files secretly, creating a detour through which the ransom money went to someone other than the affiliate who carried out the attack. He also added that, after examining the newest samples, it appears the backdoor was removed from the malware after the group's reactivation.

“It seems that the new samples were reworked and the backdoor was cleaned out, however, it is significant evidence of REvil’s practices as affiliate scammers. This evidence correlates with the underground’s approach to REvil as a talkative and perpetually lying group that should not be trusted by the community or even by its own members” — Yelisey Boguslavski on his LinkedIn page [1]

A hacker going by the name Signature shared his suspicions on a forum, describing a case in which a victim was ready to pay 7 million dollars when the conversation suddenly and abruptly ended; he thinks one of REvil's operators took over the conversation. Other REvil affiliates share similar suspicions.

Who is REvil?

REvil, also known as Sodin or Sodinokibi, is a ransomware-as-a-service (RaaS) operation: a central core develops the malware, while affiliates do the dirty work of breaking into and encrypting systems and negotiating with victims. This summer the group reached the top of the headlines when the operations of the major meat supplier JBS and the fuel supplier Colonial Pipeline were paralyzed. IT provider Kaseya was also hit by the gang, and right after that the ransomware platform went offline. More recently, many cybersecurity researchers have reported that REvil has resumed operations.

REvil ransomware ransom note

The usual way of working for REvil's affiliates is that they receive a payload to infect the victim, and it is then the affiliates' task to dig into the network and secure the ransomware's presence. The next stage comes when negotiations over the ransom payment are underway: the affiliates, who do all the hard work of contacting the victim on behalf of the ransomware group, receive 70 percent of the income, and the other 30 percent goes to REvil's leadership.

  1. https://www.linkedin.com/feed/update/urn:li:activity:6845837344713519104/
Polina Lisovskaya

I have worked as a marketing manager for years now and love searching for interesting topics for you
