REvil creators fooling affiliates to keep 100% of the ransom payments

Ransomware developers use backdoor malware to cut off affiliates and keep the entire ransom

Affiliates of the REvil ransomware scammed by the gang with the help of backdoors and double chats

Cybercriminals released a malware component that hijacks the victim negotiation process from affiliates in order to take the 70% of the payment that normally goes to affiliates.[1] Ransomware-as-a-service[2] is a threat that relies on particular hackers and experienced criminals who help with breaching and encryption during attacks of the REvil ransomware.[3] A new method was found that lets the ransomware developers keep the proceeds, which are typically divided, entirely for themselves.

The newly reborn REvil or Sodinokibi gang released new samples that researchers managed to analyze. A backdoor and double-chat method enables the original cryptovirus creators to hijack the communication with victims and take the payment cut that belongs to affiliates. This additional malware piece also enables threat actors to decrypt workstations and files.

However, this scam on its own affiliates shouldn't encourage hackers to work with the ransomware gang. Affiliates do all the dirty work: they compromise the system, steal the data, negotiate, and encrypt the targeted machines. This is why the initial developer only gets about 30%. The ransomware was seemingly shut down,[4] but these activities show that the infection is still actively spreading.

The usage of double chats and backdoor malware

Ransomware operators received a bad reputation due to this activity because many people who have worked with the group have reported the behavior on dark web forums since at least 2020. Actors take over negotiations by opening a second chat while affiliates negotiate the amount of the ransom with victims. Once the critical point is reached, REvil takes over and receives the full payment from the victim by cutting off the negotiations on the affiliate's end.

By using this backdoor, REvil can hijack victim cases during active negotiations with affiliates and obtain the 70% of the ransom payment that is supposed to go to the affiliates.

These claims have only been reported by other hackers; the only way to get hard evidence would be to infiltrate the ransomware network and obtain information about those double chats. The setup is possible because the backdoor serves as the hijacking mechanism: it allows the secret decryption of files without the affiliate's involvement.

Decryption keys were released before and after the rebirth of REvil

It was first speculated that security teams had the decryption keys for REvil victims, and this was later fully confirmed when BitDefender released a free decryptor that works for many victims of this ransomware.[5] The key FF5EEDCAEDEE6250D488F0F04EFA4C957B557BDBDC0BBCA2BA1BB7A64D043A3D works for victims affected by this threat before July 13th, 2021.

This summer showed extreme activity from the REvil ransomware, and victims were put into panic mode. It surfaced that the FBI had been secretly withholding the key that could restore the encoded files. For three weeks, while REvil was attacking at least 1,500 networks belonging to hospitals, schools, and businesses, the FBI kept the decryption key to itself.[6]

Servers of the ransomware developers were penetrated by law enforcement, and the decryption keys were obtained. However, the team decided to wait before publishing these keys so that the criminals could be stopped instead. The FBI had no time to step in because the gang halted its activities before the bureau took any action. After these months of silence, REvil came back this month with new strains and versions that are not decryptable with any of the available tools. The downtime was used for regrouping and evolving.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
