
How REvil May Have Ripped Off Its Own Affiliates
2021-09-22 16:50

There's no honor between thieves, but this is beyond rude: Malware specialists have found evidence of how REvil's leadership may have screwed their own affiliates out of their cut of ransomware payouts.

REvil leadership pockets the remaining 30 percent in exchange for providing the ransomware payload that the affiliates use to seize control of victims' data and systems.

In recently acquired malware samples - taken from campaigns waged both by the original REvil operators and by the newcomer who started running the show after the gang's servers went bye-bye in July - AdvIntel researchers identified the backdoor that could have enabled REvil leadership to decrypt workstations and files.

AdvIntel had already been aware that REvil has been using double-chats: That's when two identical chats are open with the victim, one by the affiliate and another by REvil leadership.

The threat intelligence firm has no direct evidence that REvil leadership used the backdoor to shut down the affiliate's chat, impersonate a victim who had decided to quit negotiations without paying, and then continue negotiating with the real victim to pocket the full payment. Still, Boguslavskiy considers double chats and a backdoor to be "significant evidence of REvil's practices as affiliate scammers."

"This evidence correlates with the underground's approach to REvil as a talkative and perpetually lying group that should not be trusted by the community or even by its own members," Boguslavskiy commented.
