Security News > 2021 > September > REvil Affiliates Confirm: Leadership Were Cheating Dirtbags
A day after news broke about REvil having screwed their own affiliates out of ransomware payments - by using double chats and a backdoor that let REvil operators hijack ransom payments - those affiliates took to the top Russian-language hacking forum to renew their demands for REvil to fork over their pilfered share of ransom payments.
REvil leadership was supposed to pocket the remaining 30 percent - and only that much - of ransom payments, in exchange for providing the ransomware payload that the affiliates use to seize control of victims' data and systems.
That's what happened with DarkSide, responsible for the Colonial Pipeline attack: Affiliates had a tough time getting paid for their work after DarkSide's servers were shut down in May, so they turned to admins of the group's Dark Web criminal forum to sort things out.
According to AdvIntel's Yelisey Boguslavskiy - head of research at the cyber risk prevention firm - aggravated, scammed affiliates had taken that route in May 2021, seeking to recoup $21.5 million USD from REvil for allegedly scamming them.
The threat actor's reiteration confirmed AdvIntel's assumption: REvil leadership did indeed create a backdoor that enabled them to cut off ransom negotiations between victims and the gang's own affiliates, to run a double chat that enabled leadership to pose as victims who threw in the towel mid-negotiation, and to then step in to resume the negotiations, cut the affiliates out of the deal, and pocket the entire ransom payment.
It wasn't just the aggrieved affiliate who confirmed how slimy the REvil slimebags were, Boguslavskiy added: "Moreover, the representative of #LockBit also joined the discussion and stated that former REvil affiliates shared with them that they were scammed due to the double chat scheme."
News URL
https://threatpost.com/revil-affiliates-leadership-cheated-ransom-payments/174972/