Latest victim of REvil Ransomware Group: its own subsidiaries


Security of critical infrastructure, Cybercrime, Cybercrime as-a-service

Double Negotiations and Malware Backdoor Lets Admins Scam Profit-Running Affiliates

Mathew J. Schwartz (euroinfosec) •
September 25, 2021

Ransom note left by REvil / Sodinokibi on a crypto-locked system (Source: Elliptic)

Ransomware attackers love to lie.


Of course, they never knowingly touched the health sector or other so-called critical infrastructure. If they say they stole data, there is no doubt that they really stole data.

In addition, each ransom demand is carefully calibrated to ensure that a victim can pay without closing its doors. Crypto-locking malware is also lovingly developed and tested to ensure that its encryption routines never inadvertently corrupt a file before deleting the original, leaving it unrecoverable by any decryptor.

And when law enforcement or geopolitical heat gets too strong, ransomware operations never pretend to retire before opening their store under a new name.

Affiliates are also getting ripped off

Shocking as it may sound, a new scam has been added to the long list of criminal fabrications: ransomware-as-a-service operations that lie not only to victims, but also to their own criminal business partners.

So say researchers at New York-based threat intelligence firm Advanced Intelligence, aka AdvIntel, who note that malware reverse engineering specialists on the Exploit cybercrime forum analyzed REvil samples earlier this year and recently reported finding a backdoor that could be used by administrators to decrypt systems and files encrypted with the malware.

“It looks like the backdoor has been around since the REvil RaaS operation began, and it disappeared when REvil was restarted. In other words, the old REvil – the one before it left in July – had the backdoor, and the new one, restarting in September, has none,” says Yelisey Boguslavskiy, research manager at AdvIntel.

Ransomware-as-a-service operations typically involve an operator that develops – or finds someone to develop – the malware, which it provides as a service to affiliates, who download malware executables through a portal and use them to infect targets. If a victim pays, the affiliate gets the agreed cut, which for REvil was typically 70%, with the operator keeping 30%.

Or at least that’s the deal. “By using this backdoor, REvil can hijack victims’ cases in active negotiations with affiliates and get the 70% of the ransom payments that are supposed to go to affiliates,” AdvIntel explains.

“We previously knew that REvil used double chats when two identical chats were opened with the victim by the affiliate and by REvil management,” AdvIntel said. “At a critical point in negotiations, management turned off affiliate chat – mimicking the victim leaving negotiations without paying – while continuing to negotiate with the victim for full income.”

AdvIntel says the latest findings reinforce REvil’s reputation in the underground “as a talkative and perpetually lying group that the community or even its own members should not trust.”

REvil partner reopens claim

After AdvIntel released its report, it said, a well-known member of a leading Russian-language cybercrime forum cited the research to support his claim that he had been scammed out of $21 million in profits by REvil, after admins used the double-chat tactic and the backdoor. Reading between the lines, the affiliate might be able to file a restitution claim, so to speak, through the cybercrime forum – if this is how REvil came to contract his services and if the forum offers dispute resolution. Or the affiliate could seek restitution and a public apology, if REvil wants to try to restore its reputation.

AdvIntel says a representative for LockBit also weighed in, stating “that former REvil affiliates have shared with them that they have been scammed due to the double chat system” (see: 9 takeaways: LockBit 2.0 Ransomware Rep ‘Says It All’).

Security experts say competition remains fierce to recruit the most qualified affiliates as they help operators reach bigger targets and reap bigger ransoms.

But not all affiliates are highly qualified. For example, a US government cybersecurity advisory released this week indicates that, unlike the traditional affiliate model, Conti does not appear to share the profits but rather pays at least some affiliates a fixed salary. And at least one affiliate reports being cheated, which led them to leak the manuals the group uses to train new, inexperienced affiliates.

Reports that REvil and Conti have underpaid their affiliates could scare them away and complicate the groups’ efforts to recruit new affiliates through cybercrime forums, some of which already claim to have banned anything related to ransomware.

Cybercrime Forum user receives warning for attempting to trade ransomware. (Source: Digital Shadows)

REvil Went Dark – Temporarily

REvil recently resumed operations, having gone dark in July. The reason for the operation’s silence is not known. Perhaps administrators were keeping a low profile after the White House announced a crackdown. Maybe they were just on vacation. Or maybe they were taking the time to regroup, after law enforcement authorities were granted the ability to decrypt any file previously crypto-locked by REvil.

AdvIntel says new samples of REvil recently seen in the wild no longer have the backdoor capability. But with REvil controlling the development and distribution of its crypto-locking malware, it could reestablish a backdoor at any time.

This has always been an Achilles’ heel for affiliates. Namely, they only receive their share after the operator has processed the payment in cryptocurrency, which is usually made in bitcoin or monero. Once the operator retains its share, the rest is routed to a wallet controlled by the affiliate.

Some operators, however, not only provide a data leak site to name and shame victims and a payment portal to receive ransoms, but also handle negotiations. In such cases, what guarantee does an affiliate have that it actually received its due, other than the reputation of the other criminals it works with?

Operate in the shadows

This is perhaps one more reason why ransomware attackers prefer to operate in the shadows. When victims enter the payment portal, they often see a countdown, threatening to double the ransom demand if they don’t pay quickly. After that, the threats usually escalate: a victim will be “named and shamed” via a group’s dedicated data leak site, after which their data will be leaked as a lesson to future victims. Or victims can pay, in exchange for the promise of a decryptor, a promise that the stolen data will be deleted, and a promise that no one will ever be the wiser (see: Ransomware Stopper: Mandatory Ransom Payment Disclosure).

For attackers, the fewer incidents that are publicly disclosed – or reported privately to law enforcement – the better, and this is one of the reasons why operations such as Ragnar Locker and Grief have gone so far as to issue a wacky threat to immediately publish a victim’s data and never give them a decryptor if they have the temerity to call in law enforcement officials or a professional ransomware negotiation firm.

But hiding the facts of an attack can also help administrators rip off their affiliates. Then again, this shouldn’t come as a surprise. Ransomware attackers continue to prove that they will lie about anything, to anyone, in their quest for illicit profit.
