Euro Security Watch with Mathew J. Schwartz

Critical Infrastructure Security, Cybercrime, Cybercrime as-a-service

REvil Ransomware Group's Latest Victim: Its Own Affiliates

Double Negotiations and Malware Backdoor Let Admins Scam Affiliates Out of Profits
Ransom note left by REvil/Sodinokibi on a crypto-locked system (Source: Elliptic)

Ransomware-wielding attackers love to lie.

Of course they never knowingly hit the healthcare sector or other so-called critical infrastructure. If they say they've stolen data, without a doubt they really stole data.

In addition, every ransom demand comes carefully calibrated to ensure that a victim can pay without going out of business. Crypto-locking malware is also lovingly developed and tested to ensure its encryption routines never inadvertently shred files before deleting the original, thus leaving the files unrecoverable with any decryptor.

And when the law enforcement or geopolitical heat gets to be too much, ransomware operations never pretend to retire before opening up shop under a new name.

Affiliates Get Scammed Too

To the long list of criminal fabrications, shocking though this may seem, add a new scam, which involves ransomware-as-a-service operations not just lying to victims, but also the criminals' business partners.

So say researchers at New York-based threat intelligence firm Advanced Intelligence, aka AdvIntel, who note that malware reverse-engineering specialists on the Exploit cybercrime forum analyzed REvil samples from earlier this year and recently reported finding a backdoor that could be used by administrators to decrypt systems and files encrypted using the malware.

"It looks like the backdoor was around since the very beginning of the REvil RaaS operation and it disappeared during REvil's restart. In other words, the old REvil - the one before quitting in July - had the backdoor, and the new one, restarting in September, doesn't have one," says Yelisey Boguslavskiy, head of research at AdvIntel.

Ransomware-as-a-service operations typically involve the operator developing - or finding someone to develop - the malware, which they provide as a service to affiliates, who download malware executables via a portal and use them to infect targets. If a victim pays, the affiliate gets their pre-agreed cut, which for REvil was typically 70% for the affiliate, with the operator keeping 30%.

Or at least, that's the agreement. "By using this backdoor, REvil can hijack victim cases during active negotiations with affiliates and obtain the 70% of ransom payments that are supposed to go to the affiliates," AdvIntel says.

"We have previously known that REvil has been using double chats when two identical chats are open with the victim by the affiliate and by REvil leadership," AdvIntel says. "At a critical point of negotiations, the leadership switched down the affiliate chat - imitating the victim quitting the negotiations without paying - while continuing to negotiate with the victim to get the full income."

AdvIntel says the latest findings bolster REvil's reputation in the underground "as a talkative and perpetually lying group that should not be trusted by the community or even by its own members."

REvil Partner Reopens Claim

After publishing its report, AdvIntel says that a well-known member of a leading Russian-language cybercrime forum cited its research to bolster a claim that he'd been scammed out of $21 million in profits by REvil, after administrators used the double-chat tactic and backdoor capability. Reading between the lines, the affiliate might have been able to file a claim for restitution, so to speak, via the cybercrime forum - if that's how REvil came to contract his services and if the forum provides dispute resolution. Or the affiliate could be seeking restitution and a public apology, if REvil wants to try and restore its reputation.

AdvIntel says a LockBit representative also weighed in, stating "that former REvil affiliates shared with them that they were scammed due to the double chat scheme" (see: 9 Takeaways: LockBit 2.0 Ransomware Rep 'Tells All').

Security experts say competition remains fierce to recruit the most skilled affiliates, since they help operators hit bigger targets and reap larger ransom payoffs.

But not all affiliates are highly skilled. For example, a U.S. government cybersecurity advisory issued this week says that unlike the traditional affiliate model, Conti appears to not share profits but rather pay at least some affiliates a fixed salary. But at least one affiliate reports having been shortchanged, leading him to leak the playbooks used by the group to train inexperienced, new affiliates.

Reports that REvil and Conti have been underpaying affiliates could drive them away, as well as complicate the groups' efforts to recruit fresh affiliates via cybercrime forums, some of which already claim to have banned anything to do with ransomware.

A cybercrime forum user receives a warning for attempting to trade ransomware. (Source: Digital Shadows)

REvil Went Dark - Temporarily

REvil recently began resuming operations, after disappearing in July. The reason for the operation going quiet isn't known. Perhaps the administrators were lying low after the White House announced a crackdown. Maybe they were just on vacation. Or maybe they were taking time out to regroup, after law enforcement authorities obtained the ability to decrypt any file previously crypto-locked by REvil.

AdvIntel says the new samples of REvil recently seen in the wild no longer have the backdoor capability. But with REvil controlling the development and distribution of its crypto-locking malware, it could put a backdoor back in at any time.

This has always been an Achilles' heel for affiliates. Namely, they only get their cut after the operator processes the cryptocurrency payment, which is typically made via bitcoin or monero. After the operator keeps their cut, the rest gets routed to a wallet controlled by the affiliate.

Some operators, however, don't just provide a data leak site for naming and shaming victims and a payment portal to receive ransoms, but also handle negotiations. In such cases, what guarantees would an affiliate have that they really received their due, except for the reputation of the other criminals they're working with?

Operating in the Shadows

Perhaps that is yet one more reason why ransomware attackers prefer to operate in the shadows. When victims navigate to the payment portal, they often see a countdown timer, threatening to double the ransom demand if they don't pay quickly. After that, the threats typically escalate: A victim will be "named and shamed" via a group's dedicated data leak site, after which their data will be dumped as a lesson to future victims. Or victims can pay, for a promise of a decryptor, stolen data getting deleted and no one ever being the wiser (see: Ransomware Stopper: Mandatory Ransom Payment Disclosure).

For attackers, the fewer incidents that get publicly disclosed - or privately reported to law enforcement agencies - the better, and it's one reason operations such as Ragnar Locker and Grief have issued an outlandish threat to immediately leak a victim's data and to never give them a decryptor if they have the temerity to bring in law enforcement officials or a professional ransomware negotiation firm.

But hiding the facts of an attack can also help administrators scam their affiliates. Then again, this shouldn't be a surprise. Ransomware attackers continue to prove that they'll lie about anything, to anyone, in their pursuit of illicit profit.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
