The gang behind the Revil ransomware set up a secondary chat system to negotiate directly with victims and cut its own affiliates out of the payment.
The world of cybercrime is ruthless, and the world of ransomware even more so. The gang behind Revil (aka Sodinokibi) appears to have embezzled ransoms and excluded its affiliates from payment. To do so, the group used a secondary chat channel to talk directly with victims and collect the ransom right under the affiliates' noses. As a reminder, Revil appeared in the first half of 2019 and operates in RaaS (ransomware as a service) mode: the core group develops the ransomware and runs the infrastructure, and affiliates are recruited to carry out the attacks. Revenue is shared between the parties, with affiliates taking the largest share (generally 70 to 80%).
Cheated by a secret chat
A well-oiled system, but one in which the group has over time defrauded its affiliates by withholding their promised share (around 70%) of the ransoms paid by victims. Yelisey Boguslavskiy, head of research at Advanced Intel, interviewed by our colleagues at Bleepingcomputer, notes that since 2020 posts on underground forums have claimed that RaaS operators negotiate with victims in secret chats without the affiliates' knowledge.
According to the researcher, Revil's administrators opened a second chat, identical to the one the affiliate was using to negotiate with the victim. When the discussions reached a crunch point, Revil took over from the affiliate, making it appear to the affiliate that the victim had dropped out of the negotiations without paying the ransom. The gang then continued the discussion with the victim on its own and pocketed the negotiated sum. This was corroborated by a reverse engineer's discovery of a "crypto backdoor" while analysing Revil samples, a mechanism that let the operators decrypt a victim's files without the affiliate's key. Note that Bitdefender recently released a universal Revil ransomware decryption tool for victims whose files were encrypted before July 13, 2021.