REvil hides a chat in the ransomware to double-cross its affiliates


The gang behind the ransomware has set up a secondary chat system to negotiate directly with victims and thus bypass affiliates.


The world of cybercrime is ruthless, and the world of ransomware even more so. The gang behind REvil (aka Sodinokibi) appears to have embezzled ransoms, cutting its affiliates out of the payment. To do so, the group used a secondary chat channel to talk directly with victims and collect the ransom right under the affiliates' noses. As a reminder, REvil appeared in the first half of 2019 and operates in RaaS (ransomware as a service) mode: the core group builds the ransomware and the infrastructure, then recruits affiliates to carry out the attacks. Revenue is shared between the parties involved, with the affiliates taking the largest share (generally 70 to 80%).

Cheated by a secret chat

A well-run system, but one in which the group has, over time, defrauded affiliates by not paying them the promised 70% share of the ransoms paid by victims. Yelisey Boguslavskiy, head of research at Advanced Intel, interviewed by our colleagues at BleepingComputer, notes that since 2020 messages on underground forums have claimed that the RaaS operators negotiate with victims in secret chats without the affiliates' knowledge.

According to Boguslavskiy, the REvil administrators had opened a second chat, identical to the one the affiliate was using, in order to negotiate directly with the victim. When the discussions reached a critical point, REvil took over from the affiliate, making it look to the affiliate as though the victim had walked away from the negotiations without paying. The gang then continued the discussion with the victim and collected the negotiated sum. This technique was corroborated when a reverse engineering expert discovered a “crypto backdoor” while analysing REvil samples. Note that Bitdefender recently released a universal REvil ransomware decryption tool for victims encrypted before July 13, 2021.
