REvil is one of the most notorious ransomware groups in the world.

Also known as Sodin and Sodinokibi, REvil has made a name for itself extorting large amounts of money from businesses, operating as a ransomware-as-a-service (RaaS) business model that sees it share its profits with affiliates who break into networks and negotiate with victims on the group’s behalf.

But now there are reports that a secret backdoor in the ransomware’s code allows the group to steal ransom proceeds from under the noses of its affiliates.

I know. Shocking, isn’t it? Who would have imagined that you couldn’t trust a cybercriminal gang to act ethically when dealing with other cybercriminals?

Researchers at Flashpoint say that they have uncovered evidence that all is not rosy between REvil and its affiliates.

Earlier this month a hacker called Signature is said to have posted details of a secret “cryptobackdoor” in REvil’s code on a Russian forum used by the criminal underground. According to the researchers, “the backdoor code enables REvil the capability of restoring encrypted files on its own — without the involvement of the affiliates it originally hired.”

Furthermore, it is claimed that the backdoor allows the REvil group to take over negotiations with a ransomware victim – cutting out the affiliate, and even restore encrypted files without the approval of its partner.

Indeed, Signature claims that REvil jumped into a negotiation (known as a “customer support” chat) via the backdoor, and posing as a victim abruptly ended an attempt to extort $7 million. Signature believes that one of REvil’s operators then took over the real negotiation and took the money for themselves.

Other affiliates of the REvil group are said to have similar concerns and suspicions.

Now correct me if I’m wrong, but that doesn’t sound like a good way