REvil Cheated Fellow Criminals

Ransomware gang REvil is said to have built backdoors into its own software, making it possible to take over negotiations with victims behind the backs of its partners.


Cybercriminals cannot be trusted. Not big news, perhaps, but a shock for some of the gangs that partnered with the developers of the REvil ransomware. The gang built backdoors into its own software so that it could take over ransom negotiations at will and pocket the money itself.

A hidden feature in the software reportedly allows the developers to decrypt any system locked by REvil ransomware themselves. That emerges from posts on criminal forums by people who worked with the gang. Security researchers have also confirmed the rumours, tech site BleepingComputer writes.

REvil is the ransomware used in the Kaseya attack, which affected more than a thousand companies. The software was also behind attacks on, among others, a weapons manufacturer and a large meat processor. The business model behind much of today's ransomware plays a role here: it increasingly resembles classic vendor services.

Developers market their software as 'Ransomware-as-a-Service' (RaaS). They build the malware and provide the infrastructure, while specialised affiliate gangs handle the break-in and the extortion. The affiliates usually get the larger share of the loot, around 70 to 80 percent, according to BleepingComputer.

According to Yelisey Boguslavskiy, a researcher at security company Advanced Intel, several criminals complain that the actual operators of the RaaS have repeatedly taken over negotiations with victims, without the affiliates (the buyers of the malware, in effect) noticing or being informed. REvil would open a second chat with the victim and negotiate the ransom itself.

To the affiliates, meanwhile, REvil posed as the victim and said it had decided not to pay the ransom demand. That way the customers of the RaaS did not always realise they were being cheated.

The rumours are backed by researchers who analysed the ransomware and found a backdoor. It gives REvil itself a master key: a way to decrypt victims' files independently of the affiliate who bought the RaaS. That same backdoor is thought to be the basis of some of the universal decryptors released since, including BitDefender's.
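The simplest way to give a RaaS operator a "master key" of the kind the researchers describe is key escrow: the per-victim file key is wrapped not only to the affiliate's public key but also to a second, operator-owned public key hardcoded in the malware, so either private key recovers the files. The Go program below is an added illustration of that design, not REvil's code or any reconstruction of it; X25519 for the key agreement, AES-256-GCM for the wrapping and file encryption, plain SHA-256 as the key-derivation step, and all names and the sample data are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Illustrative key-escrow design (assumption, not REvil's code): the file key is
// wrapped to the affiliate's public key AND the operator's public key.
type wrappedKey struct {
	ephemeralPub []byte // ephemeral X25519 public key used for this wrap
	nonce        []byte
	ciphertext   []byte // AES-GCM(fileKey) under SHA-256(ECDH(ephemeral, recipient))
}

type victimPackage struct {
	affiliateWrap wrappedKey
	operatorWrap  wrappedKey // the escrow copy: the operator's "master key" path
	fileNonce     []byte
	fileCT        []byte
}

func curve() ecdh.Curve { return ecdh.X25519() }

// gcmFor turns 32 bytes of key material into an AES-256-GCM instance.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// wrapTo encrypts fileKey so that only recipient's private key can unwrap it.
func wrapTo(recipient *ecdh.PublicKey, fileKey []byte) (wrappedKey, error) {
	eph, err := curve().GenerateKey(rand.Reader)
	if err != nil {
		return wrappedKey{}, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return wrappedKey{}, err
	}
	kek := sha256.Sum256(shared) // assumption: bare SHA-256 as the KDF
	aead, err := gcmFor(kek[:])
	if err != nil {
		return wrappedKey{}, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return wrappedKey{}, err
	}
	return wrappedKey{eph.PublicKey().Bytes(), nonce, aead.Seal(nil, nonce, fileKey, nil)}, nil
}

// unwrapWith reverses wrapTo; GCM's tag check fails for any other private key.
func unwrapWith(priv *ecdh.PrivateKey, w wrappedKey) ([]byte, error) {
	ephPub, err := curve().NewPublicKey(w.ephemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	kek := sha256.Sum256(shared)
	aead, err := gcmFor(kek[:])
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, w.nonce, w.ciphertext, nil)
}

// encryptVictim is the locker side: one random file key, the data under it,
// and two wrapped copies of that key (affiliate and operator).
func encryptVictim(affPub, opPub *ecdh.PublicKey, plaintext []byte) (victimPackage, error) {
	fileKey, err := randomBytes(32)
	if err != nil {
		return victimPackage{}, err
	}
	aead, err := gcmFor(fileKey)
	if err != nil {
		return victimPackage{}, err
	}
	fileNonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return victimPackage{}, err
	}
	aw, err := wrapTo(affPub, fileKey)
	if err != nil {
		return victimPackage{}, err
	}
	ow, err := wrapTo(opPub, fileKey)
	if err != nil {
		return victimPackage{}, err
	}
	return victimPackage{aw, ow, fileNonce, aead.Seal(nil, fileNonce, plaintext, nil)}, nil
}

// recoverFiles tries each wrapped copy with the given private key: the affiliate
// and the operator both succeed, anyone else gets an error.
func recoverFiles(priv *ecdh.PrivateKey, pkg victimPackage) ([]byte, error) {
	for _, w := range []wrappedKey{pkg.affiliateWrap, pkg.operatorWrap} {
		fileKey, err := unwrapWith(priv, w)
		if err != nil {
			continue
		}
		aead, err := gcmFor(fileKey)
		if err != nil {
			return nil, err
		}
		return aead.Open(nil, pkg.fileNonce, pkg.fileCT, nil)
	}
	return nil, errors.New("no wrapped copy opens with this private key")
}

// escrowCheck runs the scenario end to end with a constructed sample file and
// reports whether the affiliate, the operator and a stranger can decrypt it.
func escrowCheck() (affiliateOK, operatorOK, strangerBlocked bool, err error) {
	var keys [3]*ecdh.PrivateKey // affiliate, operator, stranger
	for i := range keys {
		if keys[i], err = curve().GenerateKey(rand.Reader); err != nil {
			return
		}
	}
	msg := []byte("constructed sample: quarterly-report.xlsx contents")
	pkg, err := encryptVictim(keys[0].PublicKey(), keys[1].PublicKey(), msg)
	if err != nil {
		return
	}
	a, errA := recoverFiles(keys[0], pkg)
	o, errO := recoverFiles(keys[1], pkg)
	_, errS := recoverFiles(keys[2], pkg)
	return errA == nil && string(a) == string(msg), errO == nil && string(o) == string(msg), errS != nil, nil
}

func main() {
	a, o, s, err := escrowCheck()
	if err != nil {
		panic(err)
	}
	fmt.Printf("affiliate decrypts: %v, operator decrypts: %v, stranger blocked: %v\n", a, o, s)
}
```

For an analyst looking at a sample, the tell-tale sign of this design is a second hardcoded public key in the malware's configuration and a second wrapped key blob stored next to the affiliate's (in the file footer or the ransom note, depending on the family); whether REvil's backdoor took exactly this form is not something this page establishes, and a universal decryptor built on such a master key would simply be `recoverFiles` run with the operator's private key.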
