Skip to content ↓ | Skip to navigation ↓

REvil is one of the most notorious ransomware groups in the world.

Also known as Sodin and Sodinokibi, REvil has made a name for itself extorting large amounts of money from businesses, operating as a ransomware-as-a-service (RAAS) business model that sees it share its profits with affiliates who break into networks and negotiate with victims on the group’s behalf.

But now there are reports that a secret backdoor in the ransomware’s code allows the group to steal ransom proceeds from under the noses of its affiliates.

I know. Shocking, isn’t it? Who would have imagined that you couldn’t trust a cybercriminal gang to act ethically when dealing with other cybercriminals?

Researchers at Flashpoint say that they have uncovered evidence that all is not rosy between REvil and its affiliates.

Earlier this month a hacker called Signature is said to have posted details of a secret “cryptobackdoor” in REvil’s code on a Russian forum used by the criminal underground. According to the researchers, “the backdoor code enables REvil the capability of restoring encrypted files on its own — without the involvement of the affiliates it originally hired.”

Furthermore, it is claimed that the backdoor allows the REvil group to take over negotiations with a ransomware victim – cutting out the affiliate, and even restore encrypted files without the approval of its partner.

Indeed, Signature claims that REvil jumped into a negotiation (known as a “customer support” chat) via the backdoor, and posing as a victim abruptly ended an attempt to extort $7 million. Signature believes that one of REvil’s operators then took over the real negotiation and took the money for themselves.

Other affiliates of the REvil group are said to have similar concerns and suspicions.

Now correct me if I’m wrong, but that doesn’t sound like a good way to run a Ransomware-As-A-Service business, as it’s highly likely you are going to leave your affiliates disgruntled and unwilling to work with you in the future if they feel they are going to be left out of pocket.

The news comes amid rising tensions in the ransomware underworld, following a series of high profile attacks that have caused greater scrutiny than ever before from law enforcement agencies.

None of this, unfortunately, makes life any easier for businesses attempting to protect themselves against ransomware crooks. The criminals may be fighting amongst themselves, but that doesn’t mean that you can let your guard down about how you should best protect your company from ransomware attacks.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.