Suspicions surrounding the return of REvil, one of the biggest ransomware gangs of recent years, gained traction after affiliates of the group claimed to have been cheated by it. The accusations appear in the same underground forums where the gang sells its ransomware services, and they allege that the gang's operators were contacting victims in parallel, trying to keep the entire ransom for themselves rather than pay the fees owed to the affiliates who actually carried out the attacks.
The reports were raised by security researchers at Advanced Intel after the discovery of a backdoor in REvil's ransomware that would allow the core operators to decrypt the files of victims hit by affiliates' attacks. The same backdoor also allowed the operators to contact victims directly, cutting out the original perpetrators of the intrusions as a way to avoid sharing part of the earnings with them.
The root of the issue is the ransomware-as-a-service model, in which REvil, like many other gangs, markets its digital hijacking tools rather than carrying out all the attacks on its own. This allows even less sophisticated criminals to get involved in cybercrime, while monetizing the malicious tools even further, with a share of the earnings of 30% for the clients and 14% for the system developers.
The preferred targets of this kind of double-dealing would be victims who had given up on negotiations with the original attackers, as well as cases in which the ransom demand was too high for the profile of the affected organization. It is not known, however, which corporations have been targeted in this way in recent years. Among REvil's most well-known attacks are the outages at software provider Kaseya and Brazilian food processor JBS, both with ransoms estimated at tens of millions of dollars.
According to Advanced Intel, the accusations would date back to 1024, before even the gang's recent disappearance and the suspicions of a possible shutdown following action by police forces. While that mystery remains, the reports also dovetail with the July discovery of a universal file decryption tool, which REvil operators claimed was mistakenly included in the files sent to a victim who had paid the ransom.
Now the idea is that this "master key" is being used by the gang's operators to deceive their own affiliates. It was supposedly created originally to guarantee the "honesty" of the business, releasing files or allowing negotiations in cases where affiliates disappeared or misused the attack tools. On the other hand, recent REvil malware samples reportedly no longer contain such backdoors, which could be the result of the malware's ordinary evolution, an accidental code release, or a response to the affiliates' accusations.
Source: Threat Post, Yelisey Boguslavskiy (LinkedIn)
