Cybercriminals who rent ransomware services to extort victims may themselves be robbed by the very groups that supply those tools under the Ransomware-as-a-Service (RaaS) model.
According to BleepingComputer, conversations on dark-web cybercriminal forums indicate that the operators of the REvil ransomware, one of the most prominent RaaS providers (with victims such as JBS, Acer, TJ-RS, Light, Grupo Fleury and Gigaset, among others), built the malware with a backdoor that lets the operators negotiate with and receive payment from the victim directly, bypassing the affiliate who carried out the attack and keeping the affiliate's share of the ransom.
In a typical RaaS operation, one group develops the ransomware and leases it to other cybercriminals (affiliates) who are interested in attacking and infecting victims. The ransomware encrypts the victim's data and demands a ransom for its recovery. The ransom is then split between the developers and the affiliate who infected the victim.
Nonetheless, according to analysis by researchers at Advanced Intel, the REvil group may have been deceiving its "customers" and preventing them from receiving their share of the ransom, which is typically somewhere between 70% and 80% of the amount paid.
Advanced Intel's head of research, Yelisey Boguslavskiy, revealed that in 2020 several cybercriminals who had rented ransomware services claimed that the operators were taking over negotiations with victims in secret chats, without the consent of the affiliates (the customers), and collecting the entire payment.
According to Boguslavskiy, REvil's administrators allegedly opened a second chat, identical to the one the affiliate was using to negotiate the ransom with the victim. This direct channel to the victim was dubbed a "cryptobackdoor", and its existence was only confirmed after Advanced Intel's research team analyzed ransomware samples developed by REvil.
"The specialists analyzed the recently published REvil samples and have identified a backdoor that allows you to decrypt workstations and files. By using the backdoor, REvil can hijack the ransom payment during active trading with affiliates and obtain full payment. The backdoor also allows you to secretly decrypt files", the researcher said in a post on LinkedIn.
Sources: BleepingComputer; Yelisey Boguslavskiy, TheHack.