REvil customers complain ransomware gang uses backdoors to filch ransoms
There is no honour among thieves
Security intelligence vendor Flashpoint claims to have found forum comments from customers of the REvil ransomware-as-a-service gang, and they’re not happy. The gang's malware may contain backdoors that REvil uses to restore encrypted files itself.
REvil's modus operandi is to rent its malware to other evildoers, in return for a hefty cut of any ransoms paid by victims.
Flashpoint writes that the "Exploit" forum has recently featured posts from a threat actor complaining about the backdoor, and about the fact that its presence meant REvil could let its customers do all the hard work of arranging an infection, then subvert communications with victims and keep the entire ransom for itself.
Other chat in the forum, Flashpoint asserts, includes complaints about REvil's behaviour, and the futility of attempting to negotiate with the gang.
One thread seen by Flashpoint apparently features a ransomware business complaining about "lousy partner programs".
Flashpoint has shared one screenshot of chat on Exploit. The Register has translated it from the original Russian, and it does appear to comprise chat about REvil's code.
But we'll have to take the firm's word for it on the content of other Russian crime forum posts, while noting that Brian Krebs reported in March 2021 that three such forums were breached.
On the other hand, as the old saying goes: there is no honour among thieves. The Register would not be the least bit surprised to learn that applies to ransomware gangs, too. ®