The REvil ransomware gang is notorious for their disruptive, damaging and indiscriminate ransomware attacks. The group has launched cyber attacks on critical infrastructure organizations, military contractors, IT firms and other prominent groups. REvil, also known as Sodinokibi, is known for its Ransomware-as-a-Service business model. Emerging evidence suggests that REvil operators are now stealing funds from those who work for the group.

A cyber criminal claims to have identified a secret “cryptobackdoor” in REvil’s ransomware code, which allegedly enables REvil to peel ransomware proceeds away from affiliates. Specifically, the backdoor gives REvil the capability to independently restore encrypted files, without affiliate involvement.

Last week, an anonymous cyber criminal disclosed information about the alleged backdoor on a Russian-language underground forum. The individual stated that REvil uses the backdoor to rob affiliates after cajoling them into executing the heaviest lifts involved in ransomware compromise and infection. A representative of the LockBit ransomware gang has also observed that numerous REvil affiliates harbor suspicions about their ‘employer.’

Cyber security researchers are continuing to study the tumultuous dynamics of the cyber underground. Could unstable dynamics provide international authorities with new and unprecedented opportunities to disrupt operations?

Details: The REvil revelation

Another threat actor, known as Signature, has further corroborated stories about how REvil robs affiliates via a backdoor. This individual expressed great displeasure regarding REvil’s scamming-the-scammer approach. In theory, threat actors who work for REvil receive 70% of profits, while the REvil gang keeps 30%.

REvil appears to have been using double chats with ransomware victims: two parallel chats that allowed REvil’s leadership to impersonate the victim and feed the affiliate false information about how much the victim would or would not be willing to pay. A well-known member of a cyber crime syndicate stated that he had been scammed out of $21 million in profits after admins had leveraged the double chat capability.

REvil, what’s next…

Experts state that the ransomware backdoor may have existed since REvil started operations. However, it appears to have been removed when REvil returned from its two-month hiatus in September. Why remove the backdoor now?

Broadly speaking, animosity between threat actors has increased since a high volume of malicious cyber campaigns has appeared on law enforcement’s radar. If ransomware gangs continue to deceive and underpay affiliates, might affiliates turn over information to law enforcement?

Protecting your business from ransomware

Consider an anti-ransomware protection solution that can stop the most sophisticated of ransomware attacks and that can help safely recover encrypted data, which ensures business continuity and productivity. Anti-ransomware products are crucial when it comes to avoiding security breaches and data compromise.

Reducing your attack surface and following best practices will also decrease the likelihood of a successful ransomware attack. Against the backdrop of cyber security awareness month, organizations are encouraged to provide education and training for employees about ransomware. For innovative cyber security awareness month ideas, click here. For further insights into the REvil ransomware gang, click here. Lastly, to receive cyber security insights, analysis and resources in your inbox each week, sign up for our newsletter.