It seems the old proverb “there is honor among thieves” doesn’t extend to cybercriminals. Gangs using ransomware-as-a-service plans are complaining that the crooks they rent the malware from are robbing them.
ZDNet writes that the group behind the notorious REvil ransomware—the same one used in attacks on Kaseya, Acer, and Apple manufacturing partner Quanta—leases the malware out to other criminals in exchange for a cut of the victims’ ransom.
Surprisingly, it seems this group of thieves cannot be trusted. On September 20, a threat actor discovered a secret backdoor in the REvil ransomware program that allows the creators to restore encrypted files, all without the involvement of the affiliates.
The backdoor means the REvil group can also hijack support chat negotiations with victims and take the entire ransomware payments for themselves.
Risk intelligence firm Flashpoint writes that the discovery provoked an outcry on underground Russian-language forums, with one user claiming the backdoor caused negotiations over a $7 million ransomware payment to end abruptly. Another complained of “lousy partner programs” run by ransomware collectives “you cannot trust.” Affiliates who find themselves in this position have little recourse. One said trying to deal with the group was like “arbitrat[ing] against Stalin.”
Flashpoint’s cybersecurity analysts note that the number of high-profile ransomware attacks has intensified the spotlight on cybercriminal communities, leading to increased animosity towards ransomware-involved threat actors.
Even if REvil’s reputation among fellow criminals takes a hit, many believe the group will continue to survive and thrive. According to Tech Monitor, REvil is, alongside Conti, the most common ransomware variant, found in 13.1% of incidents this year.