REvil, a private ransomware-as-a-service (RaaS) group operating out of Russia, has reportedly resumed operations with a plan to cheat its own affiliates. According to security researchers, the gang is defrauding its partners so that it can keep the entire ransom paid by victims.
The REvil RaaS operators are reported to have carried out this plan using newly discovered backdoors in the ransomware combined with a double-chat setup. The double chat lets the operators hijack the active ransom negotiations that affiliates are conducting with victims, while the backdoor lets the operators decrypt files and workstations without the affiliate's involvement.
The double-chat scheme works by presenting the victim with two identical negotiation chats: one operated by the affiliate and a second operated by REvil itself. Under the usual arrangement, the affiliate receives 70% of the victim's ransom payment and the remaining 30% goes to the REvil operators in return for supplying the ransomware payload. With the new scheme, REvil can take over the negotiation and collect the affiliate's share as well, keeping 100% of the victim's payment.
Frustrated by the double-chat scheme, the cheated affiliates have turned to the so-called Hacker's Court, an underground arbitration process, and are reported to be seeking the return of more than $21.5 million that REvil allegedly stole from them. The affiliates also aired their grievances on a criminal forum, stating that REvil's management deliberately built backdoors into the ransomware and set up the double-chat scheme in order to interfere with their ransom negotiations with victims.
Predicted fate of the REvil ransomware gang, according to analysts
After a hiatus, the REvil ransomware gang has returned with new plans. According to researchers, the group is attempting to repair its relationship with the aggrieved affiliates, but the affected affiliates do not appear convinced and have instead taken the dispute to underground forums, where they opened an arbitration case against the group. Many analysts expect REvil to come under increasing pressure as more affiliates come forward with their own complaints against the gang.