Cyber criminals using a ransomware-as-a-service program have complained that the group they rent the malware from could use a hidden back door to tap ransom payments for themselves.
REvil is one of the most notorious and widespread forms of ransomware and has been responsible for several major incidents. The group behind REvil leases their ransomware to other crooks in exchange for a share of the profits those partners make by extorting Bitcoin payments in exchange for the ransomware decryption keys the victims need.
But it seems that REvil’s backers haven’t had enough: it was recently revealed that their product has a secret back door built into it that allows REvil to restore the encrypted files without the partner’s involvement.
This could allow REvil to take over the negotiations with the victims, hijack the so-called “customer support” chats – and steal the ransom payments for themselves.
Analysis of underground forums by Flashpoint’s cybersecurity researchers suggests that the REvil backdoor disclosure was not well received by partners.
One forum user said he knew of REvil’s tactics and that his own plan to extort $7 million from a victim came to an abrupt end. He believes that one of the REvil authors used the back door to take over the negotiations and ran away with the money.
Another user on the Russian-language forum complained about “lousy affiliate programs” run by “ransomware groups that cannot be trusted,” but also hinted that REvil’s status as one of the most lucrative ransomware-as-a-service programs means that would-be ransomware scammers will still flock to become partners. This is especially the case now that the group is back in operation after appearing to have taken a break over the summer.
For the scammers who believe they have been betrayed, there is not much they can do (and few feel sorry for them). One forum user said that any attempt to deal with this situation is as useless as the attempt to arbitrate “against Stalin”.
Ransomware remains one of the most important cybersecurity problems facing the world today. Ultimately, it doesn’t matter to the victims of ransomware attacks who is on the other end of the keyboard demanding payment for the decryption key – many will simply choose to pay the ransom because they consider it the fastest way to get their network back.
But even if victims do pay the ransom – which is not recommended as it will encourage further ransomware attacks – rebuilding the network can be a slow process and it can take weeks or months to fully restore services.
Whether it’s REvil or another gang of ransomware, the best way to avoid being interrupted by a ransomware attack is to prevent attacks in the first place.
One of the most important measures organizations can take to prevent ransomware attacks is ensuring that operating systems and software across the network are patched with the latest security updates, so that cybercriminals cannot easily exploit known vulnerabilities to get their first foot in the door.
In addition, all users should use multi-factor authentication, so that attackers cannot break into the network with stolen usernames and passwords alone.