Karmic justice

It seems that the old saying "there is honor among thieves" does not extend to cybercriminals. Gangs using ransomware-as-a-service schemes complain that the criminals they rent the malware from are stealing from them.
ZDNet writes that the group behind the notorious REvil ransomware, the same one used in the attacks on Kaseya, Acer, and Apple’s manufacturing partner Quanta, rents the malware to other criminals in exchange for a share of the victims’ ransom.
Surprisingly, it seems that this group of thieves cannot be trusted. On September 20, a threat actor discovered a secret backdoor in the REvil ransomware program that allows the malware's creators to restore encrypted files without any involvement of the affiliates who carried out the attack.
The backdoor also means that the REvil group can hijack the support chat negotiations with victims and take over all of the ransom payments.
Risk intelligence firm Flashpoint writes that there has been an outcry over the discovery on underground Russian forums, with one user claiming that the backdoor caused negotiations for a $7 million ransom payment to end abruptly. Another complained of "lousy partner programs" run by ransomware collectives "that cannot be trusted." Affiliates in this position have little recourse. One said that trying to deal with the group was like "referee[ing] against Stalin".
Flashpoint cybersecurity analysts note that the number of high-profile ransomware attacks has heightened attention to cybercriminal communities, leading to increased animosity towards threat actors involved in ransomware.
Even if REvil's reputation among other criminals suffers, many believe that the group will continue to survive and prosper. According to Technology Monitor, REvil is, alongside Conti, the most common ransomware variant, found in 13.1% of incidents this year.
Image Credit: Africa study, Andrey_Popov