REvil ransomware group ripping off own co-conspirators, researchers claim

The old saying goes that there is no honour between thieves, and that particular adage is proving itself true as the developers of the “for-hire” REvil ransomware have been reportedly scamming their own affiliates out of money.

So what’s going on?

Our regular readers will be familiar with the concept of “for-hire” ransomware, commonly referred to as RaaS (Ransomware-as-a-Service). Under this model one group of cybercriminals develops the ransomware – malware that encrypts the files on a victim’s devices so that the crooks can demand a ransom in exchange for restoring access – and then rents it out to other groups of cybercriminals, known as “affiliates”.

The affiliates are responsible for finding a victim, infecting their networks and devices, and then negotiating a ransom. If the victim pays, the money is split between the ransomware developers (REvil in this case) and the affiliates who carried out the attack.

But the affiliates must place a great deal of trust in the ransomware developers. It is, after all, the developers who control both the malware and the back-end infrastructure through which ransom negotiations take place, and who could therefore arrange things so that they can step into the ransom talks with a victim and keep all the money for themselves.

And that is apparently what the REvil ransomware group have been doing. Reports suggest that after the affiliates target and infect a victim – usually at their own expense – the REvil group have been hijacking the subsequent ransom “negotiation” once those talks reach a crucial stage.

At that point, REvil trick their own affiliates by posing as the victim, saying they will not pay the ransom and shutting down the conversation. In the meantime, REvil take over the conversation with the real victim and provide instructions on how to pay – with all the money going into cryptocurrency wallets controlled by REvil, leaving the affiliates cut out of the deal and unaware of what has just happened.

It is, of course, always difficult to determine exactly how things play out in the shadows of the Internet. Neither the REvil group nor their affiliates are likely to hold press conferences about what has been going on.

But if this is happening – and a number of security researchers claim that it is – it could be a sign that the REvil group are planning to move away from the RaaS business model into something else and are grabbing as much cash as possible on the way out. After all, ripping off their own affiliates is hardly a sustainable business model.
