REvil ransomware group ripping off own co-conspirators, researchers claim

ByCraig Haley

The old saying goes that there is no honour between thieves, and that particular adage is proving itself true as the developers of the “for-hire” REvil ransomware have been reportedly scamming their own affiliates out of money.

So what’s going on?

Our regular readers will be familiar with the concept of “for-hire” ransomware, commonly referred to as RaaS (Ransomware-as-a-Service). It is when a group of cybercriminals develop ransomware – which is malware that encrypts files when it infects a victim’s device and the crooks can then demand a ransom from the victim to get their files back – and then rent it out to other groups of cybercriminals, known as “affiliates”.


Sponsored Content. Continued below...




The affiliates are responsible for finding a victim and infecting their networks and devices and then negotiating a ransom. If the victim pays the ransom, it is split between the ransomware developers (REvil in this case) and the affiliates who launched the attack.

But there is a level of trust that the affiliates must have in the ransomware developers. It is, after all, the ransomware developers who can theoretically program their malware to do anything they please, including fleecing the affiliates by allowing the ransomware developers to hijack ransom talks with the victim and keep all the money for themselves.

And that is apparently what the REvil ransomware group have been doing. Reports suggest that after the affiliates target and infect a victim – usually at their own expense – the REvil group have been hijacking the subsequent ransom “negotiation” talks with the victim once those talks reach a crucial stage.


Sponsored Content. Continued below...




At that point, REvil trick their own affiliates by pretending to be the victim and saying they will not pay the ransom and shutting down the conversation. In the meantime, REvil take over the conversation with the real victim and offer instructions on how the victim can pay – with all the money going into cryptocurrency wallets of REvil, leaving their affiliates out of the loop and clueless as to what has just occurred.

It is, of course, always difficult to determine exactly how things play out in the shadows of the Internet. It’s not likely that the REvil group or their affiliates will be conducting press conferences on what has been happening.

But if this is happening – and a number of security researchers claim that it is – it could be a sign that the REvil group are planning to move away from the RaaS business model into something else and taking as much cash as possible on the way out. After all, ripping off their affiliates is hardly a sustainable business model.