The REvil ransomware operators may have been hijacking ransom negotiations and cutting their affiliates out of the payments.
As explained by my colleague Elena, REvil is a highly evasive and upgraded RaaS operation.
REvil uses a particular social engineering tactic: the affiliates who spread it threaten to double the ransom if it is not paid within a certain number of days.
This is the aspect that makes REvil, also known as Sodinokibi ransomware, dangerous for companies of all sizes.
As thoroughly explained by Vladimir in his article, Ransomware-as-a-Service works as an illicit ‘parent-affiliate(s)’ business infrastructure, and in this type of ecosystem, the operators are the ones that provide tools to affiliates with the end purpose of carrying out ransomware attacks.
The REvil operators are apparently using a cryptographic scheme that allows them to decrypt any system locked by the ransomware, in this way leaving their partners out of the deal.
This isn’t the first time this method has been mentioned; discussions began a while ago on underground forums, in messages from gang collaborators, and have lately been validated by security experts and malware analysts.
Individuals who offered network access, penetration-testing services, VPN specialists, and potential affiliates were among those who participated in the REvil ransomware assaults.
According to Boguslavskiy, REvil admins allegedly established a second chat, similar to the one used by their affiliates to negotiate a ransom with the victim.