Discovery of REvil Backdoor Roils Its Ransomware-As-A-Service Clients

Implicated in a number of high-profile attacks over the past year, the REvil ransomware has become something of a cybersecurity household name. It’s one of the largest and most frequently solicited ransomware-as-a-service operations, but it may be losing some business now that a disgruntled former client has leaked code demonstrating that the group can backdoor its own customers.

The code shows that the central REvil group is able to directly restore files that affiliates have encrypted, and can also hijack chat sessions to route payments from victims to themselves rather than the affiliate. The incident also highlights the world of underground arbitration disputes, in which threat actors hash out differences in public forums somewhat reminiscent of the scenes of Mafia families meeting in the Godfather movies.

REvil ransomware group makes waves in criminal underground after abrupt disappearance

REvil exploded onto the scene and began attacking high-profile targets in 2020, but was most famous for its role in the attacks on meat packing giant JBS and managed service provider Kaseya in 2021. The outfit is among a handful of big names in the ransomware-as-a-service space, striking affiliate arrangements with smaller and less sophisticated criminal groups. These groups gain access to target systems, generally via phishing, and can then deploy the pre-packaged REvil ransomware complete with use of its payment and communications infrastructure. REvil generally takes a cut of up to 30% of the eventual ransom payment from the affiliate.

The attack on Kaseya appeared to temporarily hobble REvil, as its servers and tools for affiliates disappeared from the dark web suddenly in mid-July just about two weeks after the incident started making the news. But the group returned in early September, resuming operations and tallying new victims as REvil ransomware was once again spotted in the wild.

The long disappearance apparently rankled some of its affiliates, however, as they were still negotiating payments with victims when the payment portal and other tools disappeared without warning in July. In the midst of back-and-forth between cybercriminals on an underground Russian-language forum, security researchers with Flashpoint discovered that one of the affiliates had leaked REvil ransomware code demonstrating backdoor capabilities that could effectively cut the affiliate out of the ransom process entirely, should REvil so desire.

Part of the REvil ransomware-as-a-service package is a chat server that affiliates can use to hide their identities and locations while communicating with victims. The code snippets reveal that REvil has the ability to step in and create a “parallel chat” at any time, potentially redirecting the entirety of the victim’s payment to themselves rather than the affiliate. REvil also retains the ability to decrypt a victim’s files without the knowledge or approval of the affiliate, allowing them to complete a ransomware payment transaction while cutting the affiliate out entirely.

No honor among thieves

Flashpoint mentioned that its security researchers have seen evidence of such a backdoor in the REvil ransomware since July, but this is the first clear proof that it exists. The information came out during a dispute between REvil and an affiliate called “Signature” on the underground forum Exploit, which is used for arbitrating disagreements between criminal groups. Signature posted the code snippets as evidence that REvil had inserted themselves into the negotiation process and shorted the affiliate some $7 million.

Follow-up research from security firm Advanced Intel indicates that REvil has, on at least several occasions, conducted these parallel chats in secret with the victims of their affiliates. If they secure an agreement to pay from the victim, REvil poses as the victim in the original chat and tells the affiliate they are refusing to pay. In some cases, affiliates have not been aware at all that they were being duped.

Advanced Intel also found that the backdoor has been removed in the most recent samples of the REvil ransomware. A recently-released universal decryptor key, provided to the public by BitDefender last week, may have been the reason why the backdoor was removed.

While there may be no real honor among thieves, there are at least some attempts at community policing on these underground forums when groups such as REvil get out of hand. There has been chatter about banning the group from participation in a number of the most frequently-used dark web forums of this nature, which could be a fatal blow for a criminal team that has already gained the special attention of international law enforcement agencies. Other threat actors have similarly suffered due to self-policing amongst the higher levels of ransomware gangs; for example, the Conti ransomware group was dealt a serious blow earlier this month as an upset affiliate leaked the “training” materials that the group sends to its new clients.