Drama in the hacker underground: The notorious ransomware gang REvil, which is responsible, among other things, for the attack on the US company Kaseya, is accused by its partners of having cheated them. According to discussions in various Russian-language forums, the partners did not receive their share of ransom payments made by the victims, on which REvil takes a 30 percent commission. REvil had built a backdoor into its infrastructure that allowed the extortion group to cut off ransom negotiations between its partners and the victims of REvil malware (also known as Sodinokibi) and to continue negotiating itself.
Security researchers describe the business model of hacker groups like REvil and Darkside as ransomware-as-a-service. The hacker groups rent the malware they have developed, together with the associated decryption and payment infrastructure, to other criminals, so-called affiliates or partners. In the case of REvil, the backers receive 30 percent of the partners’ revenues. In the past, however, it has happened again and again – for example in the case of the Darkside gang – that such a gang seizes payments or cheats its partners in other ways. As an English proverb says: There is no honor among thieves.
The hacking court is in session
As ThreatPost, the news website operated by the antivirus manufacturer Kaspersky, reports, REvil’s partners are making serious allegations against the ransomware gang in the wake of the group’s comeback. To this end, they have convened a so-called “hacker court”: a kind of strictly regulated forum thread in an underground forum, in which members can bring accusations against other forum members.
Whether these discussions really lead to fraudulent members of such underground communities being punished, or to money allegedly owed being repaid, is questionable. But the proceedings of the “hacker court” will undoubtedly damage the reputation of the REvil gang, which could affect its comeback. Criminals have no honor, but business reputation is everything, even in this environment.
Backdoor and Double Chat
According to the allegations, the REvil masterminds built a backdoor into their malware infrastructure that allows them to take control of the malware or its decryption functions away from partners. In addition, they probably have the ability to intervene in the criminals’ chats with their victims (what is referred to in these circles as “double chat”).
The REvil masterminds intervened in ransom negotiations in an almost perfidious way, say their partners. While the partners were chatting with the victims via the REvil platform and negotiating the ransom for their encrypted files, REvil gang members slipped into the chat and sent messages to both parties, acting as a man-in-the-middle, so to speak. While they told their partners, supposedly on behalf of the victims, that the victims did not want to pay a ransom and that the negotiations were over, they took over the negotiations with the victims themselves and in the end collected the entire ransom – instead of the 30 percent they were actually entitled to.
Since the partners of such ransomware gangs bear a large part of the risk, because it is they who have to place the malicious code in the victims’ networks, they are understandably angry when they are deprived of their – in their opinion – hard-earned wages. Security researchers and the victims of the extortion gangs are more likely to be amused by the drama in the hacking underground. With a little luck, the reputation of the REvil gang will be so badly damaged that sooner or later it disappears from the scene. Despite all the schadenfreude over the criminals’ mishap, past experience teaches us that in this case a new gang will probably simply take the place of the ousted crooks.