Ransomware gangs complain that other crooks are stealing their ransoms
Cybercriminals using ransomware as a service have been spotted complaining that the group they rent the malware from could use a hidden backdoor to take ransom payments for themselves.
REvil is one of the most notorious and widespread forms of ransomware and has been responsible for several major incidents. The group behind REvil rents out its ransomware to other crooks in exchange for a cut of the profits these affiliates make by extorting Bitcoin payments from victims in return for the decryption keys they need.
But it seems that the cut is not enough for those behind REvil: it was recently disclosed that a secret backdoor is coded into their product, which allows REvil to decrypt victims' files without any involvement from the affiliate who carried out the attack.
This could allow REvil to resume negotiations with victims, hijack so-called “customer support” discussions – and steal ransom payments for themselves.
Analysis of underground forums by cybersecurity researchers at Flashpoint suggests that the disclosure of the REvil backdoor was not well received by affiliates.
One forum user claimed to have had suspicions about REvil's tactics and said his own plan to extort $7 million from a victim abruptly ended. They believe that one of the REvil authors resumed negotiations using the backdoor and made off with the money.
Another Russian-speaking forum user complained of being tired of the "lousy partner programs" used by ransomware groups "that you cannot trust", but also suggested that REvil's status as one of the most lucrative ransomware-as-a-service programs means aspiring ransomware crooks will always flock to become affiliates. This is especially the case now that the group is back after appearing to take a break in early summer.
For the crooks who think they’ve been scammed, there’s little they can do (and few would have sympathy for them). A forum user suggested that any attempt to deal with this situation would be as pointless as trying to arbitrate “against Stalin”.
Ransomware remains one of the biggest cybersecurity issues facing the world today. For victims of ransomware attacks, it doesn’t matter who is on the other end of the keyboard demanding payment for the decryption key – many will simply choose to pay the ransom, seeing it as the best way to restore the network.
But even if the victims pay the ransom, which is not recommended because it encourages more ransomware attacks, restoring the network can still be a slow process, and it can take weeks or months before services are fully restored.
Whether it’s REvil or any other ransomware gang, the best way to avoid the disruption of a ransomware attack is to prevent the attacks in the first place.
One of the main ways organizations can help stop ransomware attacks is by making sure that operating systems and software on the network are patched with the latest security updates, so that cybercriminals cannot easily exploit known vulnerabilities to gain an initial foothold.
Multi-factor authentication should also be applied to all users, to provide a barrier against attackers who would otherwise use stolen usernames and passwords to move around a compromised network.