REVil ransomware developers added backdoor to trick affiliates
Cybercriminals are slowly realizing that REvil ransomware operators may have hijacked ransom negotiations, to cut affiliate payments.
Using a cryptographic scheme that allowed them to decrypt all systems locked by the REvil ransomware, the operators left their partners out of the deal and stole the full ransom.
Conversations about the practice started some time ago on underground forums, in posts from gang collaborators, and were recently confirmed by security researchers and malware developers.
The REvil ransomware, also known as Sodinokibi, emerged in the first half of 2019 and has built a reputation as a successor to the GandCrab ransomware operation as a service (RaaS).
The RaaS cybercriminal business model involves a developer, who creates the ransomware and sets up the infrastructure, and affiliates recruited to breach victims' networks and encrypt them. The proceeds are split between the two parties, with affiliates taking the larger share (typically 70-80%).
Promoted by veterans of underground forums, the REvil gang developed a very lucrative private operation that only accepted experienced network hackers.
REvil’s reputation crumbles
While Operation REvil started out as an “honest” cybercrime venture, it quickly grew to scamming affiliates out of the promised 70% share of a ransom from paying victims.
Elisei Boguslavskiy, head of research at Advanced Intel, told BleepingComputer that since at least 2020, various actors on underground forums have claimed that RaaS operators were taking over negotiations with victims in secret chats, unbeknownst to affiliates.
The rumor gained traction after the sudden shutdown of the DarkSide ransomware operation and after Avaddon closed down, releasing the decryption keys for its victims.
The conversations involved people who played a role in the REvil ransomware attacks, such as partners providing network access, penetration testing services, VPN specialists, and potential affiliates.
Boguslavskiy says REvil admins opened a second chat, identical to the one used by their affiliates to negotiate a ransom with the victim.
When the talks reached a tipping point, REvil would take over by posing as the victim and leaving the negotiations without paying the ransom, Boguslavskiy told BleepingComputer.
The gang would then continue discussions with the real victim and collect the full ransom, with the affiliate none the wiser.
Recently, these claims gained momentum when an underground malware engineer provided evidence of REvil’s double-dipping practices. They speak of a “cryptobackdoor” in the REvil samples that the RaaS operators gave to the affiliates to deploy on the victim networks.
The engineer’s reveal comes after cybersecurity company Bitdefender released a universal REvil decryption tool that works for all victims encrypted before July 13, 2021.
[Image: the public key shown in the malware engineer’s screenshot; not reproduced here]
The malware engineer’s point is that affiliates were not the only ones who could decrypt the systems they had locked with the REvil sample they received.
REvil operators held a master key they could use to restore encrypted files on any victim.
A researcher revealed the trick in July
Fabian Wosar, the preeminent “ransomware slayer” and CTO at Emsisoft, gave a clear explanation of how REvil’s cryptographic scheme works in early July.
GandCrab’s successor uses four public-private key pairs for its encryption and decryption tasks:
- An operator / master pair, whose public part is hard-coded in all REvil samples
- A campaign pair, whose public part is stored in the malware configuration as the PK value
- A system-specific pair, generated while the machine is being encrypted, with the private part encrypted using both the master and the campaign public keys
- A key pair generated for each encrypted file
“The private file key and the public system key are then used as inputs for the ECDH using Curve25519 to generate the Salsa20 key (called a shared secret) which is used to actually encrypt the contents of the file,” Wosar explains.
The system’s private key is essential for unlocking a machine, as it is the only one required to decrypt individual files. Recovering it is possible either with the master private key, available only to REvil operators, or with the campaign private key, available to affiliates.
Wosar notes that the master private key is REvil’s insurance against rogue affiliates, allowing the operators to decrypt any victim’s files. This is also what Bitdefender used for their REvil decryption tool and probably what helped Kaseya victims recover files for free.
To access the REvil payment portal, the victim needs a data blob present in the ransom note. This seemingly random string of characters includes various data about the machine, the campaign, the version of the malware in use, and the system’s private key (encrypted as described above).
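To make the key hierarchy above concrete, here is an added toy model (written for this page, not the malware's code or any vendor's tool) of the four key pairs and the two-way wrap of the system private key. It uses a pure-Python X25519 ladder (RFC 7748) and a SHA-256-based keystream as a stand-in for Salsa20, so it runs with the standard library only; the wrapping format, the hash-to-key step and the sample files are assumptions and simplifications, not REvil's exact layout. It shows why the master key holder and the campaign key holder can each recover every file, while anyone else cannot.

```python
"""Toy model of a two-level ransomware key hierarchy (added example)."""
import hashlib
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication, RFC 7748 section 5."""
    k = _decode_scalar(scalar)
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = u * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(seed: bytes = None):
    priv = seed or os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Keystream XOR (stand-in for Salsa20): block i = SHA-256(key || i)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "little")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def seal(recipient_pub: bytes, plaintext: bytes) -> tuple:
    """ECIES-style wrap (assumed format): ephemeral pair, ECDH, hash to a key."""
    eph_priv, eph_pub = keypair()
    key = hashlib.sha256(x25519(eph_priv, recipient_pub)).digest()
    return eph_pub, stream_xor(key, plaintext)


def open_sealed(recipient_priv: bytes, eph_pub: bytes, ciphertext: bytes) -> bytes:
    key = hashlib.sha256(x25519(recipient_priv, eph_pub)).digest()
    return stream_xor(key, ciphertext)


def encrypt_system(master_pub: bytes, campaign_pub: bytes, files: dict) -> dict:
    """One infected machine: per-system pair, per-file pairs, and the system
    private key wrapped for BOTH the master and the campaign public key."""
    sys_priv, sys_pub = keypair()
    encrypted = {}
    for name, content in files.items():
        # ECDH(file_priv, sys_pub) is the "shared secret" that becomes the file key
        file_priv, file_pub = keypair()
        file_key = hashlib.sha256(x25519(file_priv, sys_pub)).digest()
        encrypted[name] = (file_pub, stream_xor(file_key, content))
    note = {  # simplified stand-in for the blob carried in the ransom note
        "sys_priv_for_master": seal(master_pub, sys_priv),
        "sys_priv_for_campaign": seal(campaign_pub, sys_priv),
    }
    return {"files": encrypted, "note": note}


def recover_system_key(note: dict, holder: str, priv: bytes) -> bytes:
    eph_pub, ct = note["sys_priv_for_" + holder]
    return open_sealed(priv, eph_pub, ct)


def decrypt_files(sys_priv: bytes, encrypted: dict) -> dict:
    # ECDH(sys_priv, file_pub) == ECDH(file_priv, sys_pub): the system private
    # key alone reopens every file, so whoever can unwrap it decrypts the machine.
    return {name: stream_xor(hashlib.sha256(x25519(sys_priv, file_pub)).digest(), ct)
            for name, (file_pub, ct) in encrypted.items()}


def demo() -> dict:
    master_priv, master_pub = keypair()        # operator only
    campaign_priv, campaign_pub = keypair()    # PK value; affiliate holds the private part
    stranger_priv, _ = keypair()               # unrelated key, e.g. a third party
    files = {"report.docx": b"quarterly numbers", "db.sqlite": b"\x00" * 70}  # constructed sample data
    locked = encrypt_system(master_pub, campaign_pub, files)
    return {
        "original": files,
        "master": decrypt_files(recover_system_key(locked["note"], "master", master_priv), locked["files"]),
        "affiliate": decrypt_files(recover_system_key(locked["note"], "campaign", campaign_priv), locked["files"]),
        "stranger": decrypt_files(recover_system_key(locked["note"], "campaign", stranger_priv), locked["files"]),
    }
```

Running `demo()` returns the recovered files for each key holder: the master and affiliate results match the originals, while the stranger's attempt yields garbage. The defensive takeaway is the one Wosar draws: a decryptor only needs the master private key (as Bitdefender's tool did), and the ransom-note blob is the only place the wrapped system key lives, so victims should preserve it.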
Keeping an ace up their sleeve that gives the operators full control over decryption of any system locked by their malware is a practice also seen with other, newer ransomware groups.
Boguslavskiy says the DarkSide ransomware gang ran its operation the same way.
After rebranding as BlackMatter, the actor was open about the practice, letting everyone know it reserved the right to take over negotiations at any time without giving a reason.
Vitali Kremez, reverse engineer and CEO of Advanced Intelligence, told BleepingComputer that the latest REvil samples, which emerged when the gang restarted operations, no longer contain the master key that allowed any system locked with REvil ransomware to be decrypted.