Ransomware groups ‘victim’ of their own malware supplier

Several ransomware gangs have recently become victims of cyber criminals themselves. The groups that carry out ransomware attacks do not always build the ransomware themselves; many rent it from other criminals or groups. To our great surprise, it turns out that the malware makers cannot be trusted either: they make off with the hard-earned ransom that their clients have extorted.

Ransomware as a Service

It is well known that the cybercriminals who create malware and ransomware rent their software as a package to less technical criminals, so-called Ransomware-as-a-Service. For example, ZDNet reports that the shadowy group behind the infamous REvil ransomware, used in the prominent attacks on Kaseya and Acer, also rents out their software to other parties. As payment, the criminals demand part of the ransom.

Back door

To the dismay of the criminal clientele, another threat actor discovered a secret backdoor in the REvil software. This allowed the creators to remotely decrypt the files and take over the negotiation chat, without the tenant of the software having any say in the matter.

Normally, decryption can only be done with a so-called decryption key, which is in the hands of the tenants. In other words, thanks to this backdoor, the REvil group can also approach the affected party directly and negotiate the ransom from under their own customers’ noses.

Whistle to your ransom

Cybersecurity firm Flashpoint reports that the findings are clearly causing unrest on shady Russian hacking forums. For example, a user claims that a $7 million ransom negotiation has suddenly come to a halt. Other users complain about the “terrible affiliate program” and the fact that they can’t really do anything against the group: “Like trying to sue Stalin,” writes a frustrated cybercriminal.

Although this does nothing for the reputation of ransomware makers, Flashpoint also indicates that REvil, with a 13% share, still remains one of the most widely used RaaS packages.

