Researchers have found that the creators of REvil used a scheme that let them decrypt any system locked by the ransomware and take the entire ransom for themselves.
Their affiliates ended up with nothing. Bleeping Computer reports that such rumors had circulated on hacker forums for a long time, but have recently been confirmed by security researchers and malware developers.
As a reminder, REvil (aka Sodinokibi) has existed since 2019 and is considered the successor of the GandCrab ransomware. It operates under the Ransomware-as-a-Service (RaaS) model: the developers maintain the malware and the payment sites, while hired affiliates (partners) break into victims' networks and encrypt devices. Ransom payments are then split between the group itself and its affiliates, with the latter usually receiving 70-80% of the total.
Evgeny Boguslavsky, a specialist at Advanced Intel, told reporters that since at least 2020 there have been rumors on hacker forums that the creators of REvil often negotiate with victims in secret chats, without their affiliates' knowledge. These rumors grew louder after the sudden disappearance of the DarkSide and Avaddon ransomware operations (the operators of the latter even published the decryption keys for their victims).
People who had worked with REvil took part in these discussions: the group's affiliates, those who sold it access to other companies' networks, providers of "penetration testing" services, VPN specialists, and so on.
According to Boguslavsky, REvil administrators sometimes create a second chat, identical to the one their affiliates use to negotiate with the victim. When negotiations reach a tipping point, the REvil operators step in and pose as a victim who supposedly breaks off the talks abruptly and refuses to pay. In reality, the REvil authors carry on negotiating with the victim themselves, keep the entire ransom and leave their affiliates with nothing.
Recently these rumors gained substance when a reverse engineer reported on hacking forums that the REvil malware, which the RaaS operators give their affiliates to deploy on victims' networks, contains a "cryptobackdoor". The discovery followed Bitdefender's release of a universal decryptor for data encrypted in REvil attacks.
The reverse engineer also claims that REvil's affiliates were not the only ones who could decrypt a victim's systems: the malware authors held a master key with which they could recover any encrypted data.
Emsisoft's Fabian Wosar has previously explained how REvil's cryptographic scheme works:
REvil is one of the few ransomware families that actually thought about their cryptographic scheme and how to account for various situations. In fact, during an interview, they specifically mentioned how proud they are of it. You'll see why.
— Fabian Wosar (@fwosar) July 3, 2021
The malware uses four public/private key pairs, each responsible for a different encryption or decryption task:
- An operator (master) pair, whose public part is hardcoded in every REvil sample.
- A campaign pair, whose public part is stored in the malware configuration as the PK value.
- A system-specific pair, generated while a machine is being encrypted; its private part is stored encrypted under both the master public key and the campaign public key.
- A key pair for each encrypted file.
“The file’s private key and public system key are used as input to ECDH using Curve25519 to generate a Salsa20 key (called a shared secret) that is used to actually encrypt the contents of the file,” wrote the expert.
The system private key is what unlocks a machine, because it is the one key needed to recover the per-file keys. It can be restored either with the master private key, held only by the REvil authors, or with the campaign private key held by the affiliate. Wosar noted that the master private key is REvil's insurance against affiliates who cheat the operators: it lets the malware authors decrypt any victim's files.
To access the REvil payment portal, the attacker needs the data block contained in the ransom note. This opaque string encodes information about the machine, the campaign, the malware version, and the encrypted system private key.
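The key hierarchy above, as an added model that is not REvil's code: X25519 (RFC 7748) and Salsa20 are implemented inline so it runs on the standard library alone, and it shows why holding either the master private key or the campaign private key is enough to recover every file of a victim, while any other key yields garbage. REvil's actual wrapping format, nonce handling and ransom-note encoding are not described on the page; the ECIES-style "fresh pair plus ECDH plus Salsa20" wrap used for both the system-key blobs and the files is an assumption, as are the names and the sample files.

```python
# Added example (not REvil's code): model of the four-level key hierarchy.
# Assumptions: the system private key is wrapped for the master and campaign
# public keys with the same ECDH+Salsa20 construction used for files; no
# authentication, so a wrong key gives garbage rather than an error.
import secrets
import struct

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar, point):
    """RFC 7748 Montgomery ladder: clamped 32-byte scalar times 32-byte u-coordinate."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _qr(x, a, b, c, d):
    """Salsa20 quarter-round on the 16-word state list x."""
    m = 0xFFFFFFFF
    rotl = lambda v, r: ((v << r) | (v >> (32 - r))) & m
    x[b] ^= rotl((x[a] + x[d]) & m, 7)
    x[c] ^= rotl((x[b] + x[a]) & m, 9)
    x[d] ^= rotl((x[c] + x[b]) & m, 13)
    x[a] ^= rotl((x[d] + x[c]) & m, 18)


def salsa20_xor(key, nonce, data):
    """Salsa20/20 keystream XOR (32-byte key, 8-byte nonce); encrypt == decrypt."""
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    c = struct.unpack("<4I", b"expand 32-byte k")
    out = bytearray()
    for blk in range(0, len(data), 64):
        ctr = blk // 64
        s = [c[0], *k[:4], c[1], *n, ctr & 0xFFFFFFFF, ctr >> 32, c[2], *k[4:], c[3]]
        x = list(s)
        for _ in range(10):  # 10 double rounds: 4 column + 4 row quarter-rounds each
            for q in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
                      (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
                _qr(x, *q)
        ks = struct.pack("<16I", *[(u + v) & 0xFFFFFFFF for u, v in zip(x, s)])
        out += bytes(u ^ v for u, v in zip(data[blk:blk + 64], ks))
    return bytes(out)


def keypair():
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASEPOINT)


def seal(recipient_pub, plaintext):
    """Fresh pair; ECDH(fresh_priv, recipient_pub) is the Salsa20 key (Wosar's
    description for files). The fresh private half is discarded, the public half kept."""
    eph_priv, eph_pub = keypair()
    nonce = secrets.token_bytes(8)
    return eph_pub, nonce, salsa20_xor(x25519(eph_priv, recipient_pub), nonce, plaintext)


def unseal(recipient_priv, blob):
    eph_pub, nonce, ct = blob
    return salsa20_xor(x25519(recipient_priv, eph_pub), nonce, ct)


def encrypt_victim(master_pub, campaign_pub, files):
    """One infection: make the system pair, wrap its private half for BOTH the
    operator master key and the affiliate campaign key, encrypt every file to the
    system public key, then forget the system private key."""
    sys_priv, sys_pub = keypair()
    return {
        "for_master": seal(master_pub, sys_priv),      # the operators' backdoor route
        "for_campaign": seal(campaign_pub, sys_priv),  # the route the affiliate can open
        "files": {name: seal(sys_pub, data) for name, data in files.items()},
    }


def decrypt_victim(victim, unwrap_priv, route):
    """route is 'for_master' or 'for_campaign'; whoever holds the matching private
    key recovers sys_priv and, through it, every per-file key."""
    sys_priv = unseal(unwrap_priv, victim[route])
    return {name: unseal(sys_priv, blob) for name, blob in victim["files"].items()}


def demo():
    master_priv, master_pub = keypair()  # operator: pub hardcoded in every sample
    camp_priv, camp_pub = keypair()      # affiliate: pub shipped in config as PK
    other_priv, _ = keypair()            # a different affiliate's campaign key
    files = {"report.docx": b"constructed sample document", "db.sqlite": b"\x00" * 100}
    victim = encrypt_victim(master_pub, camp_pub, files)
    return {
        "affiliate": decrypt_victim(victim, camp_priv, "for_campaign") == files,
        "operator": decrypt_victim(victim, master_priv, "for_master") == files,
        "stranger": decrypt_victim(victim, other_priv, "for_campaign") == files,
    }


if __name__ == "__main__":
    print(demo())  # {'affiliate': True, 'operator': True, 'stranger': False}
```

The "for_master" blob is the whole story: the affiliate never sees the master private key, so from their side the sample looks like ordinary hybrid encryption keyed to their own campaign key, yet the operators can open any victim without the affiliate's involvement.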
Interestingly, keeping full control over negotiations and the ability to decrypt any system is a practice other ransomware groups follow as well. Boguslavsky says that, according to rumors, the DarkSide operators worked the same way; after rebranding as BlackMatter, they openly announced the practice, making it clear that they reserve the right to take over negotiations at any time without giving a reason.
Vitaly Kremez, head of Advanced Intelligence, told Bleeping Computer that the latest REvil samples, which appeared after the group resumed operations, no longer contain a master key that would allow decryption of any system locked by REvil.