Malware Operators Are Now Allegedly Stealing Ransomware Bounties From Their Own Affiliates

ransomware infighting topimage
A lot of folks buying (legitimate) software are disgruntled about the rise of "software as a service," or SaaS. Proponents claim that the continued payments enable further development of useful applications, while opponents complain that they end up paying far more than they might under a more traditional "buy to own" model. Customers also voice concerns that automatically-updating software might break, or remove useful features.

If legitimate customers are frustrated by the SaaS model, one can only imagine how annoying it must be that malware providers have moved to the same sort of system. Last week's "Bloodystealer" trojan is primarily sold that way, and so is REvil, arguably the most notorious of the common ransomware packages. REvil was used in the major ransomware attack against Kaseya earlier this year.

According to threat intelligence vendor Flashpoint Intel, REvil—also the name of the black hat group that created the eponymous malware—coordinates with affiliates to perform ransomware attacks. The affiliates negotiate the ransom with the victim, and then collect a portion (up to 70 percent) for themselves while REvil itself gets the rest.

Lately, however, some of the group's affiliates are seeing red at the reveal of a hidden backdoor in REvil's malware that allows the group to restore the encrypted code without the involvement of its affiliates. That allows REvil to intercept negotiation between affiliates and victims and collect the entire ransom for itself. The firm quotes one user as saying he's tired of "lousy partner programs," yet going on to state that he expects REvil will continue to thrive even if their reputation is in the toilet.

Flashpoint says that the backdoor was probably found months ago, and indeed, quotes a threat actor called "Signature" who said as much after they were kicked out of a $7 million arbitration, likely because of REvil's intervention. The intel group also cites "LockBitSupp," saying that "many REvil affiliates share suspicion towards REvil"—although that user is a representative of another ransomware platform, so who knows how much weight their words carry.

Ransomware attacks are currently one of the largest cybersecurity threats facing businesses, but it is possible that they'll become less popular, at least temporarily. Flashpoint notes that cybercriminals at large are expressing resentment toward black hats that wield ransomware weapons because high-profile attacks (like the aforementioned Kaseya incident) have drawn intense scrutiny on their communities from global law enforcement. The group even says that some communities of malware operators have even banned ransomware altogether.