Cybercriminals complain that they are being deceived by the creators of ransomware


Cybercriminals who use ransomware are complaining that the malware they rent has a built-in backdoor that lets its developers intercept the ransom. According to rumors, the REvil group, which runs a ransomware-as-a-service (RaaS) operation, is cheating its own customers.

REvil leases its software to other criminals (affiliates) in exchange for a share of the ransom they collect from victims. Some of those affiliates say they have found a backdoor in the product that lets REvil decrypt a victim's files without the affiliate's involvement, and therefore negotiate with the victim directly and keep the entire ransom for itself.

According to researchers at Flashpoint, on September 20 a user of a Russian-language darknet forum found a backdoor in a sample of REvil's code and published the finding. Flashpoint analysts note that the backdoor had probably been discovered several months earlier, but September 20 was the first time concrete evidence of REvil's tactics was made public. The same user also claims that REvil can hijack an affiliate's negotiation chat with a victim in order to collect the full ransom without sharing the proceeds.

LockBitSupp, a representative of the LockBit ransomware operation, said that many in the cybercriminal community share these suspicions about REvil. One forum participant said that his attempt to extort $7 million from a victim fell through and that he suspects REvil was responsible: he believes one of the program's authors used the backdoor to intercept the ransom and disappeared with the money. Another user said this is the first known case of ransomware developers stealing profits from their own partners, and compared REvil's behavior to the fraud tactics of low-level carders.

Cybercriminals expect that, despite these findings, REvil will continue to thrive even if its reputation among other attackers is badly damaged, and they believe the underground community has little ability to do anything about REvil's alleged behavior.