The notorious ransomware gang that operates under the moniker REvil is not to be trusted, according to a fellow ransomware criminal and former REvil ‘partner’.
Risk intelligence company Flashpoint has published a blog post that includes forum comments offering some insight into how the international gang responsible for the recent Kaseya and JBS attacks deals with its ‘partners’, and implying that it may be less than scrupulous when it comes to paying them.
These outsiders, whom Flashpoint refers to as ‘affiliates’, provide access to victims’ networks and often handle the negotiation with victims in exchange for up to 70 percent of any extorted funds, the blog said.
This model is known as ransomware-as-a-service (RaaS): the core group supplies the ransomware and the extortion infrastructure, while affiliates carry out the intrusions, which in some ways parallels the operating model of much of the managed services industry.
However, it seems that some of these affiliates are not so happy with the way that REvil handles business, including taking over discussions with victims and cutting the partner out of the deal entirely.
One former affiliate, known as Signature, posted on the Russian-language cybercrime forum Exploit to complain about being cheated by REvil. He had previously opened an arbitration case on the forum to try to claim back his share of the money he had extorted from a victim company.
“One Exploit user said that this is the first time they are hearing of major ransomware groups stealing profits from their alleged partners. The user compared REvil’s behavior to scamming methods used by low level carders,” the blog said.
“Another Exploit user said they were tired of ‘lousy partner programs’ used by ransomware collectives ‘you cannot trust’ and further speculated that REvil would survive and thrive regardless of whether their reputation takes a real hit among fellow threat actors.”
There is no detail about what these partner programs included, or whether or not the incentives ran to a REvil-sponsored fishing trip for a dozen Russian hackers.
The blog added that a user complained that “‘the Devil himself will not be able to figure out’ arbitration cases against REvil since the matter has gotten too complicated – and that arbitration might be prohibited anyway because some forums have purportedly instituted a ransomware ban.
“Another threat actor echoed these sentiments that opening up arbitration cases against REvil would be useless, like ‘arbitrat[ing] against Stalin’.”
It seems that ‘honour among thieves’ might make a better idiom than an ideal.