A Backdoor Was Added by the REvil Ransomware Developers in an Attempt to Cheat Affiliates
It Looks Like the Operators Have Left Their Partners Out of the Deal and Stolen the Entire Ransom.
The REvil ransomware operators may have been hijacking ransom negotiations and cutting their affiliates out of payments.
As explained by my colleague Elena, REvil is a highly evasive and upgraded RaaS operation.
REvil uses a particular social engineering move: the affiliates who spread it threaten to double the ransom if it is not paid within a set number of days.
This is the aspect that makes REvil, also known as Sodinokibi ransomware, dangerous for companies of all sizes.
As thoroughly explained by Vladimir in his article, Ransomware-as-a-Service works as an illicit ‘parent-affiliate(s)’ business infrastructure, and in this type of ecosystem, the operators are the ones that provide tools to affiliates with the end purpose of carrying out ransomware attacks.
The REvil operators are apparently using a cryptographic scheme that lets them decrypt any system locked by the ransomware, which in turn lets them cut their partners out of the deal.
This isn’t the first time this method has been mentioned; discussions began a while ago on underground forums, in messages from gang collaborators, and have lately been validated by security experts and malware developers.
Individuals who offered network access, penetration-testing services, VPN specialists, and potential affiliates were among those who participated in the REvil ransomware assaults.
According to Boguslavskiy, REvil admins allegedly set up a second chat, a duplicate of the one their affiliate was using to negotiate a ransom with the victim.
When negotiations hit a stalemate, REvil would take over: posing as the victim, they would withdraw from the negotiations as if the ransom were not going to be paid.
These claims appear credible, as an underground malware reverse engineer provided evidence of REvil’s double-dipping practices.
According to BleepingComputer, researcher Fabian Wosar had previously given a clear explanation of how REvil’s cryptographic scheme works: the operator uses four sets of public-private keys for the encryption and decryption tasks:
- An operator/master pair that has the public part hardcoded in all REvil samples
- A campaign pair, whose public part is stored in the configuration file of the malware as a PK value
- A system-specific pair – generated upon encrypting the machine, with the private part encrypted using both the public master and campaign keys
- A key pair generated for each encrypted file
The private file key and the public system key are then used as inputs to ECDH over Curve25519 to derive the Salsa20 key (the shared secret) that actually encrypts the file content.
Because the system private key is the only key needed to decrypt individual files, it is the key that unlocks a machine. It can be recovered with either the master private key, which only the REvil operators hold, or the affiliate’s campaign private key.
REvil’s insurance against rogue affiliates is the master private key, which allows them to decrypt any victim.
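To make the key hierarchy above concrete, here is an added model of it, written for this page as example code; it is not REvil code and nothing in it was recovered from samples. It uses a pure-Python X25519 (RFC 7748) so it runs offline, a SHAKE-256 keystream as a stand-in for Salsa20, and an ECIES-style ephemeral-ECDH wrap for the two escrow copies of the system private key (the page does not describe REvil's actual blob layout, so that wrap format is an assumption). It works on an in-memory byte string rather than files, and the function and variable names (`wrap_key`, `encrypt_file`, `demo`, and so on) are hypothetical. What it demonstrates is the property the analysis turns on: the same system private key is escrowed to two independent recipients, so the holder of the master private key can decrypt any victim without the affiliate's campaign key, and vice versa.

```python
import hashlib
import os
from typing import Dict, Tuple

# Constructed model of the four-tier key hierarchy described above.
# Hypothetical names throughout; not REvil's code or blob format.

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """RFC 7748 X25519: scalar multiplication with a Montgomery ladder."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair() -> Tuple[bytes, bytes]:
    """Fresh Curve25519 pair: (private scalar, public u-coordinate)."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for Salsa20 (not in the stdlib): SHAKE-256 keystream XOR.
    Every key in this model is used for exactly one message, so no nonce."""
    ks = hashlib.shake_256(b"model-stream|" + key).digest(len(data))
    return bytes(x ^ y for x, y in zip(data, ks))


def wrap_key(recipient_pub: bytes, secret: bytes) -> Tuple[bytes, bytes]:
    """Escrow `secret` to a public key: ephemeral ECDH, then stream-XOR.
    Returns (ephemeral public key, ciphertext); ECIES-style, assumed layout."""
    eph_priv, eph_pub = keypair()
    return eph_pub, keystream_xor(x25519(eph_priv, recipient_pub), secret)


def unwrap_key(recipient_priv: bytes, eph_pub: bytes, blob: bytes) -> bytes:
    """Only the holder of the recipient private key can reverse wrap_key."""
    return keystream_xor(x25519(recipient_priv, eph_pub), blob)


def encrypt_file(system_pub: bytes, content: bytes) -> Tuple[bytes, bytes]:
    """Per-file pair; shared secret with the system public key is the content key."""
    file_priv, file_pub = keypair()
    shared = x25519(file_priv, system_pub)
    return file_pub, keystream_xor(shared, content)


def decrypt_file(system_priv: bytes, file_pub: bytes, blob: bytes) -> bytes:
    """Recover the same shared secret from the other side of the ECDH."""
    return keystream_xor(x25519(system_priv, file_pub), blob)


def demo() -> Dict[str, bool]:
    """Walk the hierarchy: master pair (operators), campaign pair (affiliate
    config PK), system pair (per victim machine), file pair (per file)."""
    master_priv, master_pub = keypair()
    camp_priv, camp_pub = keypair()
    sys_priv, sys_pub = keypair()
    # Two independent escrow copies of the system private key.
    by_master = wrap_key(master_pub, sys_priv)
    by_campaign = wrap_key(camp_pub, sys_priv)
    sample = b"constructed sample file content"  # constructed, not a real file
    file_pub, blob = encrypt_file(sys_pub, sample)
    from_master = unwrap_key(master_priv, *by_master)
    from_campaign = unwrap_key(camp_priv, *by_campaign)
    return {
        "master_recovers": decrypt_file(from_master, file_pub, blob) == sample,
        "campaign_recovers": decrypt_file(from_campaign, file_pub, blob) == sample,
        "wrong_key_fails": decrypt_file(os.urandom(32), file_pub, blob) != sample,
    }


def rfc7748_selftest() -> bool:
    """Check the ladder against the RFC 7748 section 6.1 test vectors."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    a_pub = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
    b_pub = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
    shared = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")
    return (x25519(a, BASEPOINT) == a_pub and x25519(b, BASEPOINT) == b_pub
            and x25519(a, b_pub) == shared and x25519(b, a_pub) == shared)


if __name__ == "__main__":
    print("RFC 7748 vectors ok:", rfc7748_selftest())
    print(demo())
```

For an incident responder the property to take away is that recovery never needs both escrow holders: whoever holds the master private key can produce the system private key for every machine covered by the hierarchy, regardless of which affiliate's campaign key is in the sample's configuration. That is exactly why a single master key is enough to decrypt any victim, and why an affiliate's campaign key gives the affiliate no protection against the operators.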