Skip to content

REvil – No Honor Among Thieves

  • by

So, with Ransomware being in the news so much lately, it should come as no shock that there are some bad actors in one of the largest ransomware groups.  REvil ransomware emerged in the first half of 2019 and built a reputation as a successor of the GandCrab ransomware-as-a-service (RaaS) operation.

Promoted by veterans of underground forums, the REvil gang developed a highly lucrative private operation that accepted only experienced network hackers. This allows people with just a little bit of starting money to create a ransom infection, and they do not have to write a single line of code.

The RaaS cybercriminal business model involves a developer, who creates the ransomware malware and sets up the infrastructure, and affiliates recruited to breach and encrypt victims. The proceedings are divided between the two parties with affiliates taking the larger cut (typically 70-80%).

REvil ransomware operators may have been hijacking ransom negotiations, to cut affiliates out of payments. By using a backdoor that allowed them to decrypt any systems locked by the group’s own ransomware package, the operators left their partners out of the deal and stole the entire ransom.  Since at least 2020 various actors on underground forums claimed that the RaaS operators were taking over negotiations with victims in secret chats, unbeknownst to affiliates. 

The rumor became more frequent after the sudden shut down of DarkSide ransomware and Avaddon’s exit by releasing the decryption keys for their victims. When talks reached a critical point with their intended victim, REvil would take over by posing as the victim quitting the negotiations with the affiliate without paying the ransom, the gang would continue the talks with the victim and obtain the full ransom with the affiliate being none the wiser.

Recently, these claims got more substance as an underground malware reverse engineer provided evidence of REvil’s double-dipping practices. They talk of a “cryptobackdoor” in the REvil samples that RaaS operators gave affiliates to deploy on victim networks. This backdoor comes with a slight silver lining. The cybersecurity company Bitdefender released a universal REvil decryption tool that works for all victims encrypted up to July 13, 2021.

Originally posted on

Frankenstein Computers has been taking care of our happy clients since 1999. We specialize in IT Support, Cyber Security, IT Service, IT Security MAC repair, PC Repair, Virus Removal, and much more. Give us a call for remote support or drop in to drop off.