Researchers have found that the creators of REvil built a scheme into the ransomware that let them decrypt any system it had encrypted on their own, so that they could negotiate with a victim behind an affiliate's back and keep the entire ransom for themselves.
Their affiliates ended up with nothing. According to Bleeping Computer, rumors of this have circulated on hacker forums for a long time, but they have now been confirmed by information security researchers and by malware developers.
Let me remind you that REvil (aka Sodinokibi) has existed since 2019 and is considered the successor of the GandCrab ransomware. The operation follows the Ransomware-as-a-Service (RaaS) model: the core group develops the malware and runs the payment and negotiation sites, while hired affiliates break into victims' networks and encrypt their devices. Ransom payments are then split between the group itself and its affiliates, with the affiliates usually receiving 70-80% of the total.
Evgeny Boguslavsky, a specialist at Advanced Intel, told reporters that since at least 2020 there have been rumors on hacker forums that the creators of REvil often negotiate with victims