“Cyber criminals using a ransomware-as-a-service scheme have been spotted complaining that the group they rent the malware from could be using a hidden backdoor to grab ransom payments for themselves,” reports ZDNet:
REvil is one of the most notorious and most common forms of ransomware around and has been responsible for several major incidents. The group behind REvil lease their ransomware out to other crooks in exchange for a cut of the profits these affiliates make by extorting Bitcoin payments in exchange for the ransomware decryption keys that the victims need. But it seems that cut isn’t enough for those behind REvil: it was recently disclosed that there’s a secret backdoor coded into their product, which allows REvil to restore the encrypted files without the involvement of the affiliate. This could allow REvil to take over negotiations with victims, hijack the so-called “customer support” chats — and steal the ransom payments for themselves.
Analysis of underground forums by cybersecurity researchers at Flashpoint suggests that the disclosure of the REvil backdoor hasn’t gone down well with affiliates. One forum user claimed to have had suspicions of REvil’s tactics, and said their own plans to extort $7 million from a victim were abruptly ended. They believe that one of the REvil authors took over the negotiations using the backdoor and made off with the money.
Read more of this story at Slashdot.