The notorious group of ransomware-throwing cybercriminals that operate under the name REvil are not to be trusted, according to a ransomware-throwing cybercriminal and former “partner” of REvil.
Risk intelligence firm Flashpoint released a blog post that includes comments offering insight into how the international gang responsible for the recent attacks on Kaseya and JBS operates, implying that it may be less than scrupulous when it comes to working with its “partners”.
These outsiders, whom Flashpoint referred to as “affiliates,” provide access to networks and often handle negotiations with victims in exchange for up to 70% of extorted funds, according to the blog.
This is known as ransomware-as-a-service because, in some ways, it parallels the operating model of much of the managed services industry.
However, it seems that some of these affiliates are not so happy with the way REvil handles business, including taking over discussions with victims and excluding the partner from the deal altogether.
A former affiliate, known as Signature, posted on a Russian threat actor forum called Exploit to complain about being tricked by REvil. He had previously gone to arbitration to try to recover some of the money he had defrauded a company of.
“An Exploit user said this was the first time he had heard of large ransomware groups stealing profits from their alleged partners. The user compared REvil’s behavior to scam methods used by low-level carders,” the blog post said.
“Another Exploit user said he was tired of ‘ugly partner programs’ used by ‘you can’t trust ransomware collectives’ and further speculated that REvil would survive and thrive, that his reputation will be seriously damaged by other threat actors.”
There are no details on what these partner programs included, or whether or not the incentives included a REvil-sponsored fishing trip for a dozen Russian hackers.
The blog added that a user complained that “the Devil himself will not be able to figure out” arbitration cases against REvil since they have become too complicated – and that arbitration could be banned anyway because some forums have supposedly instituted a ban on ransomware.
“Another threat actor echoed those sentiments, that initiating arbitration proceedings against REvil would be pointless, as ‘arbitrat[ing] against Stalin’.”
It seems like “honor among thieves” might make a better idiom than an ideal.