{
	"id": "c6169e3b-ff43-4795-a76b-96345b16de8f",
	"created_at": "2026-04-06T00:16:48.868681Z",
	"updated_at": "2026-04-10T03:21:34.386498Z",
	"deleted_at": null,
	"sha1_hash": "359b1663c133fb67ec73d3df01a9d6d3ce6c1056",
	"title": "REvil’s “Cryptobackdoor” Con: Ransomware Group’s Tactics Roil Affiliates, Sparking a Fallout",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 241690,
	"plain_text": "REvil’s “Cryptobackdoor” Con: Ransomware Group’s Tactics Roil Affiliates, Sparking a Fallout\r\nBy Flashpoint Intel Team\r\nPublished: 2021-09-28 · Archived: 2026-04-05 17:43:34 UTC\r\nHow REvil allegedly cuts out affiliates according to… its former affiliates\r\nREvil, a sophisticated Russian-speaking ransomware group, frequently works with affiliates who provide them with access to networks—and negotiate with victims on REvil’s behalf—for a cut of the ransom. REvil affiliates can collect up to 70 percent of the ransom payment while REvil operators collect the rest. This is how REvil has historically operated its ransomware-as-a-service model.\r\nREvil’s tactics have recently come under renewed scrutiny. Threat actors operating on XSS and Exploit are currently reacting to evidence that REvil included a secret backdoor in its ransomware code—allegedly enabling the ransomware group to steal illicit ransom proceeds from its affiliates.\r\nOn September 20, a threat actor allegedly unearthed a “cryptobackdoor” in REvil’s sample code and posted the finding on Exploit, an illicit high-tier Russian-language forum. The backdoor code gives REvil the capability to restore encrypted files on its own—without the involvement of the affiliates it originally hired.\r\nFlashpoint analysts note that the backdoor was likely exposed months ago. However, the September 20 leak represents what appears to be the first time concrete evidence of REvil’s tactics has been made public.\r\nREvil can also allegedly hijack chats with victims and cut off discussions with its affiliates in order to collect full shares of the ransom without sharing the proceeds.\r\nThe subsequent fallout within the threat actor community offers the very organizations and individuals they target a window into the types of important chatter that can arise in the cybercriminal underground; insights into evolving relationships and behavioral codes among threat actors; and a lens into whether arbitration is a realistic and viable possibility when dealing with major ransomware groups.\r\nMaking sense of the chatter\r\nThe threat actor Signature—who had previously requested US $7 million in an arbitration dispute on Exploit—rehashed their argument after the REvil backdoor was revealed. As a result, Signature started a new Exploit thread, saying that they knew all along about REvil’s scamming tactics and claiming the revelations lend credence to Signature’s arbitration claim. With the revelation of the parallel chat and the code backdoor, it is possible that an REvil operator had logged into the Signature chat posing as the victim company and abruptly ended the negotiations to collect all the ransom on their parallel chat, just as Signature alleged in May.\r\nhttps://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/\r\nPage 1 of 3\n\nExploit post outlining REvil’s “cryptobackdoor,” taken from the Flashpoint platform. (Image: Flashpoint)\n\nLockBitSupp, the LockBit ransomware representative on Exploit, chimed in to say that many REvil affiliates share suspicion towards REvil.\r\nSome illicit community members reacted with derision to the new evidence presented against REvil, pointing to a greater internal fissure growing between groups of affiliated threat actors.\r\nOne Exploit user said that this is the first time they are hearing of major ransomware groups stealing profits from their alleged partners. The user compared REvil’s behavior to scamming methods used by low-level carders.\r\nAnother Exploit user said they were tired of “lousy partner programs” used by ransomware collectives “you cannot trust” and further speculated that REvil would survive and thrive regardless of whether their reputation takes a real hit among fellow threat actors.\r\nCybersecurity analysts at Flashpoint note that animosity towards ransomware-involved threat actors has been ongoing since high-profile ransomware attacks caused increased law enforcement scrutiny toward cybercriminal communities.\r\nArbitration\r\nOther users have also expressed pessimism regarding the underground community’s ability to handle REvil’s alleged behavior. One threat actor on XSS said that “the Devil himself will not be able to figure out” arbitration cases against REvil since the matter has gotten too complicated—and that arbitration might be prohibited anyway because some forums have purportedly instituted a ransomware ban.\r\nAnother threat actor echoed these sentiments, saying that opening arbitration cases against REvil would be useless, like “arbitrat[ing] against Stalin.”\r\nReduce ransomware risk and see Flashpoint intelligence in action\r\nWhen organizations, such as financial institutions and law enforcement agencies, gain insight into the operational dynamics of malicious cybercriminal communities, they can better understand threat actor TTPs, access potentially vital observations in real time, and leverage that information to thwart a ransomware attack.\r\nSign up for your risk-free 90-day trial and see how Flashpoint can provide you with the actionable threat intelligence you and your entire team need to identify and respond to threats targeting your organization. When equipped with Flashpoint Intelligence, your team has immediate access to collections across illicit online communities ranging from private forums and illicit marketplaces to encrypted chat service channels, giving insight into threat-actor activity on a global scale.\r\nSource: https://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/"
	],
	"report_names": [
		"revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout"
	],
	"threat_actors": [],
	"ts_created_at": 1775434608,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/359b1663c133fb67ec73d3df01a9d6d3ce6c1056.pdf",
		"text": "https://archive.orkl.eu/359b1663c133fb67ec73d3df01a9d6d3ce6c1056.txt",
		"img": "https://archive.orkl.eu/359b1663c133fb67ec73d3df01a9d6d3ce6c1056.jpg"
	}
}