{
	"id": "2914afee-0fb1-4205-afbc-2c614327826f",
	"created_at": "2026-04-06T00:12:16.145653Z",
	"updated_at": "2026-04-10T03:21:28.160096Z",
	"deleted_at": null,
	"sha1_hash": "770d6e6cd86114cb1e6403e06ddd6914639f8003",
	"title": "REvil ransomware devs added a backdoor to cheat affiliates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1441509,
	"plain_text": "REvil ransomware devs added a backdoor to cheat affiliates\r\nBy Ionut Ilascu\r\nPublished: 2021-09-23 · Archived: 2026-04-05 20:03:28 UTC\r\nCybercriminals are slowly realizing that the REvil ransomware operators may have been hijacking ransom negotiations to\r\ncut affiliates out of payments.\r\nBy using a cryptographic scheme that allowed them to decrypt any system locked by REvil ransomware, the operators left\r\ntheir partners out of the deal and kept the entire ransom.\r\nConversations about this practice started a while ago on underground forums, in posts from collaborators of the gang, and\r\nhave recently been confirmed by security researchers and by malware developers.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/\r\nPage 1 of 5\r\nREvil ransomware, also known as Sodinokibi, emerged in the first half of 2019 and built a reputation as the successor of the\r\nGandCrab ransomware-as-a-service (RaaS) operation.\r\nThe RaaS cybercriminal business model involves a developer, who creates the ransomware and sets up the\r\ninfrastructure, and affiliates recruited to breach and encrypt victims. The proceeds are divided between the two parties,\r\nwith affiliates taking the larger cut (typically 70-80%).
\r\nPromoted by veterans of underground forums, the REvil gang developed a highly lucrative private operation that accepted\r\nonly experienced network hackers.\r\nREvil name goes down the drain\r\nIf the REvil operation started as an “honest” cybercriminal endeavor, it soon switched to scamming affiliates out of the\r\npromised 70% share of a ransom from paying victims.\r\nYelisey Boguslavskiy, head of research at Advanced Intel, told BleepingComputer that since at least 2020 various actors on\r\nunderground forums have claimed that the RaaS operators were taking over negotiations with victims in secret chats,\r\nunbeknownst to affiliates.\r\nThe rumor became more frequent after the sudden shutdown of DarkSide ransomware and Avaddon’s exit, which came with the\r\nrelease of decryption keys for its victims.\r\nThe conversations involved individuals who played a role in REvil ransomware attacks, such as partners that provided\r\nnetwork access, penetration-testing services, VPN specialists, and potential affiliates.\r\nBoguslavskiy says that REvil admins reportedly opened a second chat, identical to the one used by their affiliate to negotiate\r\na ransom with the victim.\r\nWhen talks reached a critical point, REvil would take over by posing, in the affiliate’s chat, as a victim quitting the negotiations without paying\r\nthe ransom, Boguslavskiy explained to BleepingComputer.\r\nThe gang would then continue the talks with the victim in the second chat and collect the full ransom, with the affiliate none the wiser.\r\nRecently, these claims got more substance when an underground malware reverse engineer provided evidence of REvil’s\r\ndouble-dipping practice.
They talk of a “cryptobackdoor” in the REvil samples that RaaS operators gave affiliates to deploy\r\non victim networks.\r\nThe revelation comes after cybersecurity company Bitdefender released a universal REvil decryption tool that\r\nworks for all victims encrypted up to July 13, 2021.\r\nPublic key shown in the post’s screenshot:\r\nFF5EEDCAEDEE6250D488F0F04EFA4C957B557BDBDC0BBCA2BA1BB7A64D043A3D\r\nWhat the author of the post is saying is that affiliates were not the only ones who could decrypt the systems they\r\nlocked with the REvil ransomware sample they received.\r\nREvil operators had a master key they could use to restore encrypted files.\r\nResearcher revealed the trick in July\r\nFabian Wosar, “ransomware slayer” par excellence and chief technology officer at Emsisoft, in early July provided a clear\r\nexplanation of how REvil’s cryptographic scheme worked.\r\nGandCrab’s successor uses four sets of public-private keys in its malware for the encryption and decryption\r\ntasks:\r\n1. An operator/master pair, whose public part is hardcoded in all REvil samples\r\n2. A campaign pair, whose public part is stored in the configuration file of the malware as the PK value\r\n3. A system-specific pair, generated upon encrypting the machine, with the private part encrypted using both the public\r\nmaster and campaign keys\r\n4. A key pair generated for each encrypted file\r\n“The private file key and public system key are then used as inputs for ECDH using Curve25519 in order to generate the\r\nSalsa20 key (called a shared secret) that is being used to actually encrypt the file content,” Wosar explains.\r\nThe system private key is essential to unlocking a machine: combined with each file’s public key it recomputes that file’s\r\nshared secret, so it is the only secret required to decrypt the individual files.\r\nRecovering it is possible with either the master private key, available only to REvil operators, or the campaign private key that\r\naffiliates hold.\r\nWosar notes that the master private key is REvil’s insurance against rogue affiliates, allowing them to decrypt any victim.\r\nThis is also what Bitdefender used for its REvil decryption tool and likely what helped Kaseya victims recover files for\r\nfree.\r\nTo access the REvil payment portal, the ransomware threat actor requires a blob of data present in the ransom note. That\r\nstring of apparently nonsensical characters includes various data about the machine, the campaign, the version of the malware used,\r\nand the system private key in its encrypted form.\r\nKeeping an ace up their sleeve that gives ransomware operators total control over decrypting any system locked by their\r\nmalware is a practice seen with other, newer ransomware groups.\r\nBoguslavskiy says that the DarkSide ransomware gang was rumored to run its operation in the same way.\r\nAfter rebranding as BlackMatter, the actor was open about this practice, letting everybody know that they reserved the\r\nright to take over the negotiations at any point, without explanation.\r\nReverse engineer and Advanced Intelligence CEO Vitali Kremez told BleepingComputer that the latest REvil samples,\r\nwhich emerged when the gang restarted operations, no longer contain the master key that enabled the decryption of any system\r\nlocked with REvil ransomware.\r\n
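The four-level key hierarchy Wosar describes, modelled end to end as an added example (this is not REvil’s code, nor Wosar’s or Bitdefender’s). Every level uses the same building block: seal a secret to a public key with a fresh Curve25519 pair and a stream cipher keyed by the ECDH shared secret. X25519 is implemented per RFC 7748 so the block runs offline; a SHA-256 counter-mode keystream stands in for Salsa20. The function names (seal, open_box, encrypt_machine, recover), the file contents, and the assumption that the escrowed system private key is stored as two independent copies, one sealed to the master public key and one to the campaign public key, are this example’s own.

```python
# Added example: REvil-style four-level key hierarchy, not REvil's own code.
# X25519 follows RFC 7748; a SHA-256 counter-mode keystream stands in for Salsa20.
import hashlib
import os

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, 'little')


def x25519(k: bytes, u: bytes) -> bytes:
    # Montgomery ladder exactly as in RFC 7748 section 5 (not constant-time here)
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] &= 127
    kb[31] |= 64
    k_int = int.from_bytes(kb, 'little')
    x1 = int.from_bytes(u, 'little') & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, 'little')


def keypair() -> tuple:
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for Salsa20 keyed with the ECDH shared secret (hypothetical construction)
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, 'little')).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], ks))
    return bytes(out)


def seal(recipient_pub: bytes, secret: bytes) -> bytes:
    # Fresh key pair per message; shared secret = ECDH(fresh private, recipient public).
    # For a file, the fresh pair is the per-file pair and recipient_pub is the system key.
    eph_priv, eph_pub = keypair()
    shared = x25519(eph_priv, recipient_pub)
    return eph_pub + stream_xor(shared, eph_pub, secret)


def open_box(recipient_priv: bytes, blob: bytes) -> bytes:
    eph_pub, body = blob[:32], blob[32:]
    shared = x25519(recipient_priv, eph_pub)     # same point, computed from the other side
    return stream_xor(shared, eph_pub, body)


def encrypt_machine(master_pub: bytes, campaign_pub: bytes, files: dict) -> tuple:
    # The system pair is generated on the victim; its private half is escrowed twice
    # (assumed layout) and goes into the ransom-note blob; the plaintext copy is discarded.
    system_priv, system_pub = keypair()
    encrypted = {name: seal(system_pub, data) for name, data in files.items()}
    note = {'master': seal(master_pub, system_priv),
            'campaign': seal(campaign_pub, system_priv)}
    return encrypted, note


def recover(holder_priv: bytes, escrow: bytes, encrypted: dict) -> dict:
    # Whoever can open one escrow copy gets the system private key and thus every file.
    system_priv = open_box(holder_priv, escrow)
    return {name: open_box(system_priv, blob) for name, blob in encrypted.items()}


if __name__ == '__main__':
    master_priv, master_pub = keypair()       # operators only; master_pub is baked into samples
    campaign_priv, campaign_pub = keypair()   # the affiliate's pair; campaign_pub is the config PK
    victim = {'ledger.xlsx': b'Q3 payroll ' * 40, 'notes.txt': b'call the bank'}  # constructed data
    enc, note = encrypt_machine(master_pub, campaign_pub, victim)
    print('affiliate:', recover(campaign_priv, note['campaign'], enc) == victim)
    print('operator: ', recover(master_priv, note['master'], enc) == victim)
    stranger_priv, _ = keypair()
    print('stranger: ', recover(stranger_priv, note['master'], enc) == victim)
```

The point the example makes concrete is that the affiliate never needed the master key and the operator never needed the affiliate: each opens a different escrow copy of the same system private key, and from there every file decrypts. Removing the master escrow from the note, as the restarted REvil samples reportedly did, leaves only the campaign path.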
Source: https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/"
	],
	"report_names": [
		"revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates"
	],
	"threat_actors": [],
	"ts_created_at": 1775434336,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/770d6e6cd86114cb1e6403e06ddd6914639f8003.pdf",
		"text": "https://archive.orkl.eu/770d6e6cd86114cb1e6403e06ddd6914639f8003.txt",
		"img": "https://archive.orkl.eu/770d6e6cd86114cb1e6403e06ddd6914639f8003.jpg"
	}
}