At the beginning of last July, a massive attack with the REvil ransomware was made public, reaching record numbers: around a million affected systems and ransom demands worth $70 million.
Many companies and public institutions (hospitals, schools, etc.) affected by the cyberattack then faced a trade-off: pay huge sums to get their data back, or wipe their systems and rebuild from scratch.
Neither option was good, and those responsible would surely have liked a third one: decrypting the hijacked files with a decryption key. A pity they did not have that option at the time…
Better the data in hand than the hackers in the bush?
Or so they thought until now, when it was revealed that the FBI, after gaining access to the servers of REvil's creators, had already obtained the decryption key by then… but decided not to use it, after consulting other US agencies, so as not to tip REvil off.
The idea was not to reveal to the group of cybercriminals that their servers had been accessed, and thus to take the chance to shut down all of their operations. But then, on July 13 (two weeks after the cyberattacks began), REvil suddenly went dark and the FBI lost track of them.
You might think that, at that point, the FBI no longer had any reason to keep the ransomware's decryption key secret. Even so, for reasons that have not yet been well explained, it did not share the key's existence with anyone until a week later, causing serious additional damage to the victims of the cyberattacks.
Two days ago, FBI Director Christopher Wray defended the decision before the US Congress, calling it “a complex decision” but “not unilateral”, and implied that the extra week of delay in releasing the key was needed to “test and validate” it, as if that could not have been done discreetly during the previous two weeks.
JustTech, a Maryland company with more than a hundred clients attacked, was one of those affected by the FBI's decision. Joshua Justice, its owner, sums up his view like this:
“There were adults who contacted me crying, in person and by phone, asking if their business was going to be able to remain open. […] It would have been nice to get the decryption key three weeks before we finally did, but by then we had already started a full restore of our customers’ systems.”
Incidentally, cybersecurity experts have reported that, after these months of silence, the members of REvil have once again shown signs of life on the Dark Web, and that their servers are operational again.
But beware: there are reproaches for everyone here. It has now come to light that, just as many taxpayers feel betrayed by the FBI's decision, quite a few of REvil's former ‘partners’ feel ripped off by the group itself.
There is no honor among thieves
The ‘service’ offered by REvil is often labeled ‘Crime-as-a-Service’ (CaaS): a model in which individuals and groups with less advanced technical capabilities outsource part of the effort needed to carry out cyberattacks (in this case, developing the ransomware and hosting all the infrastructure needed to operate it), sharing the ransom income with their CaaS providers.
Thus, the REvil ransomware functioned as an ‘affiliate network’ in which the affiliates, those in charge of the dirty work of compromising and infecting the networks of the attacked organizations, receive 70% of the ransom income.
However, malware experts have just spotted a backdoor in the ransomware that allowed the developers (theoretically, since it is not known whether the option was ever used) to cheat affiliates and take their share of the loot without their knowledge: from the affiliate's point of view, it would look as if the attacked company had preferred not to pay and to lose its data… while, in fact, it was negotiating the ransom payment directly with the REvil developers.
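The mechanism behind that kind of backdoor is a key-escrow pattern: every file is encrypted with a fresh per-file key, and that key is wrapped in the file header not only for the affiliate but also for a master key that only the developers hold. Whoever owns either key can decrypt, and the affiliate cannot revoke the second wrap. The following is an added, hypothetical illustration of that pattern written for this page; it is not REvil's code, the article does not describe REvil's actual key hierarchy, and the key names, the header layout and the toy HMAC-based cipher are assumptions made for the example (a real system would use an AEAD such as AES-GCM).

```python
"""Hypothetical 'developer master key' escrow in a ransomware-style file key
hierarchy.  Illustration only; not REvil's scheme or code."""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode HMAC-SHA256 used as a PRF keystream (toy cipher for the example).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # nonce || ciphertext || tag  (encrypt-then-MAC with the same toy PRF)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or corrupted data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed keys for the illustration (assumed names).
AFFILIATE_KEK = secrets.token_bytes(32)  # held by the affiliate who ran the intrusion
MASTER_KEK = secrets.token_bytes(32)     # held only by the developers, hard-coded in the build


def encrypt_file(plaintext: bytes, affiliate_kek: bytes, master_kek: bytes):
    """Encrypt a file under a fresh key and wrap that key for BOTH parties."""
    file_key = secrets.token_bytes(32)
    header = {
        "wrapped_for_affiliate": encrypt(affiliate_kek, file_key),
        # The escrow slot: the affiliate cannot remove it without a custom build.
        "wrapped_for_master": encrypt(master_kek, file_key),
    }
    return header, encrypt(file_key, plaintext)


def recover_file(header: dict, body: bytes, kek: bytes, slot: str) -> bytes:
    """Unwrap the file key from the given header slot and decrypt the body."""
    file_key = decrypt(kek, header[slot])
    return decrypt(file_key, body)


def can_decrypt(header: dict, body: bytes, kek: bytes, slot: str) -> bool:
    try:
        recover_file(header, body, kek, slot)
        return True
    except ValueError:
        return False


def who_can_decrypt(header: dict, body: bytes, holders: dict) -> list:
    """holders maps a party name to (kek, header slot); returns the parties that succeed."""
    return sorted(name for name, (kek, slot) in holders.items()
                  if can_decrypt(header, body, kek, slot))


if __name__ == "__main__":
    sample = b"constructed sample: quarterly payroll export"  # constructed input
    hdr, body = encrypt_file(sample, AFFILIATE_KEK, MASTER_KEK)
    parties = {
        "affiliate": (AFFILIATE_KEK, "wrapped_for_affiliate"),
        "developer": (MASTER_KEK, "wrapped_for_master"),
        "victim":    (bytes(32), "wrapped_for_affiliate"),
    }
    print(who_can_decrypt(hdr, body, parties))
```

The point for anyone auditing such a scheme is in the header: a second wrapped copy of the file key that the affiliate did not create is exactly the artefact that lets the developers decrypt, and therefore negotiate, without the affiliate's key or knowledge.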