No Honor Among Thieves


Security analysts going through sample code from REvil have identified a backdoor that may have enabled the group to hijack chats with victims to cut the middle man out of their ransom payments. Usually, when an affiliate compromises a network, REvil hands the affiliate malware to infect that network. If a victim pays the ransom, the affiliate usually gets 70 percent for doing all the dirty work of network compromise, data stealing and encryption. REvil gets the remaining 30 percent in exchange for providing the ransomware. REvil may have used the backdoor to steal the whole ransom instead of just taking in 30 percent.

In recent samples, AdvIntel researchers have identified the backdoor that could have enabled REvil to decrypt workstations and files. By using this backdoor, REvil can hijack victim cases during active negotiations. AdvIntel researchers were already aware that REvil has been using double-chats, where two identical chats are open with the victim, one by the affiliate and another by REvil. Researchers don't have direct evidence that REvil used the backdoor to shut down the affiliate chat and hijack it by imitating a victim who chooses not to pay, and then continue negotiating with the victim to collect the ransom. The only way to get direct evidence is to be an insider in the REvil group, since they are the ones creating the double chats.


Besides the double-chat, the backdoor may serve the same purpose of stealing the ransom from their affiliates, since it enables secret decryption of files once negotiations are complete. An interesting thing that researchers found was that the backdoor has been removed since REvil's servers went down and came back up. The new operator may want to start out with a clean slate, since the previous operators were known to be braggers and liars in the underground. The new code may have been rewritten to prevent REvil's former members, who had backdoor access, from using the backdoor against new victims. Most likely, it was done to prevent decryption, since Bitdefender was able to obtain the backdoor key.

Having a backdoor gives ransomware operators complete control over decrypting any system locked by their malware. This practice is becoming more prominent, especially among newer ransomware groups. The DarkSide ransomware gang is also rumored to have one. BlackMatter openly admits this and lets everybody know that they reserve the right to take over negotiations at any point without explanation. There seems to be no honor among thieves.