The REvil ransomware-as-a-service gang, which has made headlines recently with several high-profile attacks, is accused of cutting its associates out of the extortion action, scamming them out of payments from victims with locked-up systems.
REvil, which is linked to Russia and believed to be behind the attacks on managed service provider software vendor Kaseya and United States fuel distribution network Colonial Pipeline, is said to have secretly introduced a backdoor into its malware.
Security vendor Flashpoint said criminals on the Russian-language Exploit and XSS forums were outraged to find that the backdoor enabled REvil operators to restore encrypted files with no involvement from the associates.
Furthermore, REvil operators are said to be able to hijack chats in which ransomware victims negotiate extortion payments in return for decryptors, and collect the full proceeds without sharing any with affiliates who have paid to use the malware.
REvil's RaaS business model used to be that affiliates got 70 percent of the ransoms, and the operators kept the rest.
While the backdoor was likely inserted several months ago, it only dawned upon the criminals about a week or so ago that they were being scammed out of ransoms by REvil operators.
Other RaaS operators are trying to capitalise on the affiliates' anger and distrust towards REvil.
Some affiliates in the ransomware community are trying to arbitrate with REvil to get their hands on the hijacked payments.
However, others in the crime forums did not seem hopeful this would succeed, with one threat actor suggesting such a process would be useless, like "arbitrating against Stalin."