Stolen Ransoms: Ransomware scammers are getting scammed 


The first outcry was heard on underground Russian-language forums: ransomware scammers were complaining about getting scammed themselves. Affiliates claimed that the REvil ransomware program they leased from another group of cybercriminals contained a secret backdoor, one that not only allowed the program's original creators to restore all encrypted files but also let them hijack negotiations and claim entire ransoms for themselves. 

It reads like the plot of an evil fairytale gone wrong, with the villains falling victim to others of their own kind. 

The complaints grew loud enough that one user on the forum claimed to have lost $7 million in ransoms because the backdoor cut some ransom negotiations short. 

How are Ransomware scammers being scammed out of their ransoms? 

The story begins with REvil, a ransomware-as-a-service group built by the core developers of GandCrab, one of the biggest ransomware gangs. These groups build malware and lease it out to other ransomware scammers in exchange for a portion of the ransom. This model has become immensely popular since 2019. REvil alone is responsible for 13.1% of all successful ransomware attacks this year. REvil also gained notoriety after perpetrating ransomware attacks on Acer, Kaseya and the Apple supplier Quanta. 

REvil is immensely popular among cybercriminals. 

Then, on September 20 of this year, a threat actor discovered a secret backdoor in the program. The backdoor had the potential to undermine the entire ransom-negotiation process, exasperating the other ransomware hackers who depended on it. 

Naturally, the exposed backdoor drew toxic comments on the forums. The forum also saw discussions about how there is nothing small-time scammers can do against these groups; cold stonewalling was the response they expected in any arbitration. 

But for the time being, it looks like REvil will continue to lead the ransomware charts despite these issues. The REvil program is by far the most lucrative ransomware-as-a-service offering available to novice cyber crooks. 

How to avoid ransomware attacks 

Ransomware attacks are rising at a rapid rate. The Cognyte Cyber Threat Intelligence Research Group’s 2020 Annual Cyber Intelligence Report stated that the first half of 2021 alone saw 1097 ransomware attacks, compared with 1112 attacks in all of 2020. Groups like REvil, Conti and Avaddon alone are responsible for over 60% of these attacks. 

Most victims in these cases end up paying the ransom, even though the practice is strongly discouraged. Paying does not guarantee the victim's safety: the hackers might simply disappear with the money without handing over the decryption keys, and even when they do share the key, restoring operations to normal can take months. The best way to avoid this disruption is to prevent these attacks in the first place. 

  • Maintain data backups

Regularly backing up data is the single best practice for limiting disruption. Backing up all data and storing it securely outside the network, where the ransomware cannot reach and encrypt it, lets operations resume quickly. Cloud services are also recommended at times because they can retain earlier, unencrypted versions of the files. 

  • Outline plans and policies

Documenting a set of policies that outline what actions to take in the event of an attack can also mitigate most of the damage. These policies should include the chain of communication and clearly defined roles for all stakeholders. 

  • Review port settings

Ransomware attacks usually capitalize on Remote Desktop Protocol (RDP) on port 3389 and Server Message Block (SMB) on port 445. Review whether these ports need to be left open at all, and where they do, only allow access from trusted hosts. 

  • Safeguard your endpoints 

Your endpoints are the most vulnerable parts of the system, especially when left at their default configurations. It is essential to move to more secure configuration settings that specifically address the common endpoint risk factors. 

  • Patch all systems

Many attacks take advantage of known vulnerabilities in software. These vulnerabilities can be addressed by proper patch management: updating systems regularly on a fixed schedule and holding teams accountable for doing so. 
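The port-review advice above is easy to check mechanically. The following script is an added example, not code from the original article: it audits a constructed, simplified set of inbound firewall rules (a hypothetical format resembling a cloud security group) and flags any rule that exposes RDP (3389) or SMB (445) to a source outside a hypothetical allowlist of trusted networks, showing the weak "open to anywhere" rules beside their corrected, allowlisted form.

```python
"""Audit inbound firewall rules for RDP (3389) and SMB (445) exposure.
Added example; rule format, networks and rule names are constructed."""
import ipaddress

# The two ports the article singles out as common ransomware entry points.
RISKY_PORTS = {3389: "RDP", 445: "SMB"}

# Hypothetical allowlist of trusted management networks (constructed).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24"),
                ipaddress.ip_network("192.168.100.0/24")]


def source_is_trusted(cidr, trusted=TRUSTED_NETS):
    """True only if the entire source range lies inside one trusted network."""
    src = ipaddress.ip_network(cidr, strict=False)
    return any(src.subnet_of(net) for net in trusted
               if src.version == net.version)


def audit_rules(rules, trusted=TRUSTED_NETS):
    """Return one finding per (rule, risky port) opened to an untrusted source."""
    findings = []
    for rule in rules:
        if rule["protocol"] not in ("tcp", "any"):
            continue  # RDP and SMB are TCP services; UDP-only rules are irrelevant
        lo, hi = rule["port_range"]
        for port, name in RISKY_PORTS.items():
            if lo <= port <= hi and not source_is_trusted(rule["source"], trusted):
                findings.append({"rule": rule["name"], "port": port,
                                 "service": name, "source": rule["source"]})
    return findings


# Constructed sample rule set: the first two are the weak settings the article
# warns about (RDP open to the internet; all TCP ports open to a broad range),
# the next two are the corrected form restricted to allowlisted hosts.
SAMPLE_RULES = [
    {"name": "allow-rdp-anywhere", "protocol": "tcp", "port_range": (3389, 3389), "source": "0.0.0.0/0"},
    {"name": "allow-all-tcp-wide", "protocol": "tcp", "port_range": (1, 65535), "source": "172.16.0.0/12"},
    {"name": "allow-rdp-jumphost", "protocol": "tcp", "port_range": (3389, 3389), "source": "10.20.0.5/32"},
    {"name": "allow-smb-fileshare", "protocol": "tcp", "port_range": (445, 445), "source": "192.168.100.0/24"},
    {"name": "allow-https", "protocol": "tcp", "port_range": (443, 443), "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['rule']}: {f['service']} (tcp/{f['port']}) open to {f['source']}")
```

Run against the sample set it reports three findings (RDP in the first rule, RDP and SMB in the second) and passes the two allowlisted rules and the HTTPS rule.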

Ransomware attacks destabilize even the largest organizations, forcing them to spend millions on ransoms, operational disruption and reputational damage. Implementing the latest and best cybersecurity practices is the only way to ensure your organization remains safe from an attack.