Millions of deposits and “insiders” on cryptocurrency exchanges – CyberNews employees have lured these and other details about the activities and cashing ransoms by the ransomware operators during a conversation with a person associated with the Ragnar Locker and REvil groups.
Security researchers regularly visit hacker forums to gather information on cyber threats, and CyberNews employees are no exception. However, they had no idea how one of these visits would end.In June 2020, researchers collected data on a popular hacker forum and came across an unexpected advertisement – the sensational cyber ransomware group REvil announced a search for participants for its “affiliate program.”
Researchers immediately seized this opportunity, filed an application, pretending to be a cybercriminal from Russia, and soon they received an invitation for an interview in the qTox private chat. There they met cybercriminals who had been conducting ransomware operations for over a decade.
Let me remind you that we talked about the fact that REvil ransomware operators launched auction site to sell stolen data.
In advertising on the forum, the group promised the participants of the “partner program” about 70-80% of the amount paid by the victims of the ransom, being content with a modest 20%. This too generous offer could raise suspicions among potential partners, so in order to prove its authenticity, REvil made a deposit of $1 million (in bitcoins) to its forum wallet.
Questions about relevant skills and experience were only part of the interview. Proficiency in Russian was a mandatory requirement for a potential partner.
As it turned out during the interview, the group consists of four members, and they are missing the fifth. The fifth participant must be able to work with the Cobalt Strike tool used by ransomware after hacking the attacked system.
The largest ransom that the group managed to get is $18 million. Of this, the ransomware developer received 30%, and the rest was divided among the members of the group ($2.5 million “apiece”).
Cybercriminals have connections among cryptocurrency exchange employees that help them to stay incognito, exchange ransom bitcoins for dollars, and even launder money.
According to the person who conducted the interview, the partner must open an account in the specified cryptocurrency exchange service and deposit the ransom received from the victims there. He also recommended to convert into dollars not the entire amount at once, but in “small” parts of no more than $1 million, otherwise a sharp release of bitcoins into the market could affect their rate and cause resentment among the community.
When the cryptocurrency has already been converted into dollars, the “friend” on the exchange (for the commission of 4%) cashes out the funds and transfers them to the agreed address. Interestingly, picking up all the cash at once is also not recommended. It is best to receive money in small packages of $1 million, then their weight will not exceed 10 kg and will not pose a danger and inconvenience the courier.
Let me also remind you that REvil Developers Made $1 Million Deposit on Hacker forum.
