Backdoor inside REvil Ransomware
On a well-known criminal underground forum, a user published evidence of a backdoor embedded in the REvil ransomware. The backdoor would let the ransomware developers generate decryption keys independently of the affiliate who actually executed the attack.

The REvil RaaS
REvil is a ransomware of the RaaS (Ransomware-as-a-Service) family: its operators provide the malware to criminal groups under an affiliate scheme. The affiliate model spares those groups the burden of malware development, a resource-intensive activity prone to technical complications, by supplying ready-made software and a platform built around the attackers' requirements. The developers are paid a share of the ransoms extracted from victims.

The backdoor
The identified code appears to allow the REvil developers to decrypt victims' files using a Master Key in their possession, from which all the other encryption keys would be derived. Our Cyber Threat Intelligence tracking indicates that this mechanism is a critical architectural flaw in the RaaS trust model.
Exploiting this backdoor would let the ransomware development team cut affiliates out and sidestep the negotiations those affiliates conduct with victims. Evidence suggests the DarkSide gang uses the same approach in its ransomware architecture.