{"id":3250,"date":"2021-09-27T15:23:50","date_gmt":"2021-09-27T15:23:50","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3250"},"modified":"2026-06-08T23:07:37","modified_gmt":"2026-06-08T23:07:37","slug":"revil-ransomware-backdoor","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/revil-ransomware-backdoor\/","title":{"rendered":"Backdoor inside REvil Ransomware"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Within a known criminal underground forum, a user published evidence of a <em>backdoor<\/em> embedded in the <strong>REvil Ransomware<\/strong>. The backdoor would permit the ransomware developers to <strong>generate decryption keys<\/strong> independently of the affiliate who actually carried out the attack.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/11\/ua_ransomware-1024x576-1.gif\" alt=\"\" class=\"wp-image-3902\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">The REvil RaaS<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>REvil<\/strong> is ransomware of the <strong>RaaS (Ransomware-as-a-Service)<\/strong> family: its operators supply the malware to criminal groups under an affiliate system. The affiliate model spares criminal groups the work of malware development\u2014a resource-intensive activity prone to technical complications\u2014and provides them with ready-made software and a platform aligned with attacker requirements. The developers receive compensation derived from the ransom payments extracted from victims.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The backdoor<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The identified code appears to permit the <strong>REvil<\/strong> developers to decrypt victim files through a <strong>Master Key<\/strong> in their possession, from which all other encryption keys would be derived. Our <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> tracking indicates that this mechanism represents a critical architectural flaw in the RaaS trust model.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Use of this <em>backdoor<\/em> would enable the ransomware development team to bypass their affiliates, cutting them out of the negotiations with victims. Evidence suggests the <strong>DarkSide gang employs an identical approach<\/strong> in the architecture of their own ransomware.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Backdoor discovered inside the REvil ransomware affiliate build: developer access to victim payments, affiliate-trust implications and underground reactions.<\/p>\n","protected":false},"author":1,"featured_media":3890,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3290,1475,3291,1443,3289,1629,295],"class_list":["post-3250","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-affiliate-trust","tag-backdoor-it","tag-developer-skimming","tag-ransomware-it","tag-ransomware-backdoor","tag-revil-it","tag-revil"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3250","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3250"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3250\/revisions"}],"predecessor-version":[{"id":9903,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3250\/revisions\/9903"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/3890"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3250"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3250"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3250"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}