The REvil ransomware (Sodinokibi) operation has deposited 99 bitcoins (approximately $1 million USD) on a Russian-speaking hacker forum to prove to its affiliates that it means business. The ransomware group posted on a Russian cybercrime forum that it is now recruiting new affiliates to compromise networks and deploy its ransomware.

Many ransomware operations are conducted using a profit-sharing model known as Ransomware-as-a-Service (RaaS), where developers are in charge of building the ransomware and payment sites, and affiliates are recruited to use the software to compromise businesses for ransom. The normal arrangement is that the developers receive a 20-30% cut and the affiliate receives 70-80% of the ransom payments they generate. The more favorable split of 80/20 is given to affiliates that generate more than $1 million USD per week in ransom payments.

The affiliates are expected to continuously compromise new victims; if there is no new activity for ten days, their relationship will be ended. The REvil operators handle negotiations with the victims, but allow the affiliates to participate if they wish to.

REvil is a private organization, which means that potential affiliates are vetted before they are allowed access to the software. The 99-bitcoin deposit illustrates that the group can spend $1 million without hesitation, which will entice new affiliates to enter into the application process.
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in