The bad guys are going to great lengths to ensure they make their money. As part of its Ransomware-as-a-Service, REvil is now expanding its services to aid in the extortion phase.

REvil/Sodinkibi has been a major player in the RWaaS market, providing its’ affiliate bad guys with functional ransomware malware and a payment site. They are relying on the affiliate to attack, infiltrate, and compromise the victim networks in order to deploy the ransomware. This split of duties brings REvil somewhere between 20-30% of the ransom, with the affiliate taking the remainder home.

So, it’s mutually beneficial to both parties that the ransom first, be paid and second, be as much as possible. The exfiltrating of data and extorting the victim organization to pay or face publication of the stolen data has been growing over the last year since it was first seen used by Maze.

But a new twist on the extortion saga is the launching of a calling service where REvil will call the victim organizations business partners, local media, and more to bring the attack to light and force the organization to pay up to regain its operations.

Shown below, the ad asks for affiliates to provide organization details, chat contacts and phone numbers to call.


Source: Twitter

The bad guys aren’t going to be satisfied with just taking your ransom payment; they’re going to ensure they squeeze the maximum amount of money out of your organization they can.