Looking at GandCrab and Sodinokibi/REvil's affiliate model.
McAfee has published research on the Sodinokibi/REvil ransomware, examining the ransomware-as-a-service (RaaS) business model and providing further evidence that the malware is linked to GandCrab. In addition to extensive code overlap outlined in McAfee's first report, the researchers found that many of GandCrab's favored affiliates have switched over to Sodinokibi, along with the top operators using other RaaS families, forming what the researchers call "a sort of all-star team." McAfee provides a detailed overview of Sodinokibi's affiliate model on GitHub.
McAfee was able to identify separate affiliates based on hardcoded values in GandCrab and Sodinokibi samples. The malware's developers give their affiliates a cut of the ransom, so they need a way of tracking which affiliate is responsible for which attacks. They appear to achieve this with hardcoded IDs and sub-IDs that correspond to each affiliate and their campaigns. McAfee identified some IDs that showed up only once, indicating affiliates that had been expelled from the RaaS network after failing to prove themselves. Four IDs in particular were seen many times, with the most successful affiliate's ID appearing in seventy-one unique GandCrab samples. Notably, none of these four most active affiliates' IDs were present in samples of the last version of GandCrab released in February, which the researchers believe could somehow be related to GandCrab's retirement several months later.
McAfee found that Sodinokibi uses an almost identical ID/sub-ID model, and some of its top affiliates display very similar behavior to the top-performing GandCrab groups.
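The affiliate-tracking analysis described in the two paragraphs above reduces to a clustering exercise over configuration values extracted from samples. The following Python is an added example, not McAfee's tooling or anything from the report: it assumes an analyst has already pulled an affiliate ID and sub-ID out of each sample (the extraction step is specific to each family's configuration format and is not shown) and works on a constructed list of sample records with invented hashes, IDs and version strings. It groups samples by affiliate, ranks affiliates by volume, flags IDs seen only once, lists IDs that disappear in a given version, and reports IDs common to two families. That last check is only evidence of a link if the ID scheme is genuinely shared between the families, which is why the report pairs it with code overlap rather than relying on it alone.

```python
from collections import defaultdict

# Constructed sample metadata for illustration only:
# (label, family, version, affiliate_id, sub_id).
# Labels stand in for sample hashes; IDs and versions are invented, not values from the report.
SAMPLES = [
    ("sample-01", "GandCrab",   "5.1", 41, 3),
    ("sample-02", "GandCrab",   "5.1", 41, 3),
    ("sample-03", "GandCrab",   "5.2", 41, 7),
    ("sample-04", "GandCrab",   "5.1", 17, 1),
    ("sample-05", "GandCrab",   "5.2", 17, 1),
    ("sample-06", "GandCrab",   "5.1", 99, 2),
    ("sample-07", "GandCrab",   "5.3",  5, 1),
    ("sample-08", "Sodinokibi", "1.0", 41, 3),
    ("sample-09", "Sodinokibi", "1.1", 41, 3),
    ("sample-10", "Sodinokibi", "1.0",  8, 1),
]


def cluster_by_affiliate(samples):
    """Group samples by (family, affiliate_id).

    Each cluster records how many samples carried that ID, which sub-IDs
    (campaigns) were seen, which versions of the family they came from,
    and the sample labels so an analyst can pivot back to the files.
    """
    clusters = defaultdict(
        lambda: {"count": 0, "sub_ids": set(), "versions": set(), "samples": []}
    )
    for label, family, version, aff_id, sub_id in samples:
        c = clusters[(family, aff_id)]
        c["count"] += 1
        c["sub_ids"].add(sub_id)
        c["versions"].add(version)
        c["samples"].append(label)
    return dict(clusters)


def top_affiliates(clusters, family, n=3):
    """Affiliate IDs of `family` ordered by sample count, most prolific first.

    Ties are broken by ascending ID so the ordering is deterministic.
    """
    rows = [(aff_id, c["count"]) for (fam, aff_id), c in clusters.items() if fam == family]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows[:n]


def singleton_ids(clusters, family):
    """IDs seen in exactly one sample: candidates for affiliates that did not last."""
    return sorted(
        aff_id for (fam, aff_id), c in clusters.items()
        if fam == family and c["count"] == 1
    )


def ids_absent_from_version(clusters, family, version):
    """IDs active in other versions of `family` but never seen in `version`.

    This is the check behind the observation that the most active IDs were
    missing from the final release.
    """
    present = {
        aff_id for (fam, aff_id), c in clusters.items()
        if fam == family and version in c["versions"]
    }
    active_elsewhere = {
        aff_id for (fam, aff_id), c in clusters.items()
        if fam == family and (c["versions"] - {version})
    }
    return sorted(active_elsewhere - present)


def shared_ids(clusters, family_a, family_b):
    """Affiliate IDs that appear in both families.

    Meaningful only if both families use the same ID assignment scheme.
    """
    a = {aff_id for (fam, aff_id) in clusters if fam == family_a}
    b = {aff_id for (fam, aff_id) in clusters if fam == family_b}
    return sorted(a & b)


if __name__ == "__main__":
    clusters = cluster_by_affiliate(SAMPLES)
    print("top GandCrab affiliates:", top_affiliates(clusters, "GandCrab"))
    print("one-off GandCrab IDs:", singleton_ids(clusters, "GandCrab"))
    print("IDs missing from GandCrab 5.3:", ids_absent_from_version(clusters, "GandCrab", "5.3"))
    print("IDs shared with Sodinokibi:", shared_ids(clusters, "GandCrab", "Sodinokibi"))
```

On real data the interesting signal is the combination of these views: an ID that is high-volume, spans several versions and several sub-IDs, and then reappears under the successor family is exactly the "all-star" affiliate pattern the researchers describe, whereas a singleton confined to one version is noise or a short-lived recruit.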
The researchers observe that RaaS is vulnerable to the same weaknesses facing any other business model, and they see two primary ways to disrupt it. The first would be arresting the most profitable affiliates, which would lower income for developers and lead to an overall drop in morale. The second method is developing and releasing free decryptors for ransomware.