Affiliates are instructed to create a new account on
MEGA, the file-sharing service (which ransomware groups are told to pay for with Bitcoin, to maintain anonymity). As shown in the image below, once the affiliate knows which files need to be uploaded, they’re instructed to create an Rclone config file. A help file also warns the affiliate to limit the number of streams (simultaneous uploads) they create, because creating too many streams could alert the target to the affiliate’s presence.