• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

China-linked APT Salt Typhoon targets Canadian Telecom companies

 | 

U.S. warns of incoming cyber threats following Iran airstrikes

 | 

McLaren Health Care data breach impacted over 743,000 people

 | 

American steel giant Nucor confirms data breach in May attack

 | 

The financial impact of Marks & Spencer and Co-op cyberattacks could reach £440M

 | 

Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 50

 | 

Security Affairs newsletter Round 529 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Iran confirmed it shut down internet to protect the country against cyberattacks

 | 

Godfather Android trojan uses virtualization to hijack banking and crypto apps

 | 

Cloudflare blocked record-breaking 7.3 Tbps DDoS attack against a hosting provider

 | 

Linux flaws chain allows Root access across major distributions

 | 

A ransomware attack pushed the German napkin firm Fasana into insolvency

 | 

Researchers discovered the largest data breach ever, exposing 16 billion login credentials

 | 

China-linked group Salt Typhoon breached satellite firm Viasat

 | 

Iran experienced a near-total national internet blackout

 | 

Malicious Minecraft mods distributed by the Stargazers DaaS target Minecraft gamers

 | 

Healthcare services company Episource data breach impacts 5.4 Million people

 | 

Watch out, Veeam fixed a new critical bug in Backup & Replication product

 | 

U.S. CISA adds Linux Kernel flaw to its Known Exploited Vulnerabilities catalog

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • Malware
  • The missed link between Ransom Cartel and REvil ransomware gangs

The missed link between Ransom Cartel and REvil ransomware gangs

Pierluigi Paganini October 19, 2022

Researchers at Palo Alto Network’s Unit 42 linked the Ransom Cartel ransomware operation to the REvil ransomware operations.

Researchers at Palo Alto Network’s Unit 42 have linked the relatively new Ransom Cartel ransomware operation with the notorious REvil cybercrime gang.

The REvil group was one of the most active ransomware gangs in the first half of 2021, in October 2021 the gang shut down its operations due to the pressure of law enforcement.

The REvil group was behind one of the most devastating supply chain attacks, the Kaseya hack.

The Ransom Cartel operation was launched in December 2022, and security experts at MalawareHunterTeam were among the first research teams to speculate a possible link with Revil.

There is a new ransomware gang that started working around the middle of December or earlier. There is only a few tweet related to them yet. No samples seen yet.
But we already can tell it is related to REvil in one way – question is how exactly.
🤔@demonslay335 @VK_Intel https://t.co/NQGf7iwuzG

— MalwareHunterTeam (@malwrhunterteam) January 21, 2022

According to Palo Alto Networks, the malicious code used by the two groups has many similarities suggesting a rebranding operation.

Ransom Cartel gang seems to have had access to earlier versions of REvil ransomware source code, but not some of the most recent developments. This suggests there was an initial relationship between the two gangs that for some reason was interrupted.

Both groups relied on initial access brokers to acquire access to compromise networks and deploy their ransomware.

Unit 42 has analyzed two different ransom notes left by the Ransom Cartel on compromised systems, one in January 2022 and the second in August 2022. While the second one appeared to be completely rewritten, the first ransom note used by Ransom Cartel is similar to the note sent by REvil.

Ransom Cartel Revil

The encryptors used by the two gangs have some similarities in the structure of the configuration, but one of the main differences is that REvil relies on heavy obfuscation of the code while the Ransom Cartel has almost no obfuscation outside of the configuration. Experts believe that the ransomware group may not have access to the portion of code used by the REvil malware used for the obfuscation.

“It is possible that the Ransom Cartel group is an offshoot of the original REvil threat actor group, where the individuals only possess the original source code of the REvil ransomware encryptor/decryptor, but do not have access to the obfuscation engine.” reads the report published by Unit42.

The analysis of the decrypted REvil configuration revealed the use of the same JSON format, but the REvil configuration has more values than Ransom Cartel. The presence of pid, sub, fast, wipe and dmn values in the REvil configuration suggests it supports more functionalities.

Most of the similarities between the two malicious codes relate to the encryption scheme.

“This method of generating session secrets was documented by researchers at Amossys back in 2020; however, their analysis focused on an updated version of Sodinokibi/REvil ransomware, indicating a direct overlap between the REvil source code and the latest Ransom Cartel samples.” continues the report.

“Both use Salsa20 and Curve25519 for file encryption, and there are very few differences in the layout of the encryption routine besides the structure of the internal type structs.” 

The researchers also detailed overlap in the tactics, techniques, and procedures (TTPs) used by REvil and Ransom Cartel. Unit 42 researchers reported that the threat actor also uses a tool called DonPAPI to locate and retrieve Windows Data Protection API (DPAPI) protected credentials (DPAPI dumping). The tool was never used by the REvil gang in its operations.

The researchers also observed the gang using additional tools, including LaZagne to recover credentials stored locally and Mimikatz for credentials harvesting.

“Ransom Cartel is one of many ransomware families that surfaced during 2021. While Ransom Cartel uses double extortion and some of the same TTPs we often observe during ransomware attacks, this type of ransomware uses less common tools – DonPAPI for example – that we haven’t observed in any other ransomware attacks.” concludes the report. £Based on the fact that the Ransom Cartel operators clearly have access to the original REvil ransomware source code, yet likely do not possess the obfuscation engine used to encrypt strings and hide API calls, we speculate that the operators of Ransom Cartel had a relationship with the REvil group at one point, before starting their own operation.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Cybercrime IT Information Security malware Pierluigi Paganini Ransom Cartel REvil ransomware Security Affairs Security News

you might also like

Pierluigi Paganini June 24, 2025
China-linked APT Salt Typhoon targets Canadian Telecom companies
Read more
Pierluigi Paganini June 24, 2025
U.S. warns of incoming cyber threats following Iran airstrikes
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    China-linked APT Salt Typhoon targets Canadian Telecom companies

    APT / June 24, 2025

    U.S. warns of incoming cyber threats following Iran airstrikes

    Cyber warfare / June 24, 2025

    McLaren Health Care data breach impacted over 743,000 people

    Data Breach / June 23, 2025

    American steel giant Nucor confirms data breach in May attack

    Data Breach / June 23, 2025

    The financial impact of Marks & Spencer and Co-op cyberattacks could reach £440M

    Cyber Crime / June 23, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT