Researchers at Palo Alto Networks' Unit 42 have linked the relatively new Ransom Cartel ransomware operation to the notorious REvil cybercrime gang.
The REvil group was one of the most active ransomware gangs in the first half of 2021; in October 2021 the gang shut down its operations under pressure from law enforcement.
The REvil group was behind one of the most devastating supply chain attacks, the Kaseya hack.
The Ransom Cartel operation was launched in December 2021, and security experts at MalwareHunterTeam were among the first to speculate about a possible link with REvil.
According to Palo Alto Networks, the malicious code used by the two groups has many similarities, suggesting a rebranding or an offshoot of REvil.
The Ransom Cartel gang appears to have had access to earlier versions of the REvil ransomware source code, but not to some of its most recent developments. This suggests an initial relationship between the two gangs that was later interrupted for some reason.
Both groups relied on initial access brokers to acquire access to compromised networks and deploy their ransomware.
Unit 42 analyzed two different ransom notes left by Ransom Cartel on compromised systems, one from January 2022 and the second from August 2022. While the second appeared to be completely rewritten, the first ransom note used by Ransom Cartel is similar to the note used by REvil.
The encryptors used by the two gangs have similarities in the structure of their configuration, but one of the main differences is that REvil relies on heavy code obfuscation while Ransom Cartel has almost no obfuscation outside of the configuration. Experts believe the group may not have access to the portion of the REvil code responsible for obfuscation.
“It is possible that the Ransom Cartel group is an offshoot of the original REvil threat actor group, where the individuals only possess the original source code of the REvil ransomware encryptor/decryptor, but do not have access to the obfuscation engine.” reads the report published by Unit 42.
The analysis of the decrypted configurations revealed that both use the same JSON format, but the REvil configuration has more values than Ransom Cartel's. The presence of pid, sub, fast, wipe and dmn values in the REvil configuration suggests it supports more functionality.
Most of the similarities between the two malicious codes relate to the encryption scheme.
“This method of generating session secrets was documented by researchers at Amossys back in 2020; however, their analysis focused on an updated version of Sodinokibi/REvil ransomware, indicating a direct overlap between the REvil source code and the latest Ransom Cartel samples.” continues the report.
“Both use Salsa20 and Curve25519 for file encryption, and there are very few differences in the layout of the encryption routine besides the structure of the internal type structs.”
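The following is an added illustration, not code from Unit 42's report nor from either ransomware family, of the hybrid pattern the quote describes: a fresh Curve25519 (X25519) keypair per file, a Diffie-Hellman agreement against the operator's long-term public key, and a Salsa20 keystream for the file body, with the ephemeral public key and nonce stored in a footer so that only the holder of the operator's private key can recover the file key. The SHA-256 key derivation, the footer layout and the 8-byte nonce are assumptions chosen for clarity; the actual derivation and layout used by REvil or Ransom Cartel are not described on this page. Both primitives are written out in pure Python so the block runs stand-alone; they are not constant-time and are for study only.

```python
"""Hybrid Salsa20 + X25519 per-file encryption, illustrative only.

Added example; not REvil or Ransom Cartel code.  KDF (SHA-256 of the X25519
shared secret), footer layout and nonce size are assumptions.  Pure Python,
not constant-time: for study, never for production use.
"""
import hashlib
import os
import struct

# ---- X25519 (RFC 7748 Montgomery ladder) ----------------------------------
P = 2**255 - 19
A24 = 121665
BASEPOINT = bytes([9]) + bytes(31)

def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    """Return scalar * u on Curve25519 as 32 little-endian bytes."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # conditional swap (branching here is the non-constant-time part)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

# ---- Salsa20/20 stream cipher ---------------------------------------------
_SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"
_MASK = 0xFFFFFFFF

def _rotl(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & _MASK

def _qr(x: list, a: int, b: int, c: int, d: int) -> None:
    x[b] ^= _rotl((x[a] + x[d]) & _MASK, 7)
    x[c] ^= _rotl((x[b] + x[a]) & _MASK, 9)
    x[d] ^= _rotl((x[c] + x[b]) & _MASK, 13)
    x[a] ^= _rotl((x[d] + x[c]) & _MASK, 18)

def _salsa20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    ctr = (counter & _MASK, counter >> 32)
    s = [_SIGMA[0], *k[:4], _SIGMA[1], *n, *ctr, _SIGMA[2], *k[4:], _SIGMA[3]]
    x = s[:]
    for _ in range(10):  # 20 rounds = 10 (column round, row round) pairs
        _qr(x, 0, 4, 8, 12); _qr(x, 5, 9, 13, 1); _qr(x, 10, 14, 2, 6); _qr(x, 15, 3, 7, 11)
        _qr(x, 0, 1, 2, 3); _qr(x, 5, 6, 7, 4); _qr(x, 10, 11, 8, 9); _qr(x, 15, 12, 13, 14)
    return struct.pack("<16I", *[(x[i] + s[i]) & _MASK for i in range(16)])

def salsa20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the Salsa20 keystream; the same call decrypts."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 64)):
        ks = _salsa20_block(key, nonce, block)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)

# ---- per-file hybrid scheme -----------------------------------------------
FOOTER = struct.Struct("<32s8s")  # ephemeral public key || nonce (assumed layout)

def make_keypair(seed: bytes = b""):
    priv = seed or os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def _file_key(shared: bytes) -> bytes:
    return hashlib.sha256(shared).digest()  # assumed KDF, not the malware's

def encrypt_file(plaintext: bytes, operator_pub: bytes) -> bytes:
    """Encrypt under a fresh ephemeral key; only operator_priv can reverse it."""
    eph_priv, eph_pub = make_keypair()
    nonce = os.urandom(8)
    key = _file_key(x25519(eph_priv, operator_pub))
    # eph_priv is discarded on return: nothing left on the victim host can decrypt.
    return salsa20_xor(key, nonce, plaintext) + FOOTER.pack(eph_pub, nonce)

def decrypt_file(blob: bytes, operator_priv: bytes) -> bytes:
    body, footer = blob[:-FOOTER.size], blob[-FOOTER.size:]
    eph_pub, nonce = FOOTER.unpack(footer)
    return salsa20_xor(_file_key(x25519(operator_priv, eph_pub)), nonce, body)

if __name__ == "__main__":
    op_priv, op_pub = make_keypair()            # operator's long-term pair
    sample = b"constructed sample document " * 5  # constructed input
    blob = encrypt_file(sample, op_pub)          # what the encryptor leaves behind
    print(decrypt_file(blob, op_priv) == sample)  # only the operator can recover it
```

The property worth noting for incident response is that the victim host never holds a decryption capability: the ephemeral private key exists only for the duration of `encrypt_file`, and the footer carries only public material, so recovery without the operator's private key depends on a weakness in the keystream or a flaw in the implementation, not on artifacts left on disk.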
The researchers also detailed overlaps in the tactics, techniques and procedures (TTPs) used by REvil and Ransom Cartel. Unit 42 reported that the threat actor also uses a tool called DonPAPI to locate and retrieve credentials protected by the Windows Data Protection API (DPAPI dumping), a tool never observed in REvil operations.
The researchers also observed the gang using additional tools, including LaZagne to recover locally stored credentials and Mimikatz for credential harvesting.
“Ransom Cartel is one of many ransomware families that surfaced during 2021. While Ransom Cartel uses double extortion and some of the same TTPs we often observe during ransomware attacks, this type of ransomware uses less common tools – DonPAPI for example – that we haven’t observed in any other ransomware attacks.” concludes the report. “Based on the fact that the Ransom Cartel operators clearly have access to the original REvil ransomware source code, yet likely do not possess the obfuscation engine used to encrypt strings and hide API calls, we speculate that the operators of Ransom Cartel had a relationship with the REvil group at one point, before starting their own operation.”