Researchers: REvil Ransomware Reincarnated as Ransom Cartel

A relatively new ransomware group named Ransom Cartel has been linked to the now-defunct REvil ransomware on the basis of its tactics, techniques, and procedures (TTPs).

Analyzing its codebase, researchers at Palo Alto Networks Unit 42 said the new threat actor does not use code obfuscation as deep as REvil's, but shares most of REvil's core encryption logic while also abusing the Windows Data Protection API as a new vector.

Ransom Cartel Synopsis

Researchers at Palo Alto Networks Unit 42 have noted that Ransom Cartel, a relatively new ransomware gang, has an operational flow and malware code largely similar to those of REvil ransomware, which is now defunct.

REvil was most active early last year, when it hit thousands of companies through a supply-chain attack on the Kaseya MSP platform and went on to target high-profile companies such as Apple and Acer, demanding ransoms in the tens of millions. It eventually shut its doors owing to growing attention from law enforcement, with some of its members being arrested by Russian police early this year.

Yet cybersecurity experts strongly believe that the core members of REvil are still active and likely to take on a similar project soon. There is one now, called Ransom Cartel, as detailed by the researchers at Palo Alto Networks Unit 42.

By examining Ransom Cartel's tactics, techniques, and procedures (TTPs), the researchers linked it to REvil ransomware. Since REvil's encryptor code has never leaked on any hacking forum, any new project with similar code should be either a rebrand of REvil or a restart by REvil's core members.

The researchers said that the encryptors used by both gangs have the same structure and configuration, although the storage locations differ. Further, the values generated by Ransom Cartel samples, such as the multiple pairs of public/private keys and the session secrets, match the REvil scheme.

Though the new group's obfuscation is not as deep as REvil's, it has been found using a new vector: the Windows Data Protection API (DPAPI) for stealing credentials. The researchers noted a tool named "DonPAPI" in its toolset, which can search hosts for DPAPI blobs containing Wi-Fi keys, RDP passwords, and credentials saved in web browsers.

The threat actors steal these credentials and use them to compromise Linux-based ESXi servers and authenticate to their vCenter web interfaces. They are also reported to terminate all VMs and their related processes before encrypting the files. All of this suggests the new threat actors are experienced operators.
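The "terminate all VMs before encrypting" step described above is a precursor a defender can alert on: a burst of power-off events across many distinct VMs on one host within a short window. The following is an added example, not code from the researchers or from this article; it assumes a constructed, simplified log line format (real ESXi hostd and vCenter event formats differ) and a hypothetical alerting threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp host vm=… action=… user=…"
# format. This is NOT real ESXi/vCenter log output; adapt the regex to your source.
SAMPLE_LOG = """\
2022-10-14T02:13:01Z esxi01 vm=web01 action=poweroff user=admin
2022-10-14T02:13:02Z esxi01 vm=web02 action=poweroff user=admin
2022-10-14T02:13:02Z esxi01 vm=db01 action=poweroff user=admin
2022-10-14T02:13:03Z esxi01 vm=db02 action=poweroff user=admin
2022-10-14T02:13:04Z esxi01 vm=file01 action=poweroff user=admin
2022-10-14T02:13:05Z esxi01 vm=ad01 action=poweroff user=admin
2022-10-14T09:00:00Z esxi02 vm=test01 action=poweroff user=ops
2022-10-14T09:45:00Z esxi02 vm=test02 action=poweroff user=ops
"""

LINE_RE = re.compile(r"^(\S+) (\S+) vm=(\S+) action=(\S+) user=(\S+)$")


def parse(log_text):
    """Parse the constructed format into (timestamp, host, vm, action, user) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected shape
        ts, host, vm, action, user = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, vm, action, user))
    return events


def find_mass_poweroff(events, window=timedelta(minutes=5), threshold=5):
    """Return {host: set_of_vms} for hosts where at least `threshold` distinct VMs
    were powered off within any `window`-long sliding interval (threshold is a
    hypothetical tuning value, not a vendor recommendation)."""
    per_host = defaultdict(list)
    for ts, host, vm, action, _ in events:
        if action == "poweroff":
            per_host[host].append((ts, vm))
    alerts = {}
    for host, items in per_host.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward
            vms = {vm for _, vm in items[start:end + 1]}
            if len(vms) >= threshold:
                alerts[host] = alerts.get(host, set()) | vms
    return alerts


if __name__ == "__main__":
    print(find_mass_poweroff(parse(SAMPLE_LOG)))
```

Two normal power-offs 45 minutes apart on esxi02 stay below the threshold, while the six-VM burst on esxi01 is flagged.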
