A relatively new ransomware group named Ransom Cartel has been linked to the now-defunct REvil ransomware based on its tactics, techniques, and procedures (TTPs).
Analyzing its codebase, researchers at Palo Alto Networks Unit 42 said the new threat actor lacks REvil's deep code obfuscation but shares most of its core encryption logic, while also abusing the Windows Data Protection API as a new vector for credential theft.
Ransom Cartel Synopsis
Researchers at Palo Alto Networks Unit 42 have noted that Ransom Cartel, a relatively new ransomware gang, has an operational flow and malware code largely similar to those of REvil ransomware, which is now defunct.
REvil's operations peaked early last year, when it hit thousands of companies through the Kaseya MSP supply-chain attack and went on to target high-profile victims such as Apple and Acer, demanding tens of millions in ransom. It eventually shut its doors amid growing attention from law enforcement, with some of its members arrested by Russian police early this year.
Yet cybersecurity experts strongly believe that REvil's core members remain active and are likely to take on a similar project. One has now appeared, called Ransom Cartel, as described by the researchers at Palo Alto Networks Unit 42.
Observing the TTPs of Ransom Cartel, researchers linked it to REvil ransomware. Since REvil's encryptor code has never leaked on any hacking forum, any new project with similar code is either a rebrand of REvil or a restart by REvil's core members.
There is a new ransomware gang that started working around the middle of December or earlier. There are only a few tweets related to them yet. No samples seen yet.
But we can already tell it is related to REvil in one way – question is how exactly.
@demonslay335 @VK_Intel https://t.co/NQGf7iwuzG— MalwareHunterTeam (@malwrhunterteam) January 21, 2022
Researchers said the encryptors used by both gangs have the same configuration structure, although the configuration storage locations differ. Further, the artifacts generated by Ransom Cartel's samples, such as the multiple public/private key pairs and session secrets, match those of the REvil scheme.
Though the new group lacks REvil's deep obfuscation, it has been seen using a new vector: abusing the Windows Data Protection API (DPAPI) to steal credentials. Researchers noted the use of a tool named "DonPAPI", which can search hosts for DPAPI blobs containing Wi-Fi keys, RDP passwords, and credentials saved in web browsers.
The threat actors steal these credentials and use them to compromise Linux ESXi servers and authenticate to their vCenter web interfaces. They are also said to terminate all VMs and their related processes before encrypting files. All of this suggests the new threat actors are experienced operators.