Upstart Ransom Cartel linked to REvil veterans

Lesser of two REvils? There’s a relationship, say infosec bods, but not enough to say one evolved into the other

It has been almost a year since the ransomware gang Ransom Cartel was first detected and the crew over that time has racked up a steady drumbeat of victims in such countries as the United States and France and from a broad array of industry sectors.

Analysts at MalwareHunterTeam believe the group has been active since December 2021 and threat researchers with Palo Alto Networks' Unit 42 group first saw Ransom Cartel in action a month later. During most of 2022, defenders have been digging into the origins of the group. Now Unit 42 says Ransom Cartel shares some similarities with the notorious REvil ransomware-as-a-service (RaaS) gang.

However, does that mean REvil, which went dark just months before Ransom Cartel came to the surface, morphed into the new group and is just continuing with its nefarious ways under a new name?

The researchers aren't making that leap, but they believe that at one time those cybercriminals behind Ransom Cartel had made contact with their REvil counterparts, maybe as affiliates or in some other position.

"Based on the fact that the Ransom Cartel operators clearly have access to the original REvil ransomware source code, yet likely do not possess the obfuscation engine used to encrypt strings and hide API calls, we speculate that the operators of Ransom Cartel had a relationship with the REvil group at one point, before starting their own operation," Unit 42 researchers Amer Elsad and Daniel Bunce write in a recent report.

There has been on-again, off-again talk about the return of REvil. The speculation about Ransom Cartel and its possible links to the Russia-based group – also known as Sodinokibi - illustrates again the fluid nature of the cybercrime world and the constantly evolving rise and fall of the criminal gangs. None of this surprises Andrew Barratt, vice president at Coalfire, a cybersecurity advisory firm.

"There is so much 'crime-as-a-service,'" Barratt told The Register. "They could be a customer (REvil was originally pitched as ransomware-as-a-service). It could also be a simple supplier relationship in place, but just a copycat given the success REvil had."

That said, "it's vitally important to track movements [of the cybercriminals and their groups] as we may see changes in the artifacts (files, locations, hashes, etc.) that give us indicators of compromise, or indicators of activity," he said.

"These are the very things defenders or forensic investigators need to be on top of and a shared awareness equals a greater defense over all."

REvil began operations in 2019 and became a major player in the ransomware field, hitting among others JBS Foods and Kaseya. It also drew attention from the US government, which leaned on Russian officials to do more to shut down cybercrime groups that Moscow had been shielding for years. The pressure helped lead to REvil essentially shutting its doors in late 2021 and the arrests in January of 14 suspected members by Russian officials.

However, REvil's influence remains, as demonstrated by the apparent ties linking Ransom Cartel to it.

"At this time, we believe that Ransom Cartel operators had access to earlier versions of REvil ransomware source code, but not some of the most recent developments," Elsad and Bunce wrote. "This suggests there was a relationship between the groups at some point, though it may not have been recent."

Some of those crossovers include similarities in the ransom notes from each group – though those would be fairly simple to copy. Both use double-extortion methods – as do a growing number of groups. Ransom Cartel not only threatens to post the stolen data to its leak site if the demanded ransom isn't paid, but also to send the data to the victim's partners, competitors, and media.

Other similarities with REvil include the method both use to generate session secrets, "indicating a direct overlap between the REvil source code and the latest Ransom Cartel samples," the researchers wrote. The data encryption scheme used by Ransom Cartel also is identical to those found in REvil samples, according to Unit 42.

There also are differences, including in how the encrypted data is stored. In addition, REvil would heavily obfuscate its ransomware – using such methods as string encryption and API hashing – while Ransom Cartel does essentially no obfuscation beyond the configuration.

"It is possible that the Ransom Cartel group is an offshoot of the original REvil threat actor group, where the individuals only possess the original source code of the REvil ransomware encryptor/decryptor, but do not have access to the obfuscation engine," the Unit 42 researchers wrote.

In addition, Ransom Cartel uses DonPAPI to locate and retrieve credentials protected by Windows Data Protection API (DPAPI) in a technique known as "DPAPI dumping." The researchers wrote the tool had not been seen in previous incidents.

DonPAPI searches systems for files known to be protected by DPAPI, such as Wi-Fi keys, Remote Desktop Protocol (RDP) passwords, and credentials saved in web browsers. The tool also has ways to avoid detection by antivirus and endpoint detection and response (EDR) software.

"To compromise Linux ESXi devices, Ransom Cartel uses DonPAPI to harvest credentials stored in web browsers used to authenticate to the vCenter web interface," the researchers wrote.

There may not be anything conclusive yet about where the Ransom Cartel cybercriminals came from, but the search for answers is important.

"While there are a lot of advanced persistent threat (APT) groups in play, they have the same limitations on talent that legitimate businesses have," Mike Parkin, senior technical engineer at cybersecurity firm Vulcan Cyber, told The Register. "By tracking the groups over time, and looking for signatures in their techniques, it's possible to identify who the players are and, perhaps, give law enforcement the knowledge they need to act." ®

Editor's note: This article was revised after publication to remove our assertion that REvil was behind the Colonial Pipeline intrusion; that was attributed to another gang, DarkSide, which does have close links to REvil. We are happy to clarify the situation.

Similar topics

TIP US OFF

Send us news


Other stories you might like