It’s been nearly a year since the nascent ransomware gang, Ransom Cartel, was first discovered, and in that time the group has amassed a steady drumbeat of victims in countries like the United States and France, and across a variety of industries.
Analysts from MalwareHunterTeam believe the group has been active since December 2021, and threat researchers from Palo Alto Networks’ Unit 42 group first saw Ransom Cartel in action a month later. For most of 2022, defenders have been digging into the origins of the group. Now, Unit 42 says Ransom Cartel shares some similarities with the notorious ransomware-as-a-service (RaaS) gang REvil.
However, does that mean that REvil – which was behind last year’s high-profile attack on Colonial Pipeline and basically went dark just months before Ransom Cartel emerged – has morphed into the new group, continuing its nefarious ways under a new name?
Researchers aren’t making that leap, but they believe the cybercriminals behind Ransom Cartel once made contact with their REvil counterparts, perhaps as partners or in a different position.
“Based on the fact that the Ransom Cartel operators clearly have access to the original source code of the REvil ransomware, but probably do not have the obfuscation engine used to encrypt strings and hide API calls, we speculate that the Ransom Cartel operators had a relationship with the REvil group at one point before they launched their own operation,” write Unit 42 researchers Amer Elsad and Daniel Bunce in a recent report.
The return of REvil has been talked about over and over again. The speculation surrounding Ransom Cartel and its possible links to the Russia-based group – also known as Sodinokibi – once again highlights the fluid nature of the cybercrime world and the ever-evolving rise and fall of criminal gangs. All of this comes as a surprise to Andrew Barratt, vice president at Coalfire, a cybersecurity consulting firm.
“There’s so much ‘crime as a service’,” Barratt told The Register. “You could be a customer (REvil was originally offered as ransomware-as-a-service). It could also be a simple supplier relationship, or just a copycat given the success REvil has had.”
Still, he said, “it is crucial to track movements [of the cybercriminals and their groups] as we may see changes in the artifacts (files, locations, hashes, etc.) that give us clues about compromises or indicators of activity.”
“These are exactly the things that defenders or forensic investigators need to keep in mind, and shared awareness equates to better defense overall.”
REvil began operations in 2019 and has become a major player in ransomware, highlighted by attacks such as those on Colonial Pipeline, JBS Foods, and Kaseya. It also caught the attention of the US government, which was leaning on Russian officials to do more to shut down cybercrime groups it had been shielding for years. The pressure contributed to REvil essentially closing its doors at the end of 2021, with 14 members arrested by Russian officials in January.
However, REvil’s influence remains, as evidenced by the obvious connections linking Ransom Cartel to it.
“At this point in time, we believe the Ransom Cartel operators had access to previous versions of the REvil ransomware source code, but not some of the latest developments,” wrote Elsad and Bunce. “This suggests that a relationship existed between the groups at some point, although it may not be recent.”
Some of these overlaps are similarities in each group’s ransom notes – although these would be fairly easy to duplicate. Both employ double extortion – as do a growing number of groups. Ransom Cartel not only threatens to publish the stolen data on its leak site if the demanded ransom is not paid, but also to send the data to the victim’s partners, competitors and the media.
Other similarities to REvil include the method they both use to generate session secrets, “pointing to a direct overlap between the REvil source code and the latest Ransom Cartel samples,” the researchers wrote. The data encryption scheme used by Ransom Cartel is also identical to that found in REvil samples, according to Unit 42.
There are also differences, including how the encrypted data is stored. Additionally, REvil would heavily obfuscate its ransomware — using methods like string encryption and API hashing — while Ransom Cartel essentially does no obfuscation beyond configuration.
“It is possible that the Ransom Cartel group is an offshoot of the original REvil threat actor group, where people only own the original source code of the REvil ransomware encryptor/decryptor, but do not have access to the obfuscation engine,” the Unit 42 researchers wrote.
Additionally, Ransom Cartel uses DonPAPI to locate and retrieve credentials protected by the Windows Data Protection API (DPAPI) in a technique known as “DPAPI dumping”. The researchers wrote that the tool had not been seen in previous incidents.
DonPAPI scans systems for files known to be protected by DPAPI, such as Wi-Fi keys, Remote Desktop Protocol (RDP) passwords and credentials stored in web browsers. The tool also provides ways to avoid detection by antivirus and endpoint detection and response (EDR) software.
“To compromise Linux ESXi devices, Ransom Cartel uses DonPAPI to collect credentials stored in web browsers used to authenticate to the vCenter web interface,” the researchers wrote.
Where the Ransom Cartel cybercriminals came from may not be settled yet, but finding answers is important.
“Although there are many Advanced Persistent Threat (APT) groups at play, they have the same talent limitations as legitimate companies,” Mike Parkin, senior technical engineer at cybersecurity firm Vulcan Cyber, told The Register. “By tracking the groups over time and finding signatures in their techniques, it is possible to identify the players and potentially provide law enforcement with the knowledge they need to take action.” ®
https://www.theregister.com/2022/10/18/revil_ransom_cartel_links/ Ransomware cartel linked to colonial pipeline attacker REvil • The Register