Ransomware Syndicate ‘Ransom Cartel’ Found Having Strong Ties With the Now-defunct REvil Gang


Ransom Cartel, a relatively new ransomware syndicate, has strong ties to the infamous REvil ransomware gang. Recent evidence suggests that the Russia-based REvil continues to have a “malicious influence,” as Palo Alto Networks terms it, despite the gang being operationally defunct since October 2021.

Palo Alto Networks’ cyber intelligence arm Unit 42 observed Ransom Cartel activity around mid-January 2022, though there is reason to believe the ransomware group emerged in December 2021, two months after the REvil gang was taken down in a joint operation by U.S. government and foreign law enforcement agencies and private players.

According to a technical writeup by Unit 42, Ransom Cartel has several similarities and technical overlaps with REvil, the notorious cybercriminal entity behind some of last year’s major attacks, including attacks on Taiwanese computer maker Acer, Apple’s Taiwanese supplier Quanta, the world’s largest processed meat supplier JBS Foods, IT vendor Kaseya, Sol Oriens, a U.S. Department of Energy subcontractor for nuclear weapons consulting, and others.

The widespread ramifications of these cyberattacks led to rigorous scrutiny by law enforcement, including 14 arrests of alleged members by Russia’s FSB, which killed off REvil operations. However, it looks like the REvil gang, also known as Sodinokibi, has passed on its know-how to those with whom it had previous connections.

“We believe that Ransom Cartel operators had access to earlier versions of REvil ransomware source code, but not some of the most recent developments,” Unit 42 said. “This suggests there was a relationship between the groups at some point, though it may not have been recent.”

The code structure of the two Ransom Cartel strains that Unit 42 analyzed bears similarities to REvil: it uses the same JSON format with some additional values (pid, sub, fast, wipe and dmn), has an identical encryption scheme, creates session secrets using the same procedure, and leverages Salsa20 and Curve25519 for encryption with only minimal discrepancies in the encryption routine.

Ransom Cartel also carries out double extortion, offers ransomware-as-a-service (RaaS), and is quite aggressive: it threatens not only to leak exfiltrated (read: stolen) data on its leak site but also to share it with its victims’ competitors, partners and the media.


Unit 42 said multiple Ransom Cartel tactics, techniques, and procedures (TTPs) suggest links to REvil. It also employs DonPAPI, an uncommon tool used to search for DPAPI blobs (Wi-Fi keys, RDP passwords, credentials saved in web browsers, and more) that has not been observed in any other known ransomware attacks.

However, Ransom Cartel does deviate a tad from REvil as the former doesn’t have the obfuscation engine that the latter used to encrypt strings and hide API calls. The cybercriminal group also leverages tools such as LaZagne and Mimikatz and has thus far targeted education, manufacturing, utilities and energy organizations.

Ransom Cartel’s use of DonPAPI, LaZagne and Mimikatz indicates that it relies on stolen credentials to establish initial access into the target network. Environments that it typically targets include external remote services, remote desktop protocol (RDP), secure shell protocol (SSH) and virtual private networks (VPNs).
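The credential-based initial access described above leaves a recognizable trace in Windows Security logs: successful logons (event 4624) with logon type 10 (RemoteInteractive, i.e. RDP) from addresses outside the organization, several different accounts arriving from one source in a short window, or a failed logon (event 4625) followed by a success from the same source. The script below is an added example written for this article, not code from the article or from Unit 42. The log lines are constructed and the key=value layout is an assumption; the event IDs and logon type are standard Windows values.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample events (not from the article or from Unit 42). The fields
# mirror what a Windows Security event 4624/4625 carries: event id, logon type
# (10 = RemoteInteractive/RDP, 3 = network), target account and source address.
# The key=value layout is an assumption for this example.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.20.30.7",
    "EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=203.0.113.44",
    "EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.44",
    "EventID=4624 LogonType=10 TargetUserName=finance01 IpAddress=203.0.113.44",
    "EventID=4624 LogonType=3 TargetUserName=jdoe IpAddress=10.20.30.9",
    "EventID=4625 LogonType=10 TargetUserName=root IpAddress=198.51.100.9",
    "EventID=4624 LogonType=10 TargetUserName=hr_admin IpAddress=198.51.100.9",
    "this line is malformed and must be skipped",
]

# RFC 1918 ranges stand in for "inside the organization" in this example.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
RDP_LOGON_TYPE = "10"
LOGON_SUCCESS = "4624"
LOGON_FAILURE = "4625"

Finding = Tuple[str, str, str]  # (rule name, source ip, detail)


@dataclass
class Event:
    event_id: str
    logon_type: str
    user: str
    ip: str


def parse_event(line: str) -> Optional[Event]:
    """Parse one key=value log line; return None for lines missing a field."""
    fields = {}
    for part in line.split():
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    try:
        return Event(fields["EventID"], fields["LogonType"],
                     fields["TargetUserName"], fields["IpAddress"])
    except KeyError:
        return None


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspicious_rdp_logons(lines: List[str],
                               max_accounts_per_source: int = 2) -> List[Finding]:
    """Apply three RDP-focused rules to a batch of log lines."""
    findings: List[Finding] = []
    accounts_by_source = defaultdict(set)   # successful RDP logons per source ip
    failures_by_source = defaultdict(int)   # failed RDP logons per source ip

    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.logon_type != RDP_LOGON_TYPE:
            continue
        if ev.event_id == LOGON_FAILURE:
            failures_by_source[ev.ip] += 1
            continue
        if ev.event_id != LOGON_SUCCESS:
            continue
        # Rule 1: an RDP session established from outside the organization.
        if is_external(ev.ip):
            findings.append(("external_rdp_logon", ev.ip, ev.user))
        accounts_by_source[ev.ip].add(ev.user)

    # Rule 2: one source logging in as many distinct accounts.
    for ip, users in accounts_by_source.items():
        if len(users) > max_accounts_per_source:
            findings.append(("many_accounts_one_source", ip, ",".join(sorted(users))))

    # Rule 3: failures followed by a success from the same source.
    for ip, count in failures_by_source.items():
        if ip in accounts_by_source:
            findings.append(("failure_then_success", ip, f"{count} failed attempt(s)"))

    return findings


if __name__ == "__main__":
    for rule, ip, detail in find_suspicious_rdp_logons(SAMPLE_EVENTS):
        print(f"{rule:26} {ip:16} {detail}")
```

The thresholds (two accounts per source, any failure before a success) are deliberately low for a batch this small; in production they would be tuned per environment and the same rules would be fed from a SIEM rather than a list of strings.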

“Due to the high-profile nature of some organizations targeted by Ransom Cartel and steady stream of Ransom Cartel cases identified by Unit 42, the operator and/or affiliates behind the ransomware likely will continue to attack and extort organizations,” Unit 42 added.

For indicators of compromise and more technical details, refer to Unit 42’s technical writeup.

In April 2022, researchers discovered that the leak site of REvil was back online. Visiting the site would redirect the user to a new leak site (active since mid-December) that listed REvil victims. Both white and black hats were skeptical, with the former speculating that it was the work of an impostor or a law-enforcement honeypot, since law enforcement was the party with access to the original leak site (called Happy Blog).

Later in the same month, researchers stumbled upon a new REvil variant sharing a similar codebase, albeit with limited capabilities.

