Threat researchers at Palo Alto’s Unit 42 have found a link between the relatively new Ransom Cartel ransomware operation and the now-defunct REvil ransomware syndicate.
The REvil/Sodinokibi group gained notoriety after a series of high-profile ransomware hacks, including Kaseya, Acer, Apple supplier Quanta, meat supplier JBS Foods, and Sol Oriens, a US Department of Energy subcontractor for nuclear weapons consulting. In October 2022, law enforcement agencies disrupted REvil’s infrastructure, and in January 2022 Russia’s FSB arrested 14 suspected members of the REvil team.
According to Unit 42, Ransom Cartel, which first surfaced in mid-December 2021, uses double extortion tactics and has several similarities and technical overlaps with REvil ransomware.
“REvil ransomware disappeared just a couple of months before Ransom Cartel surfaced and just one month after 14 of its alleged members were arrested in Russia. When Ransom Cartel first appeared, it was unclear whether it was a rebrand of REvil or an unrelated threat actor who reused or mimicked REvil ransomware code,” the report notes.
“…another major overlap is the code reuse across the two samples of Ransom Cartel. Both use an identical encryption scheme, generating multiple public/private key pairs, and creating session secrets using the same procedure found within REvil samples.”
The researchers believe that Ransom Cartel operators had access to earlier versions of the REvil ransomware source code, but not to some of its most recent developments, suggesting that the two groups had a relationship at some point.
“A particularly interesting difference between the two malware families is that REvil opts to obfuscate their ransomware much more heavily than the Ransom Cartel group, utilizing string encryption, API hashing and more, while Ransom Cartel has almost no obfuscation outside of the configuration, hinting that the group may not possess the obfuscation engine used by REvil,” the researchers said. “It is possible that the Ransom Cartel group is an offshoot of the original REvil threat actor group, where the individuals only possess the original source code of the REvil ransomware encryptor/decryptor, but do not have access to the obfuscation engine.”
Ransom Cartel’s victim list includes organizations in education, manufacturing, utilities and energy industries. Like many other ransomware gangs, Ransom Cartel threatens to leak stolen data if a ransom is not paid.
The gang uses compromised credentials to gain initial access to a target organization. These include credentials for external remote services, Remote Desktop Protocol (RDP), Secure Shell (SSH) and virtual private networks (VPNs), purchased or otherwise obtained in the cyber underground.
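Because the initial access described above uses valid credentials rather than an exploit, the detection opportunity lies in the logon itself: a successful remote-service logon from a source the account has never used, from outside the organisation's address space, or at an unusual hour. The following is an added example of that baseline check (not code from the Unit 42 report or from either ransomware family), run over a handful of constructed Windows Security events in the JSON shape a SIEM might export. The event fields, the baseline, and the 10.0.0.0/8 internal range are all assumptions for the sake of the example.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample of Windows Security events (not from the article).
# EventID 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
# EventID 4625 is a failed logon and is ignored by this check.
SAMPLE_EVENTS = [
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.5.21", "TimeCreated": "2022-10-14T08:02:11Z"}',
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.5.21", "TimeCreated": "2022-10-14T09:15:40Z"}',
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "198.51.100.77", "TimeCreated": "2022-10-14T02:41:03Z"}',
    '{"EventID": 4624, "LogonType": 2, "TargetUserName": "jdoe", "IpAddress": "127.0.0.1", "TimeCreated": "2022-10-14T08:00:00Z"}',
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "10.0.9.4", "TimeCreated": "2022-10-14T03:05:12Z"}',
    '{"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.9", "TimeCreated": "2022-10-14T03:04:50Z"}',
]

# Constructed baseline: source addresses each account used for RDP during a
# learning window. In practice this is built from historical 4624 events.
BASELINE = {"jdoe": {"10.0.5.21"}, "admin": {"10.0.9.4"}}

# Assumed corporate address space; any other source is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_events(lines):
    """Parse JSON event lines, skipping malformed ones instead of aborting."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_external(ip_text):
    """True when the address lies outside every configured internal range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # placeholders such as "-" carry no address to judge
    return not any(addr in net for net in INTERNAL_NETS)


def flag_remote_logons(lines, baseline, off_hours=(0, 6)):
    """Return one alert per successful RDP logon that deviates from the baseline.

    off_hours is a half-open [start, end) range of UTC hours treated as
    outside normal business activity.
    """
    alerts = []
    for ev in parse_events(lines):
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 10:
            continue
        user = ev.get("TargetUserName", "")
        ip = ev.get("IpAddress", "")
        ts = ev.get("TimeCreated", "")
        reasons = []
        if ip not in baseline.get(user, set()):
            reasons.append("source address not in baseline for account")
        if is_external(ip):
            reasons.append("source address outside internal ranges")
        try:
            hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
        except ValueError:
            hour = None  # unparseable timestamp: skip the time-of-day rule
        if hour is not None and off_hours[0] <= hour < off_hours[1]:
            reasons.append("logon outside business hours")
        if reasons:
            alerts.append({"user": user, "source": ip, "time": ts, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_remote_logons(SAMPLE_EVENTS, BASELINE):
        print(f"{alert['time']} {alert['user']} from {alert['source']}: "
              + "; ".join(alert["reasons"]))
```

On the sample data the two routine `jdoe` logons pass silently, the `svc_backup` logon is flagged on all three rules, and the `admin` logon from its usual workstation is flagged only for the hour. The same structure applies to SSH and VPN logs once the field names are mapped; the value is in the per-account baseline, which is what distinguishes a stolen credential from its legitimate owner.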
“Ransom Cartel is one of many ransomware families that surfaced during 2021. While Ransom Cartel uses double extortion and some of the same TTPs we often observe during ransomware attacks, this type of ransomware uses less common tools – DonPAPI for example – that we haven’t observed in any other ransomware attacks,” Unit 42 said.