Researchers have linked the relatively new Ransom Cartel ransomware operation with the notorious REvil gang based on code similarities in both operations’ encryptors.
REvil reached its pinnacle of success in the first half of 2021, compromising thousands of companies in a Kaseya MSP supply-chain attack, demanding a $50 million payment from computer maker Acer, and extorting Apple using stolen blueprints of non-yet-released devices.
The REvil ransomware gang finally shut down in October 2021 following intense pressure from law enforcement. However, in January 2022, the Russian authorities announced arrests, money seizures, and charges against eight of the gang’s members.
In December 2021, a new ransomware operation named ‘Ransom Cartel’ was launched that shared many code similarities to REvil’s malware.
A possible rebrand?
A new report from Palo Alto Network’s Unit 42 sheds further light on the connection between the two cybercrime gangs, sharing similarities in techniques, tactics, and procedures (TTPs) and, most importantly, common ground in the code of their malware.
Because the source code of REvil’s encrypting malware was never leaked on hacking forums, any new project using similar code is either a rebrand or a new operation launched by a core member of the original gang.
When analyzing encryptors for Ransom Cartel, the researchers found similarities in the structure of the configuration embedded in the malware, although the storage locations are different.
The samples analyzed by Unit 42 show that Ransom Cartel is missing some configuration values, meaning that the authors are either trying to make the malware leaner or that their basis is an earlier version of the REvil malware.
The encryption scheme is where the similarities become stronger, with Ransom Cartel’s samples generating multiple pairs of public/private keys and session secrets, an REvil system that shined in the Kaseya attacks.
“Both use Salsa20 and Curve25519 for file encryption, and there are very few differences in the layout of the encryption routine besides the structure of the internal type structs,” explains the report by Unit 42 researchers Daniel Bunce and Amer Elsad.
An interesting finding is that the Ransom Cartel samples do not feature REvil’s strong obfuscation, which might mean that the authors of the new malware don’t possess REvil’s original obfuscation engine.
Ransom Cartel operations
There are also similarities in the tactics, techniques, and procedures (TTPs) used by REvil and Ransom Cartel, such as double-extortion attacks, large ransom demands, and a data leak site to pressure victims into paying a ransom.
However, one technique used by Ransom Cartel, and not seen in REvil attacks, is using the Windows Data Protection API (DPAPI) to steal credentials.
For this method, Ransom Cartel uses a tool named “DonPAPI,” which can search hosts for DPAPI blobs containing Wi-Fi keys, RDP passwords, and credentials saved in web browsers and then download and decrypt them locally on the machine.
These credentials are then used to compromise Linux ESXi servers and authenticate to their vCenter web interfaces.
Finally, the threat actors shut down VMs, terminate all related processes, and encrypt Vmware-related files (.log, .vmdk, .vmem, .vswp and .vmsn).
The existence of DonPAPI, a not commonly used tool, indicates that the operators of Ransom Cartel are experienced threat actors.
Another REvil-linked ransomware operation?
While there are strong connections between Ransom Cartel and REvil, they are not the only ransomware gang currently using REvil’s code.
In April 2022, another ransomware operation we call ‘BlogXX’ was found, whose encryptors were almost identical to the REvil encryptors.
Researchers at the time told BleepingComputer that the BlogXX encryptor was not only compiled from REvil’s source code but also included new changes.
“Yes, my assessment is that the threat actor has the source code. Not patched like “LV Ransomware” did,” security researcher R3MRUM told BleepingComputer at the time.
AdvIntel CEO Vitali Kremez also told BleepingComputer that BlogXX’s encryptors included a new ‘accs’ configuration option that contained account credentials for the targeted victim.
Furthermore, the new ransomware operation used identical ransom notes and called themselves ‘Sodinokibi,’ an alternate name for REvil, on their Tor payment sites.
However, unlike Ransom Cartel, BlogXX’s history has an additional component that lends strong evidence that they are, in fact, the REvil rebrand.
After REvil’s shut down, the gang’s old Tor websites were revived, but this time redirected visitors to the BlogXX operation’s data leak site.
While these sites looked nothing like REvil’s previous websites, the fact that the old Tor sites were redirecting to BlogXX’s sites showed that the new operation had control of REvil’s Tor private keys.
As only the original REvil operators would possess these Tor private keys, it showed a strong connection between the two gangs.
While irrefutable evidence that BlogXX or Ransom Cartel are rebrands of the REvil operation is yet to be found, it’s quite clear that at least some of the original members are behind these new ransomware operations.