2022-10-25

Connecting Ransom Cartel Ransomware with REvil

Level: 
Tactical
  |  Source: 
Palo Alto Unit42
Education
Energy
Manufacturing
Industrial
Share:

Connecting Ransom Cartel Ransomware with REvil

Unit42 researchers have reported activity from Ransom Cartel ransomware as a service (RaaS) that emerged in mid-December 2021 with potential connections to REvil ransomware. The REvil ransomware gang is most renowned for its July 2021, attack against the managed service provider, Kaseya. The group went dark when eight REvil members were arrested in January 2022. Similarities between the groups were identified by Unit42 based on overlaps in techniques, tactics, and procedures (TTPs) and a resemblance in the ransomware malware source code. A connection is likely to exist as REvil's malware has never leaked, thus any usage of the code would be through rebranding and revival efforts. Unit42's analysis of the ransomware discovered "Both use Salsa20 and Curve25519 for file encryption, and there are very few differences in the layout of the encryption routine besides the structure of the internal type structs." A distinction in Ransom Cartel's code is the absence of obfuscation, "hinting that the group may not possess the obfuscation engine used by REvil." Ransom Cartel operators usually obtain initial access through compromised credentials, buying access from initial access brokers, or through credential harvesting campaigns. Operations conducted by Ransom Cartel involve double extortion with large ransom demands and pressuring victims with data leaks to obtain ransom payments. Notable tools and techniques used by Ransom Cartel include the PrintNightmare vulnerability for privilege escalation, LaZagne, and Mimikatz for credential harvesting, living off the land binaries (LOLBin) PowerShell, CMD and rundll32, PDQ Inventory for system and network information collection, BITsAdmin for tool transfer, Rclone and 7-zip for data collection. A unique tool used by Ransom Cartel is 'DonPAPI' used to search data protection API (DPAPI) on the host and harvest web browser credentials. Aside from the usage of DonPAPI, most of Ransom Cartel's TTPs are commonly observed in ransomware attacks. The coding similarity in the ransomware malware, strongly suggests a connection with REvil to have existed prior to Ransom Cartel's emergence.

Get trending threats published weekly by the Anvilogic team.

Sign Up Now