Researchers uncover Ransom Cartel linked to REvil ransomware

Share post:

Security researchers from Unit 42 of the Palo Alto network have uncovered Ransom Cartel, a ransomware operation that bears similarities to the notorious REvil ransomware.

According to the researchers, the two cybercrime gangs have similarities in techniques, tactics and procedures (TTPs). They so share common ground in the code of their malware.

There is a tendency to assume Ransom Cartel is an offshoot of REvil, since the source code of REvil’s encrypting malware was never leaked on hacking forums. Therefore, any project using similar code is either a rebrand or a new operation launched by a core member of the original gang.

Both operations have similar encryption similarities with Ransom Cartel’s samples generating multiple pairs of public/private keys and session secrets similar to those of REvil.

Ransom Cartel and REvil also have similarities in the tactics, techniques and procedures (TTPs) used including double-extortion attacks, large ransom demands and a data leak site to pressure victims into paying a ransom.

Despite the similarities, the Ransom Cartel samples do not feature REvil’s strong obfuscation which could mean that the authors of the new malware are not in possession of REvil’s original obfuscation engine.

Unlike REvil, RansomCartel uses the Windows Data Protection API (DPAPI) technique to steal access data. This technique essentially involves using a tool called “DonAPI,” which can search hosts for DPAPI blobs containing Wi-Fi keys, RDP passwords and credentials saved in web browsers and then download and decrypt them locally on the machine.

The sources for this piece include an article in BleepingComputer.

SUBSCRIBE NOW

Related articles

London hospitals cancel over 800 operations after ransomware attack

NHS England disclosed today that a recent ransomware attack on Synnovis has led to the cancellation of hundreds...

Microsoft cancels universal Recall release in favor of Windows Insider preview

Microsoft has decided to cancel the wide release of Recall, the controversial tool for Copilot+ PCs, and instead...

Cyber Security Today, Week in Review for week ending Friday, June 14, 2024

Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, June 14th,...

Cyber Security Today, June 14, 2024 – Employee downloaded a file that led to hospital chain’s ransomware attack

An employee downloaded a file that led to hospital chain's ransomware attack Welcome to Cyber Security Today. It's Friday...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways