Researchers uncover Ransom Cartel linked to REvil ransomware

Share post:

Security researchers from Unit 42 of the Palo Alto network have uncovered Ransom Cartel, a ransomware operation that bears similarities to the notorious REvil ransomware.

According to the researchers, the two cybercrime gangs have similarities in techniques, tactics and procedures (TTPs). They so share common ground in the code of their malware.

There is a tendency to assume Ransom Cartel is an offshoot of REvil, since the source code of REvil’s encrypting malware was never leaked on hacking forums. Therefore, any project using similar code is either a rebrand or a new operation launched by a core member of the original gang.

Both operations have similar encryption similarities with Ransom Cartel’s samples generating multiple pairs of public/private keys and session secrets similar to those of REvil.

Ransom Cartel and REvil also have similarities in the tactics, techniques and procedures (TTPs) used including double-extortion attacks, large ransom demands and a data leak site to pressure victims into paying a ransom.

Despite the similarities, the Ransom Cartel samples do not feature REvil’s strong obfuscation which could mean that the authors of the new malware are not in possession of REvil’s original obfuscation engine.

Unlike REvil, RansomCartel uses the Windows Data Protection API (DPAPI) technique to steal access data. This technique essentially involves using a tool called “DonAPI,” which can search hosts for DPAPI blobs containing Wi-Fi keys, RDP passwords and credentials saved in web browsers and then download and decrypt them locally on the machine.

The sources for this piece include an article in BleepingComputer.

SUBSCRIBE NOW

Related articles

Hackers Plant False Memories in ChatGPT to Steal User Data

A security researcher has uncovered a vulnerability in ChatGPT that could allow hackers to store false information and...

“Octo2” Trojan Targets Bank Accounts by Posing as VPN or Chrome Apps on Android

A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN...

Evilginx – Open source tool can bypass Multi-Factor Authentication (MFA)

Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool,...

Kaspersky’s exit from US market frightens some customers

Kaspersky, the Russian cybersecurity firm, has unexpectedly removed its antivirus software from U.S. customers' computers, replacing it with...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways