Ransom Cartel first appeared in December 2021 and conducts double-extortion attacks. The REvil ransomware gang went dark in October 2021, only a few months before Ransom Cartel surfaced. Are the two connected? Palo Alto Networks researchers have shed light on the question.

Diving into details

The two ransomware gangs share similarities in both TTPs and malware code.
  • The two families store their configuration in different locations, but researchers found that the configuration structure embedded in each malware is similar.
  • Ransom Cartel's configuration lacks certain values present in REvil's. This suggests that the authors either trimmed the malware down or based it on an earlier version of REvil.
  • The similarities are strongest in the encryption scheme. Ransom Cartel samples generate several private/public key pairs plus per-file session secrets, the same approach REvil used during the Kaseya attack.
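To make the last point concrete, the following Go program is an added illustration of a layered key hierarchy of the kind the bullet describes: one key pair held offline by the operator, one key pair generated per victim host, and a fresh ephemeral pair (session secret) per file. It is not Ransom Cartel's or REvil's code; the primitives (X25519, SHA-256, AES-GCM from the Go standard library), the function names and the constructed sample data are assumptions chosen for readability, not details taken from the page or from Palo Alto's report.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Illustrative hybrid scheme (assumed primitives, not the malware's own):
// operator key pair (offline) -> wraps host key pair -> wraps per-file keys.
var curve = ecdh.X25519()

// NewKeyPair generates a fresh X25519 key pair.
func NewKeyPair() (*ecdh.PrivateKey, error) { return curve.GenerateKey(rand.Reader) }

// gcmFromECDH derives an AES-256-GCM instance from an X25519 shared secret.
func gcmFromECDH(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncapsulateTo encrypts plaintext for recipient: a fresh ephemeral key pair
// is generated, ECDH against the recipient public key yields the session
// secret, and the ephemeral public key is returned beside nonce||ciphertext.
// The ephemeral private key is dropped, so only the recipient can decrypt.
func EncapsulateTo(recipient *ecdh.PublicKey, plaintext []byte) (ephPub, blob []byte, err error) {
	eph, err := NewKeyPair()
	if err != nil {
		return nil, nil, err
	}
	gcm, err := gcmFromECDH(eph, recipient)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return eph.PublicKey().Bytes(), gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decapsulate reverses EncapsulateTo using the recipient private key.
func Decapsulate(recipient *ecdh.PrivateKey, ephPub, blob []byte) ([]byte, error) {
	pub, err := curve.NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFromECDH(recipient, pub)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// RunScenario walks the hierarchy end to end and reports whether the victim's
// data round-trips using nothing but the operator's private key.
func RunScenario() (bool, error) {
	operator, err := NewKeyPair() // held offline by the operator
	if err != nil {
		return false, err
	}
	host, err := NewKeyPair() // generated on the victim at runtime
	if err != nil {
		return false, err
	}
	// Per file: its own ephemeral pair and session secret, tied to the host key.
	plaintext := []byte("constructed sample: contents of quarterly-report.xlsx")
	fileEph, fileBlob, err := EncapsulateTo(host.PublicKey(), plaintext)
	if err != nil {
		return false, err
	}
	// Per host: the host private key is wrapped to the operator public key and
	// would then be wiped, leaving nothing on the machine that decrypts files.
	hostEph, hostBlob, err := EncapsulateTo(operator.PublicKey(), host.Bytes())
	if err != nil {
		return false, err
	}
	// Recovery path: operator private -> host private -> per-file session key.
	hostBytes, err := Decapsulate(operator, hostEph, hostBlob)
	if err != nil {
		return false, err
	}
	recoveredHost, err := curve.NewPrivateKey(hostBytes)
	if err != nil {
		return false, err
	}
	got, err := Decapsulate(recoveredHost, fileEph, fileBlob)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, plaintext), nil
}

func main() {
	ok, err := RunScenario()
	fmt.Println("round trip via operator key:", ok, err)
}
```

The practical point for responders is the recovery path at the end of RunScenario: once the host private key has been wrapped and wiped, nothing left on the victim machine can decrypt a file, and a per-file ephemeral public key stored beside the ciphertext is useless without the host private key, which in turn is useless without the operator's offline key. Any leaked operator private key, as happened for some REvil victims, therefore unlocks every host wrapped to it.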

Attribution

While the researchers assess that there is some relationship between the two gangs, the evidence does not show that Ransom Cartel is an evolution or rebrand of REvil.
  • The researchers suspect that the actors behind Ransom Cartel at some point had contact with REvil operators.
  • This assessment rests on the observation that Ransom Cartel appears to possess the original REvil source code but not the obfuscation engine REvil used to encrypt strings and hide API calls.

The bottom line

While there is no conclusive evidence that Ransom Cartel is an incarnation of the REvil gang, the question of where Ransom Cartel came from deserves continued investigation. Meanwhile, Palo Alto researchers expect Ransom Cartel to keep attacking hand-picked organizations for extortion.
Cyware Publisher
