October 19, 2022

Security researchers from Unit 42 of the Palo Alto network have uncovered Ransom Cartel, a ransomware operation that bears similarities to the notorious REvil ransomware.

According to the researchers, the two cybercrime gangs have similarities in techniques, tactics and procedures (TTPs). They so share common ground in the code of their malware.

There is a tendency to assume Ransom Cartel is an offshoot of REvil, since the source code of REvil’s encrypting malware was never leaked on hacking forums. Therefore, any project using similar code is either a rebrand or a new operation launched by a core member of the original gang.

Both operations have similar encryption similarities with Ransom Cartel’s samples generating multiple pairs of public/private keys and session secrets similar to those of REvil.

Ransom Cartel and REvil also have similarities in the tactics, techniques and procedures (TTPs) used including double-extortion attacks, large ransom demands and a data leak site to pressure victims into paying a ransom.

Despite the similarities, the Ransom Cartel samples do not feature REvil’s strong obfuscation which could mean that the authors of the new malware are not in possession of REvil’s original obfuscation engine.

Unlike REvil, RansomCartel uses the Windows Data Protection API (DPAPI) technique to steal access data. This technique essentially involves using a tool called “DonAPI,” which can search hosts for DPAPI blobs containing Wi-Fi keys, RDP passwords and credentials saved in web browsers and then download and decrypt them locally on the machine.

The sources for this piece include an article in BleepingComputer.