Ransom Cartel ransomware-as-a-service comes from REvil?

B2B Cyber Security ShortNews

IT security provider Palo Alto Networks and its malware analysis team Unit42 report new findings on "Ransom Cartel" - a ransomware as a service (RaaS) provider that first surfaced in mid-December 2021. Technically, there is overlap with the REvil ransomware.

This group of criminals performs double-extortion ransomware attacks and shares several similarities and technical overlaps with REvil ransomware. REvil ransomware disappeared just months before Ransom Cartel emerged, and just a month after 14 of its suspected members were arrested in Russia. When Ransom Cartel first emerged, it was unclear whether it was a rebrand of REvil or an independent threat actor reusing or mimicking the REvil ransomware code.

Ransom Cartel ransomware under analysis

In their latest analysis, Palo Alto Networks and Unit42 present the Ransom Cartel ransomware and an assessment of the possible links between REvil and Ransom Cartel. In October 2021, the REvil operators went quiet and REvil's dark web leak site became unavailable. Around mid-April 2022, individual security researchers and cybersecurity media reported a new development at REvil that could signal the return of the gang.

In parallel, Palo Alto Networks first observed Ransom Cartel ransomware around mid-January 2022. Security researchers from MalwareHunterTeam believe the group has been active since at least December 2021. They observed the first known Ransom Cartel activity and found several similarities and technical overlaps with REvil ransomware. Unit 42 has also observed Ransom Cartel targeting organizations, with the first known victims observed in January 2022 in the US and France. Ransom Cartel targeted organizations in the following verticals: Education, Manufacturing, and Utilities & Energy.

Ransomware-as-a-Service as a business

The initial access used by Ransom Cartel comes from brokers offering to sell compromised network access. Their motivation is not to launch cyberattacks themselves, but to sell access to other threat actors. Given the profitability of ransomware, these brokers are likely to have working relationships with RaaS groups based on the amount those groups are willing to pay. Unit 42 has seen evidence that Ransom Cartel relied on these types of services to gain initial access to deliver ransomware.

Conclusion of the security experts

Ransom Cartel is one of many ransomware families that emerged in 2021. While Ransom Cartel uses double extortion and some of the same TTPs often seen in ransomware attacks, this ransomware also uses less common tools - DonPAPI, for example - not previously seen in other ransomware attacks.

Ransom Cartel operators clearly had access to the original source code of the REvil ransomware. However, they do not seem to have the obfuscation engine that encrypts or hides strings and API calls. The security experts therefore speculate that the Ransom Cartel operators had some relationship with the REvil group before starting their own operation.

Further evaluations of the group and technical information can be found online at Unit42.

More at PaloAltoNetworks.com
