
Ransom Cartel linked to Colonial Pipeline attacker REvil, says infosec crew
2022-10-18 11:44

Does that mean REvil - the ransomware-as-a-service crew behind last year's high-profile attacks on JBS and Kaseya (the Colonial Pipeline intrusion itself was the work of the DarkSide gang, not REvil), which essentially went dark just months before Ransom Cartel came to the surface - morphed into the new group and is simply continuing its nefarious ways under a new name?

"Based on the fact that the Ransom Cartel operators clearly have access to the original REvil ransomware source code, yet likely do not possess the obfuscation engine used to encrypt strings and hide API calls, we speculate that the operators of Ransom Cartel had a relationship with the REvil group at one point, before starting their own operation," Unit 42 researchers Amer Elsad and Daniel Bunce write in a recent report.

Ransom Cartel not only threatens to post the stolen data to its leak site if the demanded ransom isn't paid, but also to send the data to the victim's partners, competitors, and media.

Other similarities with REvil include the method both use to generate session secrets, "indicating a direct overlap between the REvil source code and the latest Ransom Cartel samples," the researchers wrote.

REvil would heavily obfuscate its ransomware - using such methods as string encryption and API hashing - while Ransom Cartel does essentially no obfuscation beyond the configuration.
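To make the distinction above concrete, here is an added illustration (not code from REvil, Ransom Cartel, or the Unit 42 report) of the two obfuscation techniques named: API hashing, where import names are replaced by integer hashes resolved at run time, and per-string encryption, where each string is stored as a ciphertext blob and decrypted on use. It also shows the analyst-side routines that undo both, and the simple triage check that separates a hashed build from one whose API names sit in plaintext. The rotate-right-13 hash, the RC4 blob layout, the key, the export list and the sample buffers are all constructed assumptions for the demo; the article does not say which hash or cipher REvil actually used.

```python
# Added illustrative example. Hash scheme, blob layout and sample data are
# constructed for the demo and are not a description of REvil's real engine.
from typing import Dict, List, Optional

MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Rotate-right-13 additive hash over an ASCII export name (assumed scheme)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32  # 32-bit rotate right by 13
        h = (h + b) & MASK32
    return h


def build_hash_table(export_names: List[str]) -> Dict[int, str]:
    """Analyst side: hash every candidate export once so sample hashes can be looked up."""
    return {ror13_hash(n): n for n in export_names}


def resolve_hashes(hashes: List[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Map hashes pulled from a sample back to names; unknown hashes come back as None."""
    return [table.get(h) for h in hashes]


def hashed_import_blob(names: List[str]) -> bytes:
    """Obfuscator side: embed only 32-bit little-endian hashes, never the names."""
    return b"".join(ror13_hash(n).to_bytes(4, "little") for n in names)


def hashes_from_blob(blob: bytes) -> List[int]:
    """Split a hash table carved out of a sample into 32-bit values."""
    return [int.from_bytes(blob[i:i + 4], "little") for i in range(0, len(blob), 4)]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def pack_encrypted_string(key: bytes, plaintext: str) -> bytes:
    """Obfuscator side: [key_len][key][ct_len LE16][ciphertext], key stored beside the
    ciphertext. The layout is an assumption chosen for the demo."""
    ct = rc4(key, plaintext.encode("utf-8"))
    return bytes([len(key)]) + key + len(ct).to_bytes(2, "little") + ct


def unpack_encrypted_string(blob: bytes) -> str:
    """Analyst side: parse the blob layout and decrypt the string."""
    klen = blob[0]
    key = blob[1:1 + klen]
    clen = int.from_bytes(blob[1 + klen:3 + klen], "little")
    ct = blob[3 + klen:3 + klen + clen]
    return rc4(key, ct).decode("utf-8")


def plaintext_api_names(sample: bytes, candidates: List[str]) -> List[str]:
    """Triage check: an unobfuscated build leaves API names visible as plain strings."""
    return [n for n in candidates if n.encode("ascii") in sample]


# Constructed candidate export list an analyst might hash up front.
CANDIDATE_EXPORTS = ["CryptGenRandom", "CryptAcquireContextW", "VirtualAlloc",
                     "CreateFileW", "WriteFile", "FindFirstFileW", "GetProcAddress"]


if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_EXPORTS)

    # Constructed stand-in for a hashed build: three known hashes plus one unknown.
    hashed = hashed_import_blob(["CryptGenRandom", "VirtualAlloc", "WriteFile"])
    hashed += (0xDEADBEEF).to_bytes(4, "little")
    print("hashed build, plaintext names:", plaintext_api_names(hashed, CANDIDATE_EXPORTS))
    print("resolved:", resolve_hashes(hashes_from_blob(hashed), table))

    # Constructed stand-in for an unobfuscated build: names sit in the import table.
    plain = b"\x00kernel32.dll\x00VirtualAlloc\x00WriteFile\x00advapi32.dll\x00CryptGenRandom\x00"
    print("plain build, plaintext names:", plaintext_api_names(plain, CANDIDATE_EXPORTS))

    blob = pack_encrypted_string(b"k3y", "CryptGenRandom")
    print("encrypted blob hides name:", b"CryptGenRandom" not in blob)
    print("decrypted:", unpack_encrypted_string(blob))
```

The point of `plaintext_api_names` is the one the researchers are making: with a hashed import table the candidate list comes back empty and the analyst has to resolve hashes, whereas an unobfuscated build gives up its API names to a plain `strings` pass.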

"It is possible that the Ransom Cartel group is an offshoot of the original REvil threat actor group, where the individuals only possess the original source code of the REvil ransomware encryptor/decryptor, but do not have access to the obfuscation engine," the Unit 42 researchers wrote.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/10/18/revil_ransom_cartel_links/