Upstart Ransom Cartel linked to REvil veterans
2022-10-18 11:44

Palo Alto Networks' Unit 42 says Ransom Cartel, a ransomware operation that emerged after REvil went dark, shares a number of similarities with the notorious REvil ransomware-as-a-service gang.

The researchers stop short of saying Ransom Cartel is REvil itself, but they believe that at some point the cybercriminals behind Ransom Cartel were in contact with their REvil counterparts, possibly as affiliates or in some other capacity.

"Based on the fact that the Ransom Cartel operators clearly have access to the original REvil ransomware source code, yet likely do not possess the obfuscation engine used to encrypt strings and hide API calls, we speculate that the operators of Ransom Cartel had a relationship with the REvil group at one point, before starting their own operation," Unit 42 researchers Amer Elsad and Daniel Bunce write in a recent report.

Ransom Cartel runs a double-extortion play: it threatens not only to post stolen data to its leak site if the demanded ransom isn't paid, but also to send that data to the victim's partners, competitors, and the media.

Other similarities with REvil include the method both use to generate session secrets, "indicating a direct overlap between the REvil source code and the latest Ransom Cartel samples," the researchers wrote.

"It is possible that the Ransom Cartel group is an offshoot of the original REvil threat actor group, where the individuals only possess the original source code of the REvil ransomware encryptor/decryptor, but do not have access to the obfuscation engine," the Unit 42 researchers wrote.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/10/18/revil_ransom_cartel_research/