Unit 42 researchers analyzed the TTPs, including the encryption scheme, double extortion tactics, and a leak site, all of which resemble REvil procedures. While the new gang does not have the level of obfuscation that REvil maintained in its code, it abuses the Windows Data Protection API as a new credential-theft vector.
Ransom Cartel Ransomware
If you remember the name REvil ransomware, you know it was one of the most notorious cybercrime gangs in the history of infosec. Highly active in the first half of 2021, the REvil gang compromised thousands of companies in the Kaseya MSP supply-chain attack, stole blueprints of unreleased Apple products, and demanded one of the highest ransoms ever, $50 million, from Acer. While it was forced to shut down in October 2021, citing intense pressure from law enforcement, there has always been an expectation that the core members of REvil would resurface in a new form. And we now have one showing similar features, leading us to believe it is the reincarnation of REvil ransomware. Named Ransom Cartel, it was profiled by researchers at Palo Alto Networks' Unit 42, who documented its techniques, tactics, and procedures (TTPs) and linked it to REvil. Since REvil's encrypting malware has never leaked on any hacking forum, any new project using similar code is either a rebrand or a restart of a similar service by the core members.
— MalwareHunterTeam (@malwrhunterteam) January 21, 2022

Analyzing its encryptors, researchers found similarities in the structure of the configuration embedded in the malware, although the storage locations are different. The way Ransom Cartel samples generate multiple pairs of public/private keys and session secrets also resembles the REvil system. Though Ransom Cartel does not have REvil-level obfuscation in its code, it stands out by using a new vector, the Windows Data Protection API (DPAPI), to steal credentials. The gang's tool, named "DonPAPI", searches hosts for DPAPI blobs containing Wi-Fi keys, RDP passwords, and credentials saved in web browsers. These blobs are then downloaded and decrypted locally on the machine, and the recovered credentials are used to attack Linux ESXi servers or authenticate to vCenter web interfaces. The operators then shut down the VMs, terminate all related processes, and encrypt VMware-related files (.log, .vmdk, .vmem, .vswp and .vmsn). All of this leads us to believe that the new threat actors are experienced hackers and are possibly reviving the REvil ransomware.
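As an added detection-side example (not code from the article, Unit 42, or the ransomware itself), the Python sketch below flags a burst of writes to the VMware file types listed above inside a single VM directory on a datastore, which is what the encryption stage described here would look like in a file-audit feed. The event line format and the sample events are constructed assumptions standing in for a real audit log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# File types the article says Ransom Cartel encrypts on ESXi hosts
VMWARE_EXTENSIONS = {".log", ".vmdk", ".vmem", ".vswp", ".vmsn"}

# Constructed sample audit lines: "<ISO timestamp> <action> <path>"
SAMPLE_EVENTS = """
2022-01-21T03:00:01 modify /vmfs/volumes/ds1/web01/web01.vmdk
2022-01-21T03:00:02 modify /vmfs/volumes/ds1/web01/web01-flat.vmdk
2022-01-21T03:00:02 modify /vmfs/volumes/ds1/web01/web01.vmem
2022-01-21T03:00:03 modify /vmfs/volumes/ds1/web01/web01.vswp
2022-01-21T03:00:04 modify /vmfs/volumes/ds1/web01/vmware.log
2022-01-21T03:00:05 modify /vmfs/volumes/ds1/web01/web01.vmx
2022-01-21T02:10:00 modify /vmfs/volumes/ds1/db01/vmware.log
2022-01-21T02:45:00 modify /vmfs/volumes/ds1/db01/db01.vmsn
2022-01-21T03:00:06 read /vmfs/volumes/ds1/db01/db01.vmdk
""".strip().splitlines()


def parse_event(line):
    """Split one audit line into (timestamp, action, path)."""
    ts, action, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), action, path


def vmware_ext(path):
    """Lower-cased extension of a path, or '' if it has none."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def detect_bursts(lines, window=timedelta(seconds=60), threshold=4):
    """Return [(vm_dir, count)] for directories where at least `threshold`
    VMware-related files were written within any `window`-long span.
    A normal VM touches its .log and .vswp slowly; the encryption stage
    rewrites every disk, memory and snapshot file within seconds."""
    by_dir = defaultdict(list)
    for line in lines:
        ts, action, path = parse_event(line)
        if action not in {"modify", "rename"}:
            continue  # reads are not a sign of encryption
        if vmware_ext(path) not in VMWARE_EXTENSIONS:
            continue  # e.g. .vmx is not in the article's list
        by_dir[path.rsplit("/", 1)[0]].append(ts)
    alerts = []
    for vm_dir, stamps in by_dir.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((vm_dir, best))
    return alerts
```

On the constructed sample, only the web01 directory trips the rule (five protected-type files written within four seconds); db01's two writes are 35 minutes apart and stay quiet.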