Believed to have launched in December 2021, Ransom Cartel has made victims of organisations from among the education, manufacturing, utilities, and energy sectors with aggressive malware and tactics that resemble those used by REvil.
The group employs double extortion, combining data encryption with data theft and subsequent threats to release stolen information on their data leak website. However, the group goes one step further and threatens to send sensitive information to the victim’s partners, competitors, and news outlets in an attempt to inflict as much reputational damage as possible.
“We believe that Ransom Cartel operators had access to earlier versions of REvil ransomware source code, but not some of the most recent developments,” researchers from Palo Alto Networks said in an analysis of the ransomware code. “This suggests there was a relationship between the groups at some point, though it may not have been recent.”
Initial access and lateral movement toolset
Ransom Cartel attackers make heavy use of stolen credentials for gaining initial access to victim organisations. This includes credentials for various services that are accessible from the internet, remote desktop protocol (RDP), secure shell protocol (SSH), and virtual private networks (VPNs).
The group’s affiliates – hackers who distribute the ransomware for a hefty cut of the ransom payments – obtain these credentials themselves or acquire them from initial access brokers on the underground market.
“Initial access brokers are actors who offer to sell compromised network access,” Palo Alto Networks’ researchers said. “Their motivation is not to carry out cyber attacks themselves but rather to sell the access to other threat actors.
“Due to the profitability of ransomware, these brokers likely have working relationships with RaaS groups based on the amount they are willing to pay. Unit 42 has seen evidence that Ransom Cartel has relied on this type of service to gain initial access for ransomware deployment.”
Once inside a corporate network, the goal of Ransom Cartel attackers is to steal additional credentials and gain access to Windows and Linux VMware ESXi servers. The attackers were seen using an open-source tool called DonPAPI that can locate and dump credentials stored using the Windows Data Protection API (DPAPI).
DonPAPI searches DPAPI blobs for credentials stored by Windows task scheduler, Windows Vaults, Windows RDP, WiFi keys, AdConnect and more. However, it can also extract non-DPAPI secrets from Internet Explorer, Chrome, Firefox, VNC, and mRemoteNG. The credentials stored in browsers can include those used to authenticate to the VMware vCenter interface and can be used to access ESXi servers.
“To avoid the risk of detection by antivirus (AVs) or endpoint detection and response (EDR), the tool downloads the files and decrypts them locally,” the Palo Alto researchers said.
After authenticating to vCenter, attackers enable SSH and create new accounts with the user identifier (UID) set to zero, which on Linux means root. This allows them to bypass security checks and maintain persistent access to the servers.
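One way for a defender to spot the persistence technique just described on an ESXi host or any other Linux system, as an added example that is not part of the Unit 42 analysis: parse the passwd file and flag every UID-0 account other than root. The sample passwd content and the account names in it are constructed.

```python
"""Flag extra UID-0 accounts in an /etc/passwd-style file (added example)."""
from typing import NamedTuple


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse passwd(5)-format lines: name:pw:uid:gid:gecos:home:shell."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def find_rogue_root_accounts(entries, allowed=("root",)):
    """Return UID-0 accounts whose name is not on the expected allow-list.

    On Linux a UID of 0 grants root privileges regardless of the account
    name, so every such entry beyond the known root account is suspect.
    """
    return [e for e in entries if e.uid == 0 and e.name not in allowed]


# Constructed sample resembling an ESXi passwd file after a second
# UID-0 account has been added (the 'svcadmin' name is made up).
SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/sh
nobody:x:99:99:Nobody:/:/sbin/nologin
dcui:x:100:100:DCUI User:/:/sbin/nologin
vpxuser:x:500:500:VMware vCenter administrator:/:/bin/sh
svcadmin:x:0:0:service account:/:/bin/sh
"""

if __name__ == "__main__":
    for entry in find_rogue_root_accounts(parse_passwd(SAMPLE_PASSWD)):
        print(f"ALERT: UID 0 account {entry.name!r} with shell {entry.shell}")
```

Run it against the real file with `parse_passwd(open("/etc/passwd").read())` and pair the result with a check that the SSH service is disabled where it should be.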
The file encryption program used on Linux machines specifically looks for files with the .log, .vmdk, .vmem, .vswp and .vmsn extensions, which are associated with ESXi snapshots, log files, swap files, paging files, and virtual disks.
Other credential dumping tools that Ransom Cartel attackers used included LaZagne and Mimikatz. A legitimate tool called PDQ Inventory that’s popular with IT administrators was used to scan the network and collect information about hardware, software, and Windows configurations.
Other tools observed in use included Advanced Port Scanner and netscan.exe for network scans, Putty for SSH connections, AnyDesk for remote desktop, the Cobalt Strike implant for command and control, and Rclone for data exfiltration. The PrintNightmare exploit (CVE-2021-1675, CVE-2021-34527 and CVE-2021-34481) was used for privilege escalation.
Code similarities to REvil
The Windows ransomware program has an encrypted configuration file that contains the attackers’ Curve25519-donna key used in the encryption routine; a list of files, folders, and extensions to avoid encrypting; a list of processes and system services to terminate; and the ransom note contents.
The list of processes includes back-up services such as BackupExecVSSProvider, Veeam, Acronis, database services including Microsoft Exchange and MSSQL, security products such as Sophos, email clients and browsers and more.
The encryption routine generates a local Curve25519 key pair, then a session key pair whose private key is combined with the attacker’s public key distributed as part of the ransomware configuration. The resulting shared secret is hashed with SHA3 and the hash is used as the key for AES encryption. Additional session keys are generated, with a public-private key pair for each file, and each file is ultimately encrypted using the Salsa20 algorithm.
“This method of generating session secrets was documented by researchers at Amossys back in 2020; however, their analysis focused on an updated version of Sodinokibi/REvil ransomware, indicating a direct overlap between the REvil source code and the latest Ransom Cartel samples,” the Palo Alto researchers said.
In addition to the strong similarity in encryption and key generation methods between REvil and Ransom Cartel’s ransomware programs, there are overlaps in the way the encrypted configuration is stored in the ransomware binary and the way it’s formatted once decrypted.
However, REvil has more entries that are missing from the Ransom Cartel configuration, which could suggest the creators of the latter either removed features or only had access to an earlier variant of REvil.
Ransom note is similar to REvil’s
Another similarity is the ransom note. In early variants of Ransom Cartel, the ransom note was almost identical in formatting and language to the ransom note used by REvil.
The only difference was in the instructions to access the Tor website used for communication with victims, which requires authentication using a unique key generated by the ransomware for every victim. Later versions, observed in August 2022, had a significantly different ransom note.
“A particularly interesting difference between the two malware families is that REvil opts to obfuscate their ransomware much more heavily than the Ransom Cartel group, utilising string encryption, API hashing and more, while Ransom Cartel has almost no obfuscation outside of the configuration, hinting that the group may not possess the obfuscation engine used by REvil,” the Palo Alto researchers said.
A connection with REvil is likely to be problematic for the Ransom Cartel operators, given REvil’s notoriety, so it wouldn’t be surprising if they are intentionally trying to hide it.
Operating between 2019 and 2021, REvil, also known as Sodinokibi, was one of the early pioneers of manually deployed ransomware, as opposed to relying on automated infection through routines in the ransomware code. It achieved that by borrowing lateral movement and living-off-the-land techniques from APT-style cyber espionage attacks, setting the ground for the tactics that most ransomware groups use today.
A Ransom Cartel connection with REvil?
The use of such techniques made them very successful at breaking into a large number of organisations, which ultimately attracted the attention of governments at the highest levels. In July 2021, a REvil affiliate exploited zero-day vulnerabilities in an IT management tool developed by a company called Kaseya.
The attack allowed them to compromise more than 30 managed service providers (MSPs) from around the world and more than 1,000 business networks managed by those MSPs. The incident prompted a discussion between US President Joe Biden and Russia's President Vladimir Putin, with Biden calling for Russian authorities to take a harder stance on ransomware groups.
A couple of months later REvil shut down its operations and disbanded, possibly following a crackdown from Russian law enforcement. In November 2021, the DOJ announced indictments against two REvil affiliates, one of whom was believed to have been involved in the Kaseya attack and was arrested in Poland.
At the same time, Europol announced the arrest of five other REvil affiliates. Given the heat that REvil affiliation seemed to attract, it wouldn’t be surprising if some splintered off and rebranded.
“Based on the fact that the Ransom Cartel operators clearly have access to the original REvil ransomware source code, yet likely do not possess the obfuscation engine used to encrypt strings and hide API calls, we speculate that the operators of Ransom Cartel had a relationship with the REvil group at one point, before starting their own operation,” the Palo Alto researchers said.
“Due to the high-profile nature of some organisations targeted by Ransom Cartel and steady stream of Ransom Cartel cases identified by Unit 42, the operator and/or affiliates behind the ransomware likely will continue to attack and extort organisations.”