Ransom Cartel Linked to Russia-Based REvil Ransomware Group

The team behind the ransomware as a service (RaaS) group known as Ransom Cartel has been associated with the notorious REvil gang.

The claims come from Palo Alto Networks’ security research team Unit 42, which shared a new technical write-up about Ransom Cartel with Infosecurity over the weekend.

According to the advisory, the REvil ransomware stopped operating roughly two months before Ransom Cartel made its debut and just one month after 14 of its alleged members were arrested in Russia. 

“When Ransom Cartel first appeared, it was unclear whether it was a rebrand of REvil or an unrelated threat actor who reused or mimicked REvil ransomware code,” Unit 42 wrote.

However, in time, the collection became clearer, mainly through the tools used by both threat actors.

“While Ransom Cartel uses double extortion and some of the same [tactics, techniques and procedures] TTPs we often observe during ransomware attacks, this type of ransomware uses less common tools – DonPAPI, for example – that we haven’t observed in any other ransomware attacks.”

Based on their investigation, the security researchers also observed that the Ransom Cartel operators have access to the original REvil ransomware source code but likely do not possess the obfuscation engine used to encrypt strings and hide API calls.

“We speculate that the operators of Ransom Cartel had a relationship with the REvil group at one point before starting their own operation,” the advisory reads.

“Due to the high-profile nature of some organizations targeted by Ransom Cartel and steady stream of Ransom Cartel cases identified by Unit 42, the operator and/or affiliates behind the ransomware likely will continue to attack and extort organizations,” warned the security experts.

To protect their systems from Ransom Cartel attacks, Unit 42 called for companies to deploy anti-ransomware software and to review the indicators of compromise for the threat, which are available in the advisory’s original text.

Its publication comes amidst a definite increase in ransomware attacks and their financial impact on companies worldwide, as suggested by a recent report by Acronis.


Leave a Reply

Your email address will not be published. Required fields are marked *