Earlier this month a threat actor advertised the 2.0 release of their ransomware builder, Redeemer, on hacker forums. The new version adds several quality-of-life improvements, including campaign tracking, Windows 11 support, and a graphical user interface for both the builder toolkit and the decryptor. The builder's Ransomware-as-a-Service (RaaS) model is free to use, but when a victim pays, the affiliate is required to send 20% of the ransom to the creator in exchange for the master key needed to decrypt the victim's files. As with Redeemer 1.0, the threat actor also stated that if they lose interest in the project, they will open-source it.
Free-to-use RaaS greatly lowers the barrier to entry for attackers, enabling highly motivated but low-skilled threat actors to attack companies, especially under-funded or under-secured organizations. However, Redeemer itself doesn't perform any novel actions, which means that many pre-existing ransomware detections will likely identify an infection. Companies should verify that they are detecting Windows Event Logs being cleared (Security event 1102 and System event 104), shadow copies being deleted (for example via vssadmin or wmic), and system state backups being deleted (for example via wbadmin). Detections on the latter two depend on process command lines being logged, so confirm that Sysmon process-creation events or Security 4688 with command-line auditing are actually being collected from endpoints.
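The three detection points above, run over a handful of constructed Windows events, as an added example that is not part of the original post and is not Redeemer's own code. The flattened event fields (host, channel, event_id, image, command_line) are an assumption about how a SIEM might store Sysmon, Security and System events; the event IDs and command-line patterns are the standard ones for log clearing, shadow-copy deletion and wbadmin backup deletion.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). Field names are an assumption
# mimicking a flattened Windows event as a SIEM might store it.
SAMPLE_EVENTS = [
    {"host": "ws01", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"host": "ws01", "channel": "Security", "event_id": 4688,
     "image": r"C:\Windows\System32\wbadmin.exe",
     "command_line": "wbadmin delete systemstatebackup -keepVersions:0 -quiet"},
    {"host": "ws01", "channel": "Security", "event_id": 1102, "command_line": ""},
    {"host": "ws02", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin list shadows"},  # benign: lists, does not delete
    {"host": "ws02", "channel": "System", "event_id": 104, "command_line": ""},
    {"host": "ws03", "channel": "Security", "event_id": 4688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
]

# (channel, event_id) pairs that carry a process command line.
PROCESS_CREATE = {("Microsoft-Windows-Sysmon/Operational", 1), ("Security", 4688)}
# Security 1102: "The audit log was cleared"; System 104: "The System log file was cleared".
LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Patterns are matched against a lower-cased, whitespace-collapsed command line.
SHADOW_COPY_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*/maxsize="),  # shrink storage to evict copies
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    re.compile(r"win32_shadowcopy.*\.delete\(\)"),  # WMI via PowerShell
]
SYSTEM_STATE_BACKUP_DELETE = [
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(systemstatebackup|catalog)"),
]


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    event_id: int
    evidence: str


def normalize(command_line: str) -> str:
    """Lower-case and collapse whitespace so spacing tricks do not dodge the regexes."""
    return re.sub(r"\s+", " ", command_line).strip().lower()


def detect(events) -> list:
    """Apply the three detections to a list of flattened events; return one Alert per hit."""
    alerts = []
    for ev in events:
        key = (ev["channel"], ev["event_id"])
        if key in LOG_CLEARED:
            alerts.append(Alert(ev["host"], "event_log_cleared", ev["event_id"], ev["channel"]))
            continue
        if key not in PROCESS_CREATE:
            continue  # no command line to inspect
        cmd = normalize(ev.get("command_line", ""))
        if any(p.search(cmd) for p in SHADOW_COPY_DELETE):
            alerts.append(Alert(ev["host"], "shadow_copy_deletion", ev["event_id"], cmd))
        elif any(p.search(cmd) for p in SYSTEM_STATE_BACKUP_DELETE):
            alerts.append(Alert(ev["host"], "system_state_backup_deletion", ev["event_id"], cmd))
    return alerts


def rules_per_host(alerts) -> dict:
    """Correlate: the number of distinct rules hit per host. Several on one host
    within a short window is the pre-encryption pattern worth paging on."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.rule)
    return {host: len(rules) for host, rules in seen.items()}


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.host:5} {a.rule:30} eid={a.event_id} {a.evidence}")
    print(rules_per_host(detect(SAMPLE_EVENTS)))
```

Note that `vssadmin list shadows` on ws02 produces no alert: matching on the `vssadmin` image alone is noisy, and the detection should key on the verb. Security 4688 only includes the command line when "Include command line in process creation events" is enabled by policy, which is why Sysmon event 1 is the more reliable source for the two command-line rules.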