Latest Threat Research: LetMeowIn – Analysis of a Credential Dumper

Get Informed

Search

Ransom Cartel Group Linked to REvil Ransomware

Researchers at Unit 42 have been able to find connections between the Ransom Cartel Group and the now defunct REvil threat group. It appears that the Ransom Cartel Group managed to obtain the original source code of REvil, but lacks the obfuscation engine that encrypted strings and hid API calls. This research shows that there is likely a connection between the two groups, but it is not the REvil group rebranding under a different name. It is possible that some of the threat actors that were part of the original group are now part of the new group.

Analyst Notes

Both groups use double extortion techniques, which have become the standard amongst ransomware threat groups over the past few years. Double extortion refers to a criminal practice in which a ransom is demanded to release machines with encrypted data, but the group also attempts to extort an additional payment in order not to publicize files collected via data exfiltration.

It is not uncommon for some or all the actors from older ransomware groups to join new groups or rebrand their ransomware under a different name. In this case, it does not appear that this group has retained all the REvil threat actors, but it is possible that there is some overlap. The Ransom Cartel Group is a newer ransomware gang that is quickly expanding its number of victims. Industry standards and best practices for cybersecurity should be followed in order to avoid becoming the next victim of these groups. A continued focus on security control fundamentals such as implementing multi factor authentication (MFA) while removing legacy access routes, improving password complexity and uniqueness requirements, network segmentation, Role Based Access Controls (RBAC), and improved security awareness training can help reduce perimeter breaches and dwell times.

https://www.darkreading.com/threat-intelligence/tactics-tie-ransom-cartel-group-to-defunct-revil-ransomware