Ransom Cartel Version of REvil Ransomware Identified

It appears a modification of REvil ransomware is wreaking havoc in the form of Ransomware Cartel.  Despite the attack’s moniker, digital security specialists believe the ransomware stems from a group as opposed to a cartel.
 

What is Ransom Cartel all About?

Cyber security professionals believe REvil, also known as Sodinokibi, has reincarnated in the form of the aforementioned Ransom Cartel, yet details about the new attack are limited.  The new ransomware attack shares plenty of characteristics with REvil.  However, digital security experts are unsure if the new ransomware group is an alteration of REvil, if the REvil’s tools were purchased for reuse, or if the new ransomware simply copies how Ransom Cartel works.
 

When Did the New Attack Arise?

MalwareHunterTeam’s anti-malware research specialists indicate the criminals behind Ransom Cartel launched the attack in the initial weeks of December.  Unfortunately, cyber security specialists investigating the attack have not recovered any of the crypto-locking malware.  Nor is it clear as to how many organizations and individuals have been victimized by the new form of ransomware.  
 

How is Ransom Cartel Similar to REvil?

Ransom Cartel and REvil rely on a similar template to create ransom notes.  The two forms of ransomware also have similar technical components.  As an example, Ransom Cartel uses malware for crypto locking to encrypt files.  When those files are viewed through a hex editor, they have footers that resemble the files that are encrypted by REvil.  The similarities are nearly identical all the way to the positioning of the checksum to spot file errors.  

It appears the hackers behind Ransom Cartel invested a significant amount of time analyzing REvil to generate similar ransomware.  It is also possible Ransom Cartel is REvil ransomware made from another source or a portion of it was patched over and re-purposed.  Digital security specialists cannot definitively state that REvil is a component of the Ransom Cartel.  

There is a good chance the primary members of the REvil ransomware group are still wreaking havoc under a different moniker.  Those in the cyber security community are unsure as to what happened to REvil’s top members.  The group’s most influential members no longer contribute to the cybercrime message boards they contributed to in the past.

Cyber security reverse engineers who contribute to the Exploit cybercrime message board where REvil’s brass once recruited new hackers published information pertaining to the code used by REvil in 2021.  The report determined backdoors were within REvil samples up through mid-summer of 2021 that empowered operators to eliminate affiliates from agreements.  The findings led the cyber security community to believe REvil’s members scattered into different factions.

Should Businesses be Worried About Ransom Cartel Attacks?

The takeaway from this news story is REvil is alive and well, albeit in a different form.  The hacking collective is still encrypting databases, documents, photos, and other files.  Those who refuse to pay for the hackers' specialized decryptor software will lose access to valuable files.  

Similar to REvil's original attacks, Ransom Cartel provides little more than a single day for victims to pony up the ransom money, typically in the form of XMR cryptocurrency, to regain access to their files.  If you haven’t taken steps to prevent a data breach, now is the time to do so.