Hacker forums have been found to feature a new version of the Redeemer ransomware builder
Cyble researchers discovered that Redeemer has been updated to include support for Windows 11, an overhauled graphical user interface for building the ransomware executable and decryptor, and options to communicate through Tox Chat and XMPP. Redeemer 2.0 also features a new campaign ID tracking system that would guarantee a 20% cut to the builder's author.
The report also showed that launching the ransomware creates a mutex to prevent multiple running instances, while Windows APIs are used to achieve execution with admin privileges. Redeemer 2.0 leverages Windows commands to erase event logs, shadow copies, and backups, and to terminate certain processes, before proceeding to file encryption. Redeemer 2.0 then deploys a custom Windows icon for encrypted files, generates the ransom note, and enumerates files and directories.
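The pre-encryption steps described above (deleting shadow copies and backups, clearing event logs, killing processes) are the point where endpoint telemetry can still catch the sample before data is lost. The following is an added detection example, not code from the Cyble report or from the ransomware: it classifies process-creation records against those behaviours and correlates them by parent process, since a single shadow-copy deletion may be an administrator but several of these behaviours from one parent is the ransomware pattern. The report does not name the commands Redeemer 2.0 runs, so the command patterns and the log format (timestamp,parent_pid,parent_image,command_line) are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# ASSUMPTION: the report does not name the exact commands, so these patterns
# cover the Windows utilities usually behind each behaviour it describes.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "backup_tampering": re.compile(
        r"\b(wbadmin(\.exe)?\s+delete\s+catalog|bcdedit(\.exe)?\b.*recoveryenabled\s+no)", re.I),
    "event_log_clearing": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "process_termination": re.compile(r"\btaskkill(\.exe)?\b.*(/f\b|/im\b)", re.I),
}


def classify(cmdline):
    """Return the names of every rule a single process command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def correlate(events, min_categories=2):
    """Group process-creation records by parent process and return the parents
    that show at least `min_categories` distinct pre-encryption behaviours.
    Each record is 'timestamp,parent_pid,parent_image,command_line' (assumed format)."""
    categories = defaultdict(set)
    image_of = {}
    for record in events:
        _ts, parent_pid, parent_image, cmdline = record.split(",", 3)
        image_of[parent_pid] = parent_image
        categories[parent_pid].update(classify(cmdline))
    return {pid: (image_of[pid], sorted(cats))
            for pid, cats in categories.items() if len(cats) >= min_categories}


# Constructed sample telemetry, not real events. PID 4120 shows the full
# chain; PID 3300 is a lone shadow-copy deletion from an admin shell.
SAMPLE_EVENTS = [
    r"2024-01-01T10:00:01,4120,C:\Users\u\Downloads\invoice.exe,vssadmin.exe delete shadows /all /quiet",
    r"2024-01-01T10:00:02,4120,C:\Users\u\Downloads\invoice.exe,wbadmin delete catalog -quiet",
    r"2024-01-01T10:00:03,4120,C:\Users\u\Downloads\invoice.exe,wevtutil.exe cl Security",
    r"2024-01-01T10:00:04,4120,C:\Users\u\Downloads\invoice.exe,taskkill /f /im sqlservr.exe",
    r"2024-01-01T10:05:00,3300,C:\Windows\System32\cmd.exe,vssadmin delete shadows /for=C: /oldest",
    r"2024-01-01T10:06:00,3300,C:\Windows\System32\cmd.exe,ipconfig /all",
]

if __name__ == "__main__":
    for pid, (image, cats) in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT parent pid {pid} ({image}): {', '.join(cats)}")
```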
Redeemer 2.0's author noted the possibility of going open-source, which may lead to new threats.