
Ransomware-as-a-service group Ransom Cartel may have ties to REvil

The ransomware-as-a-service group Ransom Cartel has similarities to the REvil ransomware that struck Kaseya and JBS in 2021. (Photo by Chet Strange/Getty Images)

Unit 42 on Friday released a report on Ransom Cartel, a ransomware-as-a-service (RaaS) group that leverages double extortion attacks and has several similarities and technical overlaps with REvil ransomware.

REvil was best known for providing the Kaseya, JBS and HX5 hackers with the ability to launch attacks.

In a blog post, the Unit 42 researchers from Palo Alto Networks said the Ransom Cartel operators clearly have access to the original REvil ransomware source code. However, because they likely do not have the obfuscation engine used to encrypt strings and hide API calls, Unit 42 speculates that Ransom Cartel had a relationship with the REvil group at one point before starting its own operation.

While Ransom Cartel uses double extortion and some of the same TTPs Unit 42 often observes during ransomware attacks, this type of ransomware also uses less common tools (DonPAPI, for example) that the researchers haven’t observed in other ransomware attacks.

The researchers said Ransom Cartel typically gains initial access to an environment via compromised credentials, a very common way for ransomware operators to gain access. This includes access credentials for external remote services, remote desktop protocol, secure shell protocol, and virtual private networks. These credentials are widely available on the dark web and offer threat actors a reliable way to gain access to corporate networks.

Rise of Ransom Cartel coincides with REvil arrests

Ransom Cartel first surfaced in mid-December 2021, while REvil ransomware disappeared just a couple of months before Ransom Cartel surfaced and just one month after 14 of its alleged members were arrested in Russia, said the researchers. Unit 42 has observed Ransom Cartel claiming to have breached organizations in the United States and France, targeting the following industries: education, manufacturing, utilities and energy.

“This new ransom group is using a long-known-of-but-hard-to-solve tactic of using IT tools against defenders,” said David Maynor, senior director of threat intelligence at Cybrary. Maynor said most organizations have some form of file analysis, and attackers’ malicious files can stick out and easily be removed.

“But using real IT tools gives the attackers a cover: the file is malicious and can cause confusion for security analysts, who hesitate to delete tools where such actions could cripple or break environments,” Maynor said.

Mike Parkin, senior technical engineer at Vulcan Cyber, added that advanced persistent threat groups are constantly evolving their tactics and tools to try and get around their target's defenses. Parkin said they also evolve as old groups fragment, or spawn new generations, and new groups enter an unfortunately lucrative industry, and that's not even counting the state and state-sponsored actors whose cybercriminal activities are a side effect of, or cover for, their larger agenda.

“Organizations need to at least establish baselines built around industry best practices,” Parkin said. “Even with newly evolving threats, and crime-as-a-service dividing responsibilities between brokers, the basics will make the attackers' jobs harder. A solid ecosystem with robust edge protections, endpoint defenses, network segmentation, detection systems that can identify lateral movement and suspicious activity, with good user education and a solid risk management program, are all required. There are no magic bullets.”
