The new Ransom Cartel operation believed to be a REvil rebrand

October 25, 2022
Ransom Cartel Operation REvil Rebrand Threat Intelligence

The new Ransom Cartel ransomware group has reportedly been linked to the REvil gang after researchers found similarities between the two operations’ encryptors. REvil shut down in October 2021; in December 2021, researchers spotted a new operation calling itself ‘Ransom Cartel’ whose code shares several similarities with the former group’s.

Experts state that because REvil’s malware source code was never released on dark web forums, any new operation built on that code is likely a rebrand established by an original member of the ransomware gang.


The researchers also found overlaps between the TTPs of Ransom Cartel and those of REvil that could imply the two groups are associated with one another.


According to security experts, the encryption schemes of the Ransom Cartel group and REvil match, differing only in where they store their data. Both groups use the Salsa20 and Curve25519 algorithms in their file encryption, and their encryption-layout routines differ little beyond their internal type structures.

However, researchers note that Ransom Cartel’s samples show no sign of REvil’s obfuscation engine, suggesting the new operation’s authors did not carry it over.
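As an added illustration (not code from the article, and not derived from any Ransom Cartel or REvil sample), the Python snippet below shows the kind of static triage check an analyst can run on a binary for the two algorithms named above: it scans for the well-known Salsa20 key-expansion constant (“expand 32-byte k”, also checked as four separate little-endian words, since compilers often emit it as immediates rather than one string) and for the 121665 and 486662 constants that Montgomery-ladder Curve25519 implementations commonly carry. The sample buffer is constructed for the demonstration. A hit is a lead, not an identification: the Salsa20 constant is shared with ChaCha, small integer constants can occur by chance in large binaries, and an obfuscation engine of the kind mentioned above can hide these constants entirely.

```python
import re
import struct
from typing import Dict, List

# Byte patterns associated with the algorithms named in the article.
# Labels are heuristic: "sigma"/"tau" are the Salsa20 (and ChaCha) constants,
# 121665 = (A-2)/4 and 486662 = A are the Curve25519 curve parameters that
# typical X25519 ladder implementations embed as immediates.
CRYPTO_MARKERS: Dict[str, bytes] = {
    "salsa20_or_chacha_sigma": b"expand 32-byte k",      # 256-bit key constant
    "salsa20_or_chacha_tau": b"expand 16-byte k",        # 128-bit key constant
    "curve25519_a24": struct.pack("<I", 121665),         # (A-2)/4 in the ladder
    "curve25519_A": struct.pack("<I", 486662),           # curve parameter A
}

# The 16-byte sigma constant as four 32-bit little-endian words, which is how
# it usually appears when a compiler emits it as separate immediates.
SIGMA_WORDS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Return every byte offset at which `pattern` occurs in `data`."""
    return [m.start() for m in re.finditer(re.escape(pattern), data)]


def scan_crypto_constants(data: bytes) -> Dict[str, object]:
    """Locate contiguous and split crypto constants in a raw byte buffer."""
    hits: Dict[str, object] = {
        name: find_all(data, pat) for name, pat in CRYPTO_MARKERS.items()
    }
    # Also look for each sigma word on its own; an incomplete set is a weaker
    # signal but still worth surfacing when the contiguous string is absent.
    hits["salsa20_sigma_words"] = {
        word: find_all(data, struct.pack("<I", word)) for word in SIGMA_WORDS
    }
    return hits


def summarize(hits: Dict[str, object]) -> List[str]:
    """Turn raw offsets into short triage labels for an analyst."""
    labels: List[str] = []
    if hits["salsa20_or_chacha_sigma"] or hits["salsa20_or_chacha_tau"]:
        labels.append("salsa20/chacha constant (contiguous)")
    elif sum(1 for offs in hits["salsa20_sigma_words"].values() if offs) >= 3:
        labels.append("salsa20/chacha constant (split words)")
    if hits["curve25519_a24"] or hits["curve25519_A"]:
        labels.append("curve25519 ladder constant")
    return labels


# Constructed sample: padding, the sigma constant at offset 16, more padding,
# then the 121665 constant at offset 40. This is not real malware content.
SAMPLE = (
    b"\x00" * 16
    + b"expand 32-byte k"
    + b"\xff" * 8
    + struct.pack("<I", 121665)
    + b"\x00" * 4
)


def triage(data: bytes) -> List[str]:
    """Convenience wrapper: scan a buffer and return its triage labels."""
    return summarize(scan_crypto_constants(data))


if __name__ == "__main__":
    for name, offsets in scan_crypto_constants(SAMPLE).items():
        print(f"{name}: {offsets}")
    print("labels:", triage(SAMPLE))
```

To use it on a file, pass the bytes of a sample to `triage()`; the `summarize()` output is meant to feed a larger analysis, not to stand as attribution on its own.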

In terms of TTPs, both groups apply double extortion, make large ransom demands, and run a data leak site used to pressure victims into paying. The strong connections between the two groups also underline that other threat groups in the wild have been using REvil’s source code, which, experts note, is not new.

In April this year, the ‘BlogXX’ ransomware operation also showed signs of using REvil’s encryptor, although its operators added new changes and configuration options on top of REvil’s code. The operation has also used similar ransom notes in its attacks and calls itself ‘Sodinokibi,’ an alternative name for REvil, on its Tor payment pages.

REvil’s old Tor sites have also been revived after being dismantled, with visitors redirected to the BlogXX data leak site when they open them. Experts stressed that only the original REvil members would hold the private keys for those old Tor sites, indicating a connection with the BlogXX operation.

Even though no conclusive proof links the Ransom Cartel or BlogXX operations to the REvil gang, security experts strongly believe that REvil’s original operators are behind the new operations being spotted in the wild.
