
Welcome back. Well, I want to remind everyone that we still have not been able to work out the speaker video, so apologies to our new set of speakers, but we want to welcome Amer Elsad and Daniel Bunce, who will be giving the talk called Ransom Cartel: Possible Connection With REvil. You can take over.

Cool, thank you. Can everyone see my screen?

We can.

Okay, perfect. Hi everyone. Today we're going to talk to you about Ransom Cartel. A little introduction: my name is Amer Elsad, I'm a senior threat researcher here at Unit 42. I specialize in threat intelligence and adversary tracking, and I'm joined today by my colleague Daniel. Let Daniel introduce himself.

Yep, hello. I'm a senior malware reverse engineer with Unit 42, focusing mostly on reverse engineering malware samples that we receive via incident response cases.

Cool. So before we talk about Ransom Cartel, I want to give a quick recap of REvil's disappearance and history as it relates to Ransom Cartel. REvil was getting a lot of attention from the media and law enforcement, especially after some high-profile attacks in the US. The FBI started going after the gang, and they even offered $10 million for information leading to the arrest of the group's members. Eventually some members got arrested and infrastructure was seized, and the leadership of the gang disappeared, and that led to mistrust between the members of the group, and eventually REvil disappeared in October of last year. Two months later, Ransom Cartel appeared, and in April of this year we noticed that REvil's old blog started to become active again, but then they were redirecting victims to a new leak site. What was interesting about this new leak site is that, well, at the time of the redirect it was unclear if REvil was rebranding the ransomware or this was a new operation. We noticed that the old victims that appeared on the original REvil blog moved to this new leak site, and the operator of the blog did mention their connection with REvil and even said that "we offer the same yet improved ransomware". They also included a recruiting section, the one that you see in Russian here, listing the conditions; they're looking for affiliates to join their RaaS. One of the conditions that they listed is that they're looking for affiliates to deposit some money to be able to join; this is to prevent law enforcement and threat researchers from joining and getting intel on them.

So, talking about Ransom Cartel: the first victim that we observed from Ransom Cartel was in January of this year, but we have also seen evidence that they might have been active at least since December of last year. They impact both Windows and Linux, and we have seen them using double extortion, but with a new approach: they don't have a leak site where they shame victims publicly and upload data, but they do threaten to send the stolen data to competitors and to the media. As far as the ransom demands, it varies from victim to victim. We have seen demands as low as $20,000 and up to $500,000, and what's interesting is that we have seen them increasing their initial demands after they review the data. So if they initially ask for $500,000 and they see the data and find that it was valuable, they will come back and say we want $1 million. We have also seen them express interest in targeting organizations that have annual revenue greater than $5 million.

So from Unit 42 consulting cases, we have seen them gaining initial access to victim environments using compromised credentials; these are often VPN or RDP credentials. Once on the system, we have seen them using open-source tools to steal saved credentials and steal credentials from memory. We have seen two tools being used, Mimikatz and LaZagne. One tool that we have seen them using is called DonPAPI; we haven't seen this tool being used in any other ransomware attack. What this tool does is steal Windows Data Protection API credentials, so it searches the machine for certain files that are known to be DPAPI blobs. These are Wi-Fi keys, RDP passwords and other credentials, and then they use this tool to harvest credentials. We have also seen them exploiting the PrintNightmare vulnerability, and they were using a cracked version of a legitimate remote access tool called PDQ Inventory. They use that to execute commands on remote hosts. As far as exfiltration, we have seen them using Rclone, and they uploaded the stolen data to MEGAsync and pCloud. So I know I went over this quickly, but if you would like a full list of TTPs that we've observed from Ransom Cartel and other IOCs, you can find this on our website, Unit 42, under the ATOMs. ATOM stands for Actionable Threat Objects and Mitigations. Whenever we research a threat, we will publish an ATOM that will include a list of the TTPs that we observed, as well as what industries they have targeted, regions and other information such as IOCs.

So as far as how ransomware as a service operates, and focusing on Ransom Cartel, they operate just like REvil did. So there is a developer who developed the actual ransomware and offers technical support, and they also stand up the infrastructure, including their communication site hosting. And then there are the affiliates. So the affiliates are random cybercriminals; they don't have to be super technical or savvy. And then there are the victims. Each affiliate will target one or more victims using whatever techniques they want or can use, and then when the payment is made it's cut between the affiliate and the developer. Usually the affiliate would get a larger cut and the developer will get a smaller cut. In the case of Ransom Cartel we have seen them do the payment 80/20, so if the victim pays $1 million, the affiliate will get 80% and the dev will get 20% of that. And then there's the initial access broker. So like I mentioned, the affiliates are not super technical, so they take shortcuts to breach organizations: they rely on someone else, which we call an initial access broker, and these are people who are more technical. They know how to exploit vulnerabilities, they know how to brute force, and once they have access to an organization, they sell that to other threat actors, and we have seen them work a lot with ransomware, especially with Ransom Cartel. We have also seen crypto mixers. So a crypto mixer is essentially money laundering: whenever the payment is made, they want to make sure that it's difficult to trace and that it's useful, so this is another service that is also part of the gang.

So, talking about initial access brokers: this is how Ransom Cartel gained access to victims, working with initial access brokers. So initial access brokers, this is how they advertise their credentials on the dark web. We have seen the credentials being sold mostly being RDP and VPN, and as such, often the price is very cheap, and they work very closely with ransomware operators.

So Ransom Cartel, when they compromise a victim, they will deploy a ransom note. Within the ransom note they will provide an onion site, this is the communication site, and then they require authentication to the website. They provide an ID and a key in the ransom note, and once this is done, the victim will see this page. This page will have the amount, the ransom demand; it will be in US dollars and Bitcoin, and they also provide a discount amount, they call it a discount amount, if the victim pays within a certain amount of time. They also provide their Bitcoin wallet, and they also give some warning on the top: we have your personal data, we have encrypted your data, don't try to reach out to another third party. And they also say it's just a business, we don't have anything against you. And then there's a chat feature and a trial decrypt, where they prove to the victim that we can decrypt your data.

So for the ransom note, this is another indication that they have been developing the ransom operations. The one on the left is a ransom note that we observed around January of this year, and the one on the right is a recent one that they have changed. As you can see here, they have completely changed the language and the structure of it. In the new ransom note they added more reassurance language for the victim: that once payment is made, we'll work with you and we'll help you protect your network and restore your files, we'll even tell you how we got in and help you kind of remediate and show you vulnerabilities and stuff like that. What's interesting about the first ransom note: the one on the left here is Ransom Cartel's and the one on the right is REvil's. They are identical. This by itself is not an indication that there's a connection; we have seen it a lot that ransomware operators would use similar ransom notes, but this is just something worth mentioning. I will hand it over to Daniel now to talk about the code comparison and the overlap that we observed. Daniel?

Sure. So yeah, sticking with the theme of similarities between REvil and Ransom Cartel, the codebase provided a pretty unique perspective and allowed us to confirm that the samples of Ransom Cartel ransomware weren't just patched binaries, as seen in the LV ransomware family, but instead a slightly modified version of the REvil ransomware encryptor. So each REvil binary contains an encrypted configuration, encrypted with the RC4 algorithm and usually stored within a custom binary section, at least within the latest samples of REvil. That decrypted configuration is structured in a JSON format with some pretty unique key names such as wht, wfld and svc. These keys contain a range of information used by the ransomware, including a base64-encoded ransom note, public keys for encryption, as well as values that inform the sample whether to communicate out to a C2 server or simply to remain local on the machine. Ransom Cartel, on the other hand, uses an almost identical method of configuration encryption, using RC4 for the main algorithm but also encoding it with base64 as well. With this addition of base64, it tells us that there's an even smaller chance the file is patched, as it would require actually inserting the base64 decoding functions into the raw binary, which would definitely lead to numerous problems during execution. Once the Ransom Cartel configuration is decrypted, the config maintains the same JSON formatting, albeit with fewer values, so the domains and the flag to indicate C2 communication are no longer present, but it does contain a list of processes and services to terminate, the ransom note information, and so on. It also contains the ransomware extension, so the extension to add to the end of the encrypted files. Now, both samples we looked at used a different extension, each randomly generated, so there wasn't really much to go off based on the extension alone.

Outside of the configuration, we put a main focus on identifying overlaps in the assembly code itself. Now, REvil has historically used a pretty complex method of encryption, utilizing several elliptic curve cryptographic keys to generate values described as shared secrets, which eventually find their way into a core file encryption routine utilizing the Salsa20 symmetric encryption algorithm. As well as the encryption setup being quite unique, the data appended to each file is far from common: at around 232 bytes, this data blob contains the shared secret information, a unique ECC public key specific to the file, the Salsa20 initialization vector value and a few more values that provide the decryptor with enough information to actually decrypt the file. Now, typically within ransomware the header or footer consists of the encrypted file key, but in the case of REvil they went pretty overkill in terms of development, and so for a threat actor to be able to copy the exact functionality byte for byte, it would be pretty time-consuming, and they'd likely be better off using the source of another leaked ransomware family such as Babuk. So comparing the footer and key setup functionality to the Ransom Cartel samples, there is an enormous overlap, with the code being almost identical aside from some compiler optimizations. The algorithms in use, the internal structures and the hard-coded values are a one-to-one match across both samples of Ransom Cartel and the REvil encryptor.

So as I mentioned before, while there are such big overlaps in the code, and the fact that the REvil source code has not been leaked, key features inside the binary indicate that it's not merely a patched version such as the LV ransomware family. The first of these features is the minimal obfuscation found in the Ransom Cartel samples. So REvil used some pretty heavy obfuscation, encrypting strings and using API hashing to load APIs dynamically; this was not present within the Ransom Cartel samples. Obviously the modified configuration encryption is a big one: REvil only used a layer of RC4 without base64 encoding, so that had been inserted into the source code, likely before compilation. Additionally, REvil likes to store core information in the registry as well, such as shared secrets and public keys; within Ransom Cartel these registry keys have been modified, so while they could be patched, as there is no encryption present, it also indicates that, you know, it's likely not being patched. And finally, the reduced functionality within Ransom Cartel: as I mentioned before, the Ransom Cartel samples had fewer configuration values, including the lack of any communication references such as communicating out to a C2 server. This is seen in the binary as well, with REvil containing some HTTP functionality while Ransom Cartel doesn't.

Again, similarly with the obfuscated import table: on the left we can see the typical import table for a REvil ransomware sample, and on the right we can see the Ransom Cartel import table, which lists plenty of imports. This isn't the entire table, but it gives us a lot of information about the file, such as calls to ReadFile, we have registry-related APIs, opening the service manager, and several other APIs that indicate it's not being obfuscated in any way at all. The same thing goes for the strings. This is the Ransom Cartel sample; we have a clear indication that not only is Salsa20 being used, we have a "cartel" string hardcoded into the ransomware itself, as well as some batch scripts and a few other indicators that we're dealing with ransomware, which, if you were looking at any sort of REvil sample, you wouldn't be able to tell unless you went in and tried to reverse engineer the string decryption routines. The overlap that we've discovered is not limited to just Windows binaries. As with most ransomware threat actors, a Linux encryptor is a must-have, and similarly with the Linux encryptors, all of the strings of the Ransom Cartel encryptors are visible and there's no obfuscation at all in terms of API hashing and so on, so it's clear that they haven't simply gone in and patched a REvil sample.

So there are some possible explanations as to what's going on here. It's possible that the REvil source code was sold to affiliates or shared with a certain number of individuals when the original actors stopped operations. Now, with the lack of obfuscation, it appears that the obfuscation engine used by REvil wasn't passed over; otherwise that would likely have been incorporated in the compilation process. So far, based on our research, it appears to be only in use by a single group. There are two public samples, and the main difference is the public key in use, which is pretty standard; normally it's generated per campaign to avoid any issues if one private key gets leaked, and that way you can only decrypt maybe one or two systems compared to the entire, you know, attack chain. Additionally, it doesn't appear to be used by a large number of affiliates as of yet, based on the lack of samples publicly available, as well as the fact that this family has been around for maybe a few months by now, and we would have definitely seen a lot more samples if it was being used by a large number of affiliates. It may be one or two affiliates, but, you know, nothing major on the original scale of REvil.

And yeah, thank you for listening. I guess at this point, time will tell if the operations of the Ransom Cartel group actually pick up, and if they choose to modify the codebase even further to add any sort of anti-analysis techniques, obfuscation methods and additional functionality. But at that point, that's pretty much it for my end.

Oh, thanks Daniel. That's it for us today. If there are any questions, we'll be sure to answer them in Discord. Thank you everyone.

Thanks very much for that great talk, we appreciated it, and I hope people will bounce over to Discord and talk about it more with you. I think it's time we all have a nice 10 minutes; we can take a break until our three o'clock Central Time talk. Thank you to our speakers, and we'll see you after the break.
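The configuration handling Daniel describes (a JSON config RC4-encrypted in REvil, with Ransom Cartel adding a base64 layer on top) is the kind of thing an analyst scripts once and reuses across samples. The block below is an added example written for this page; it is not code from the talk, from Unit 42, or from either ransomware family. It assumes the base64 layer wraps the RC4 ciphertext, that the RC4 key is already extracted as raw bytes, and it uses constructed sample configs: only the key names wht, wfld and svc come from the talk, while prc, dmn, net, nbody and ext are assumed field names chosen for the demonstration.

```python
"""Added worked example (editor's code, not the talk's or Unit 42's): recover a
REvil-style RC4-encrypted JSON config, and the Ransom Cartel layering the
speakers describe (base64 around the RC4 ciphertext; that ordering is an
assumption), then pull out the fields an analyst checks first.

Assumed, not from the talk: field names prc, dmn, net, nbody and ext, the raw
RC4 key, and every sample value below (all constructed for the demo)."""
import base64
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA keystream XOR). The same call encrypts and
    decrypts, which is why build_sample() can reuse it to construct test blobs."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_config(key: bytes, blob: bytes):
    """Try the REvil layering (RC4 only), then the Ransom Cartel layering
    (base64, then RC4). Returns (variant, config) or raises ValueError.
    A wrong key or wrong layering does not yield valid UTF-8 JSON, so the
    JSON parse doubles as the integrity check."""
    layerings = (
        ("revil", lambda b: b),
        ("ransom_cartel", lambda b: base64.b64decode(b, validate=True)),
    )
    for variant, unwrap in layerings:
        try:  # binascii.Error, UnicodeDecodeError and JSONDecodeError are all ValueError
            cfg = json.loads(rc4(key, unwrap(blob)).decode("utf-8"))
        except ValueError:
            continue
        if isinstance(cfg, dict):
            return variant, cfg
    raise ValueError("neither RC4 nor base64+RC4 produced a JSON object")


def triage(cfg: dict) -> dict:
    """First-pass summary: decoded note, kill lists, and whether the config
    carries any C2 reference (domains or net flag), which the talk notes is
    absent from the Ransom Cartel configs."""
    note = base64.b64decode(cfg.get("nbody", "")).decode("utf-8", "replace")
    return {
        "note_first_line": note.splitlines()[0] if note else "",
        "kill_processes": list(cfg.get("prc", [])),
        "kill_services": list(cfg.get("svc", [])),
        "whitelisted_folders": list(cfg.get("wht", {}).get("fld", [])),
        "extension": cfg.get("ext", ""),
        "has_c2_reference": bool(cfg.get("net")) or bool(cfg.get("dmn")),
    }


def build_sample(key: bytes, cfg: dict, cartel_layering: bool) -> bytes:
    """Construct a blob in either layering; used only to make the demo self-contained."""
    raw = rc4(key, json.dumps(cfg).encode("utf-8"))
    return base64.b64encode(raw) if cartel_layering else raw


# Constructed sample configs and key, not data from any real sample.
SAMPLE_KEY = b"demo-rc4-key"
REVIL_LIKE_CFG = {
    "wht": {"fld": ["windows", "program files"], "ext": ["exe", "dll"]},
    "wfld": ["backup"],
    "prc": ["sql.exe", "outlook.exe"],
    "svc": ["veeam", "vss"],
    "dmn": "example.invalid;example2.invalid",  # assumed C2 domain list field
    "net": True,                                 # assumed "talk to C2" flag
    "nbody": base64.b64encode(b"Your files are encrypted.\nContact us via the link below.").decode(),
    "ext": ".abc12",
}
CARTEL_LIKE_CFG = {k: v for k, v in REVIL_LIKE_CFG.items() if k not in ("dmn", "net")}
CARTEL_LIKE_CFG["nbody"] = base64.b64encode(b"Your network has been compromised.\nDo not contact third parties.").decode()
CARTEL_LIKE_CFG["ext"] = ".q7x3p"

if __name__ == "__main__":
    for name, cfg, cartel in (("revil-like", REVIL_LIKE_CFG, False), ("cartel-like", CARTEL_LIKE_CFG, True)):
        variant, recovered = decrypt_config(SAMPLE_KEY, build_sample(SAMPLE_KEY, cfg, cartel))
        print(name, "->", variant, triage(recovered))
```

In practice the blob and key still have to be carved out of the custom section of the specific sample, which is binary-specific work this example does not cover; the point here is that once you have both, the presence or absence of the base64 layer and of any C2 fields is a cheap, scriptable first check of which lineage you are looking at.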