Cybersecurity researchers recently linked a relatively new ransomware operation called Ransom Cartel with the well-known threat group REvil, after discovering code similarities in both attacker’s encryption solutions.

The REvil ransomware gang reached the height of its success back in 2021, when it successfully compromised thousands of organisations in a massive supply-chain attack. The major incident saw the threat group demand a $50 million payment from the computer manufacturer Acer and apply an extortion attack on Apple utilising stolen blueprints of unreleased devices.

Following considerable pressure from international law enforcement agencies, the ransomware gang closed for business in October 2021 but, in January 2022, authorities in Russia announced money seizures, arrests and criminal charges levelled at eight of the threat group’s members.

About 12 months later, a brand-new ransomware operation known as ‘Ransom Cartel’ was launched using ransomware that shared multiple code similarities to the malicious software deployed by REvil in its past activities.

A potential ransomware gang rebrand

A recent report issued by threat analysts at Unit 42 of the Palo Alto Network has taken further steps to assess a possible link between the two cybercriminal operations. The researchers found the two threat groups shared similarities in procedures, tactics, and techniques but also common ground when it came to the code of the malware they use

As the source code used in REvil’s encryption malware has never been leaked through hacking forums, it is understood that any new initiative using code which is similar is either a new project launched by one of the original gang’s core members or simply a ransomware gang rebrand.

When analysing Ransom Cartel’s encryptors the research team found similarities within the configuration structure embedded in the malicious software, while the storage locations remained different.

The malware samples analysed by Unit 42 indicate that Ransom Cartel appears to be missing certain configuration values. This suggest that the malware authors are either attempting to make the solution leaner or that they have created the malicious software based on an earlier edition of the REvil ransomware.

Ransom Cartel’s modus operandi

As well as the code similarities the procedures, tactics and techniques used by Ransom Cartel also bear a striking resemblance to the operating methods of the REvil gang. For example, Ransom Cartel also as for large ransomware demands and employ double-extortion attacks and a dedicated data leak site to apply pressure to the victims that they target.

In the past, ransomware gangs would infiltrate an enterprise’s network, locking the firm out of its own resources. For the return of access to its information, the company would be asked to pay a ransom payment.

Firms became wise and began keeping regular backups that allowed them to restore their systems without having to make a payment. In turn, ransomware operators developed the double-extortion technique. Instead of simply encrypting files, attackers also stole sensitive data during the breach. If the company refused to pay the requested ransom, the gam would threaten to release the data online via a leak site.