Cyble – Redeemer Ransomware Back Action

Cyble Research Labs analyzes Redeemer 2.0, a ransomware variant distributed via an affiliate program that shares 20% of victims’ Monero ransom with affiliates and uses a builder to tailor campaigns. Redeemer 2.0 adds an affiliate toolkit, GUI-based decrypter, multiple communication channels (XMPP/Tox/email), Windows 11 support, and improved process chaining and concealment, with affiliates coordinating with the developer via Dread Forums or Tox chat to obtain the Master Key. #Redeemer #Cerebrate #Monero #DreadForums #Tox

Key Points

  • Redeemer 2.0 is distributed through an affiliate program that requires affiliates to share 20% of the victim’s ransom in Monero.
  • The new version includes an affiliate toolkit with a GUI and a decrypter GUI, plus an updated ransom message.
  • It supports communication via XMPP/Tox Chat or up to two emails for coordination with the developer.
  • Redeemer 2.0 adds Windows 11 support and aims to prevent some damage to certain Windows systems.
  • The build process allows affiliates to generate a private build key and embed campaign IDs and ransom amounts in the binary.
  • Victims decrypt files using Decrypter.exe and the Redeemer Master Key obtained from the developer after paying the ransom.

MITRE Techniques

  • [T1068] Exploitation for Privilege Escalation – “The build file only executes in a Windows operating system and must be run as an administrator to infect the victim’s system.”
  • [T1036] Masquerading – The ransomware “copies itself into the Windows directory with legitimate file names, such as svchost.exe, calc.exe.”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The malware uses Windows command shell commands, e.g., “cmd.exe /c wevtutil clear-log …”
  • [T1070.001] Indicator Removal on Host: Clear Windows Event Logs – “to clear the event logs before the encryption process to ensure no malware traces are left behind.”
  • [T1490] Inhibit System Recovery – “delete the shadow copies, backup catalog, and system state backups”
  • [T1112] Modify Registry – “adds ransom notes in the registry key value ‘LegalNoticeCaption’ and ‘LegalNoticeText’ under the Winlogon registry key”
  • [T1489] Service Stop – “stops the list of actively running services in the system using the command ‘cmd.exe /c net stop “service name” /y >nul’.”
  • [T1082] System Information Discovery – listed in the article as part of the discovery phase
  • [T1083] File and Directory Discovery – listed in the article as part of the discovery phase
  • [T1486] Data Encrypted for Impact – listed in the article as the impact stage
  • [T1112] Modify Registry – (additional reference to registry-based changes for ransom notes and icon changes)
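As an added defensive example (not code from the Cyble report), the following Python maps process-creation telemetry onto the technique ids listed above: it flags the `wevtutil clear-log`, `net stop … /y`, shadow-copy and backup-catalog deletion, and Winlogon `LegalNotice*` registry writes the article describes, plus a masquerading heuristic for a `svchost.exe`/`calc.exe` dropped directly into `C:\Windows`. The `Key=value; Key=value` record format, the `vssadmin`/`wbadmin` command forms and the sample records are assumptions constructed for the example.

```python
import re

# Command-line patterns for the behaviours the write-up attributes to Redeemer,
# keyed to the MITRE technique ids listed above.
CMDLINE_RULES = [
    ("T1070.001", re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b", re.I)),
    ("T1489", re.compile(r"\bnet1?(\.exe)?\s+stop\b.*\s/y\b", re.I)),
    ("T1490", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
                         r"|\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
    ("T1112", re.compile(r"Winlogon.*LegalNotice(Caption|Text)\b", re.I)),
]
# Masquerading heuristic (assumption): a system-looking file name dropped directly
# into C:\Windows rather than System32, as the write-up describes.
MASQ_IMAGE = re.compile(r"^[A-Z]:\\Windows\\(svchost|calc)\.exe$", re.I)

def parse_event(line):
    """Parse one constructed 'Key=value; Key=value' process-creation record."""
    fields = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields if all(k in fields for k in ("Image", "CommandLine")) else None

def match_event(event):
    """Return the technique ids a single event triggers (empty list if none)."""
    hits = [tid for tid, rx in CMDLINE_RULES if rx.search(event["CommandLine"])]
    if MASQ_IMAGE.match(event["Image"]):
        hits.append("T1036")
    return hits

def scan(log):
    # Map each record line that triggered at least one rule to its technique ids.
    results = {}
    for line in log.strip().splitlines():
        event = parse_event(line)
        hits = match_event(event) if event else []
        if hits:
            results[line] = hits
    return results

# Constructed sample telemetry, not records taken from the report.
SAMPLE_LOG = """
Image=C:\\Windows\\System32\\cmd.exe; CommandLine=cmd.exe /c wevtutil clear-log Security
Image=C:\\Windows\\System32\\cmd.exe; CommandLine=cmd.exe /c net stop "MSSQLSERVER" /y >nul
Image=C:\\Windows\\System32\\cmd.exe; CommandLine=cmd.exe /c vssadmin delete shadows /all /quiet
Image=C:\\Windows\\System32\\reg.exe; CommandLine=reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" /v LegalNoticeCaption /t REG_SZ /d "Your files are encrypted" /f
Image=C:\\Windows\\svchost.exe; CommandLine=svchost.exe
Image=C:\\Windows\\System32\\notepad.exe; CommandLine=notepad.exe notes.txt
"""
```

Calling `scan(SAMPLE_LOG)` returns the five matching records with their technique ids; the `notepad.exe` record is the negative case and produces no hit.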

Indicators of Compromise

  • [Hashes] – Affiliate Toolkit.exe – 56a13812819c8426941c9bd8b63d3a9f, 9aa9290d337d68136030fc8182f7d499951a207e and 2 more hashes
  • [Hashes] – Decrypter.exe – 4b01f0d2de0b557cd13e42a36b78894f, b8a0d70e602684067b2dc5565a5f6a786fb298fa and 2 more hashes
  • [Hashes] – Build.exe – cd513de769a9c385b218306e7affc131, 1a22bc573674186f234dd541b9fccaf938195b33 and 2 more hashes
  • [Hash] – Redeemer sample – 1178e2b691fd266ccd29867acf134c855241b18b730b766da0ae69c53d4b9776
  • [Files] – Ransomware component filenames – Affiliate Toolkit.exe, Decrypter.exe, Build.dat, Build.exe

Read more: https://blog.cyble.com/2022/07/20/redeemer-ransomware-back-action/?utm_content=215383953&utm_medium=social&utm_source=twitter&hss_channel=tw-1141929006603866117