Ransom Cartel and a possible connection to REvil.
Oct 17, 2022

Meet the new gang (pretty much) the same as the old gang.


Palo Alto Networks’ Unit 42 has published a report on the Ransom Cartel ransomware-as-a-service offering, finding that it has possible ties to the now-defunct REvil ransomware gang. Unit 42 summarizes what’s known of the gang’s provenance so far:

“At this time, we believe that Ransom Cartel operators had access to earlier versions of REvil ransomware source code, but not some of the most recent developments (see our Ransom Cartel and REvil Code Comparison for more details). This suggests there was a relationship between the groups at some point, though it may not have been recent.”

Out with REvil, in with Ransom Cartel.

The group surfaced in December 2021 and has been active against victims in Western Europe and North America since at least January 2022. “Unit 42 has also observed Ransom Cartel group breaching organizations, with the first known victims observed by us around January 2022 in the U.S. and France. Ransom Cartel has attacked organizations in the following industries: education, manufacturing, and utilities and energy. Unit 42 incident responders have also assisted clients with response efforts in several Ransom Cartel cases.”

REvil went dark shortly before Ransom Cartel activity was first observed. The BBC reported on January 14th, 2022, that Russian authorities had arrested fourteen members of REvil. In an unusual gesture toward international responsibility and cooperation against organized crime, Russia’s FSB said it had acted on information provided by US law enforcement agencies. (Russia’s cooperation stopped short of extraditing anyone to the US.) The US at the time expressed polite, cautious optimism (see the Washington Post’s account) that Russia might begin cracking down on some of the cyber gangs it had long permitted to operate relatively unmolested. Around the time of the arrests, the New York Times published a long account of REvil’s history of operating from Russia against targets in the West.

“When Ransom Cartel first appeared,” Unit 42 writes, “it was unclear whether it was a rebrand of REvil or an unrelated threat actor who reused or mimicked REvil ransomware code.” Whatever the case may be, the group is up and running today.

Double extortion.

Ransom Cartel engages in both data denial and data theft. “Like many other ransomware gangs, Ransom Cartel leverages double extortion techniques. Unit 42 has observed the group taking an aggressive approach, threatening not only to publish stolen data to their leak site, but also to send it to the victim’s partners, competitors and the news in an effort to inflict reputational damage.”