Cyble – Redeemer Ransomware Back Action

Redeemer 2.0 being distributed via Affiliate Program

Cyble Research Labs has constantly been tracking emerging threats as well as their delivery mechanisms from Ransomware groups, RATs, etc. During a routine threat-hunting exercise, we came across the latest version of Redeemer ransomware on darkweb cybercrime forums. The below figure shows a post made by the Redeemer Ransomware Developer named “Cerebrate” on a cybercrime forum.

Figure 1 – Post Made by TA on a Cybercrime Forum

In June 2021, the developer behind Redeemer released the ransomware builder on an underground forum.

As specified by the developer, the ransomware is free to use. However, the TA using the Redeemer ransomware is required to share 20% of the victim’s total ransom amount (collected in Monero).

Earlier this month, the author of Redeemer ransomware released their new version – Redeemer 2.0 – with updated features.

Some of the new features of ransomware mentioned by the developer are:

  • New affiliate toolkit with GUI (no dependencies)
  • New decrypter with GUI (no dependencies)
  • Modified ransom message
  • Added the option of using XMPP Chat/Tox Chat/up to two emails for communication
  • Added support for Windows 11
  • Prevented the damaging of Windows Operating Systems in certain cases
  • Added amount and campaign ID to the Redeemer executable and affiliate decryption process so the affiliate can see the requested amount/campaign ID
  • Now all encrypted files have a new icon making it clear that they were encrypted
  • Lots of small fixes

The available Redeemer package includes the build.dat, decrypter, and the affiliate toolkit, as shown below.

Figure 2 – Files inside Redeemer Package

Ransomware Builder: Redeemer

The Redeemer affiliate toolkit’s “build” option allows TAs to generate a private build key for encryption and specify email addresses for further communication.

While building the ransomware binary, the TAs can also mention the campaign ID, the ransom amount (in Monero), etc.

The build file only executes in a Windows operating system and must be run as an administrator to infect the victim’s system.

The below figure shows the options to build the ransomware executable.

Figure 3 – Redeemer Ransomware Builder

To decrypt the victim’s encrypted files, the Redeemer tool generates the affiliate key from the Redeemer public key sent by the victim and the private build key generated earlier while compiling the ransomware binary, as shown below.

Figure 4 – Redeemer Affiliate Key Generation

As per the developer’s instructions, after generating the Redeemer affiliate key, the TA/Affiliate can contact the Developer via Dread Forums or Tox chat to receive the Redeemer Master Key by paying the 20% of the ransom amount collected from victims.

Victims can decrypt their encrypted files after paying the ransom amount by using the Decrypter.exe from the package and the Redeemer Master Key from the developer.

The figure below shows the Redeemer ransomware process chain executed with administrator privileges.

Figure 5 – Process Chain

Technical details

The sample with SHA256 hash 1178e2b691fd266ccd29867acf134c855241b18b730b766da0ae69c53d4b9776, generated using the Redeemer builder, was taken for this analysis.

Based on static analysis, we found that the ransomware is a 32-bit console-based executable written in C/C++, as shown below.

Figure 6 – Static File Details

Upon execution, the ransomware initially creates a mutex named “RedeemerMutex” to ensure that only one instance of malware is running on the victim’s system.

After that, the malware creates a folder, copies itself into the Windows directory with legitimate file names, such as svchost.exe, calc.exe, etc., and executes itself as a new process by using the ShellExecuteW() API function.

Figure 7 shows the file and folder names used by the ransomware. The ransomware can use any of these names to copy itself into the victim’s machine.

Figure 7 – Self-copy file names

The newly executed Redeemer process launches the Windows Event Utility commands listed below to clear the event logs before the encryption process to ensure no malware traces are left behind.

  • C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
  • C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
  • C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
  • C:\Windows\system32\cmd.exe /c wevtutil clear-log System

Additionally, the ransomware deletes the shadow copies, backup catalog, and system state backups by using the following commands:

  • C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
  • C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  • C:\Windows\system32\cmd.exe /c wbadmin delete systemstatebackup -deleteoldest -quiet
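As an added defender-side example that is not part of the Cyble write-up, the following Python flags the log-clearing and backup-destruction command lines above in process-creation telemetry and maps them to the ATT&CK IDs used later in this post. The sample events, PIDs and rule wording are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style process-creation command lines, not real telemetry.
# The first four mirror the commands quoted in the write-up; the last two are
# benign administrative noise that the rules must not flag.
SAMPLE_EVENTS = [
    (4120, r"C:\Windows\system32\cmd.exe /c wevtutil clear-log Security"),
    (4124, r"C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet"),
    (4130, r"C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet"),
    (4136, r"C:\Windows\system32\cmd.exe /c wbadmin delete systemstatebackup -deleteoldest -quiet"),
    (5000, r"wevtutil qe Security /c:5 /rd:true"),  # querying a log, not clearing it
    (5004, r"vssadmin list shadows"),                # listing copies, not deleting
]

# (ATT&CK ID as mapped in the write-up, description, pattern). Case-insensitive
# because Windows tooling is; "cl" is wevtutil's short form of "clear-log".
RULES = [
    ("T1070", "event log cleared with wevtutil",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I)),
    ("T1490", "shadow copies deleted with vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "backup catalog deleted with wbadmin",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("T1490", "system state backup deleted with wbadmin",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+systemstatebackup\b", re.I)),
]

@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str
    description: str
    command: str

def scan(events):
    """Return one Finding per (event, rule) match; benign events yield none."""
    return [Finding(pid, tech, desc, cmd)
            for pid, cmd in events
            for tech, desc, pattern in RULES
            if pattern.search(cmd)]

def recovery_inhibited(findings):
    """True when both log clearing (T1070) and backup destruction (T1490) were
    observed, the paired behaviour the write-up describes for Redeemer."""
    return {"T1070", "T1490"} <= {f.technique for f in findings}

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] pid={f.pid}: {f.description}: {f.command}")
```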

Then, the ransomware adds ransom notes in the registry key value “LegalNoticeCaption” and “LegalNoticeText” under the Winlogon registry key to warn the victim of the ransomware infection during the system restart, as shown below.

Figure 8 – Winlogon Ransom Message

Before encrypting the files, the ransomware kills a list of processes if they are actively running on the victim’s machine by using the command “cmd.exe /c taskkill /F /IM <executable name> >nul”.

The below figure shows the list of process names targeted by the ransomware.

Figure 9 – List of Processes to Terminate

Additionally, the ransomware stops a list of actively running services on the system using the command “cmd.exe /c net stop <service name> /y >nul”.

The below figure shows the list of services targeted by the ransomware by service name.

Figure 10 – List of Services to Stop

After stopping these services, the ransomware drops a file named “Redeemer.sys” (which is a PNG file) in the %programdata% location.

The ransomware then creates a DefaultIcon subkey for the redeemer extension and points it to the “Redeemer.sys” file that was dropped earlier. This operation changes the icons of the encrypted files.

Additionally,

MITRE ATT&CK Techniques

  • Execution: T1204 (User Execution)
  • Discovery: T1012 (Query Registry), T1082 (System Information Discovery), T1083 (File and Directory Discovery)
  • Defense Evasion: T1027 (Obfuscated Files or Information), T1070 (Indicator Removal on Host)
  • Impact: T1486 (Data Encrypted for Impact), T1489 (Service Stop), T1490 (Inhibit System Recovery)
  • Persistence: T1547 (Boot or Logon Autostart Execution)

Indicator Of Compromise (IOCs)

Affiliate Toolkit.exe
  • MD5: 56a13812819c8426941c9bd8b63d3a9f
  • SHA1: 9aa9290d337d68136030fc8182f7d499951a207e
  • SHA256: 4368f30798a1caa0a7b30735111e143068678a0547dfd38c050926619869c73a

Decrypter.exe
  • MD5: 4b01f0d2de0b557cd13e42a36b78894f
  • SHA1: b8a0d70e602684067b2dc5565a5f6a786fb298fa
  • SHA256: bf8f74a05e4a10ab893c73bc95ed16c3b5c6ffe6e257c098b33c04c3a893acb9

build.dat
  • MD5: cd513de769a9c385b218306e7affc131
  • SHA1: 1a22bc573674186f234dd541b9fccaf938195b33
  • SHA256: 86bd9cdfdb425266c477544a5cf951fdc56733d46f1a7b44f8188168b5e2fb15

Build.exe
  • MD5: cd4b9ae02fdddfdb555ee45591deca4f
  • SHA1: e6f98d1666896c84279db4fb6af5c5e6d815bb75
  • SHA256: 1178e2b691fd266ccd29867acf134c855241b18b730b766da0ae69c53d4b9776

Source: https://blog.cyble.com/2022/07/20/redeemer-ransomware-back-action/?utm_content=215383953&utm_medium=social&utm_source=twitter&hss_channel=tw-1141929006603866117