Redeemer 2.0 being distributed via Affiliate Program
Cyble Research Labs has constantly been tracking emerging threats as well as their delivery mechanisms from Ransomware groups, RATs, etc. During a routine threat-hunting exercise, we came across the latest version of Redeemer ransomware on darkweb cybercrime forums. The below figure shows a post made by the Redeemer Ransomware Developer named “Cerebrate” on a cybercrime forum.
In June 2021, the developer behind Redeemer released the ransomware builder on an underground forum.
As specified by the developer, the ransomware is free to use. However, the Threat Actor (TA) using the Redeemer ransomware is required to share 20% of the victim’s total ransom amount (collected in Monero).
Earlier this month, the author of Redeemer ransomware released their new version – Redeemer 2.0 – with updated features.
Some of the new features of ransomware mentioned by the developer are:
- New affiliate toolkit with GUI (no dependencies)
- New decrypter with GUI (no dependencies)
- Modified ransom message
- Added the option of using XMPP Chat/Tox Chat/up to two emails for communication
- Added support for Windows 11
- Prevented the damaging of Windows Operating Systems in certain cases
- Added amount and campaign ID to the Redeemer executable and affiliate decryption process so the affiliate can see the requested amount/campaign ID
- Now all encrypted files have a new icon making it clear that they were encrypted
- Lots of small fixes
The available Redeemer package includes the build.dat, decrypter, and the affiliate toolkit, as shown below.
Ransomware Builder: Redeemer
The Redeemer affiliate toolkit’s “build” option allows TAs to generate a private build key for encryption and specify email addresses for further communication.
While building the ransomware binary, the TAs can also mention the campaign ID, the ransom amount (in Monero), etc.
The build file only executes in a Windows operating system and must be run as an administrator to infect the victim’s system.
The below figure shows the options to build the ransomware executable.
To decrypt the victim’s encrypted files, the Redeemer tool generates the affiliate key from the Redeemer public key sent by the victim and the private build key generated earlier while compiling the ransomware binary, as shown below.
As per the developer’s instructions, after generating the Redeemer affiliate key, the TA/Affiliate can contact the Developer via Dread Forums or Tox chat to receive the Redeemer Master Key by paying the 20% of the ransom amount collected from victims.
Victims can decrypt their encrypted files after paying the ransom amount by using the Decrypter.exe from the package and the Redeemer Master Key from the developer.
The figure below shows the Redeemer ransomware process chain executed with administrator privileges.
Technical details
The sample with SHA256 hash 1178e2b691fd266ccd29867acf134c855241b18b730b766da0ae69c53d4b9776, generated using the Redeemer builder, was taken for this analysis.
Based on static analysis, we found that the ransomware is a console-based 32-bit executable written in C/C++, as shown below.
Upon execution, the ransomware initially creates a mutex named “RedeemerMutex” to ensure that only one instance of malware is running on the victim’s system.
After that, the malware creates a folder, copies itself into the Windows directory with legitimate file names, such as svchost.exe, calc.exe, etc., and executes itself as a new process by using the ShellExecuteW() API function.
Figure 7 shows the file and folder names used by the ransomware. The ransomware can use any of these names to copy itself into the victim’s machine.
The newly executed Redeemer process launches the Windows Event Utility commands listed below to clear the event logs before the encryption process to ensure no malware traces are left behind.
- C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
- C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
- C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
- C:\Windows\system32\cmd.exe /c wevtutil clear-log System
Additionally, the ransomware deletes the shadow copies, backup catalog, and system state backups by using the following commands:
- C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
- C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
- C:\Windows\system32\cmd.exe /c wbadmin delete systemstatebackup -deleteoldest -quiet
Then, the ransomware writes its ransom note into the “LegalNoticeCaption” and “LegalNoticeText” values under the Winlogon registry key, so that the victim is warned of the infection at the next system restart, as shown below.
Before encrypting the files, the ransomware kills a list of processes if they are actively running on the victim’s machine, using the command “cmd.exe /c taskkill /F /IM <executable name> >nul”.
The below figure shows the list of process names targeted by the ransomware.
Additionally, the ransomware stops a list of actively running services in the system using the command “cmd.exe /c net stop <service name> /y >nul”.
The below figure shows the list of services targeted by the ransomware by service name.
After stopping these services, the ransomware drops a file named “Redeemer.sys” (which is actually a PNG image) in the %programdata% location.
The ransomware then creates a DefaultIcon subkey for the redeemer extension and points it to the “Redeemer.sys” file that was dropped earlier. This operation changes the icons of the encrypted files.
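The process chain above (self-copy under a legitimate name, event-log clearing, shadow copy and backup deletion, Winlogon legal-notice writes, forced process kills, service stops and the DefaultIcon key) is what a defender can hunt for in endpoint telemetry. The following Python script is an added example, not code from Cyble or from the Redeemer package: it matches constructed sample events against one rule per behaviour and flags a host only when several behaviours co-occur, since a single legal-notice banner or service restart is routine administration. The registry paths, the placeholder folder name and all sample events are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not taken from the report). Each entry is
# (host, event_type, payload): "process" carries a command line, "registry"
# a written registry value path, "image" the on-disk path of a started image.
SAMPLE_EVENTS = [
    ("WS01", "image",    r"C:\Windows\ExampleFolder\svchost.exe"),  # folder name is a placeholder
    ("WS01", "process",  r"C:\Windows\system32\cmd.exe /c wevtutil clear-log Application"),
    ("WS01", "process",  r"C:\Windows\system32\cmd.exe /c wevtutil clear-log Security"),
    ("WS01", "process",  r"C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet"),
    ("WS01", "process",  r"C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet"),
    ("WS01", "registry", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption"),
    ("WS01", "process",  r"cmd.exe /c taskkill /F /IM sqlservr.exe >nul"),
    ("WS01", "process",  r"cmd.exe /c net stop MSSQLSERVER /y >nul"),
    ("WS01", "registry", r"HKCR\.redeemer\DefaultIcon"),
    # A second host doing ordinary administration: a legal-banner policy and read-only queries.
    ("WS02", "image",    r"C:\Windows\System32\svchost.exe"),
    ("WS02", "process",  r"C:\Windows\system32\cmd.exe /c wevtutil query-events Application /c:5"),
    ("WS02", "process",  r"C:\Windows\system32\vssadmin.exe list shadows"),
    ("WS02", "registry", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption"),
]

# One regex per behaviour described in the report, keyed by the event type it applies to.
RULES = {
    "process": {
        # wevtutil accepts both the long form "clear-log" and the short alias "cl".
        "event_log_clear":       re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I),
        "shadow_copy_delete":    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
        "backup_catalog_delete": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I),
        "forced_process_kill":   re.compile(r"\btaskkill(\.exe)?\s+/F\s+/IM\s+\S+", re.I),
        "service_stop":          re.compile(r"\bnet1?(\.exe)?\s+stop\s+.+?\s+/y\b", re.I),
    },
    "registry": {
        # Winlogon legal-notice values used for the ransom note (key path assumed).
        "winlogon_legal_notice": re.compile(r"\\Winlogon\\LegalNotice(Caption|Text)$", re.I),
        # DefaultIcon subkey for the "redeemer" extension (exact key location assumed).
        "redeemer_default_icon": re.compile(r"redeemer\\DefaultIcon$", re.I),
    },
    "image": {
        # svchost.exe / calc.exe are the names the report mentions; the genuine binaries
        # live in System32/SysWOW64, so a copy in any other Windows subfolder is suspicious.
        "masquerading_copy": re.compile(
            r"^[a-z]:\\windows\\(?!system32\\|syswow64\\)[^\\]+\\(svchost|calc)\.exe$", re.I),
    },
}


def match_event(event_type, payload):
    """Return the set of rule names whose pattern matches a single event."""
    return {name for name, pat in RULES.get(event_type, {}).items() if pat.search(payload)}


def score_hosts(events, threshold=3):
    """Collect distinct behaviours per host; flag a host once it shows at least
    `threshold` of them, so one-off legitimate actions do not fire on their own."""
    hits = defaultdict(set)
    for host, event_type, payload in events:
        hits[host] |= match_event(event_type, payload)
    return {host: {"rules": sorted(rules), "flagged": len(rules) >= threshold}
            for host, rules in hits.items()}


if __name__ == "__main__":
    for host, result in score_hosts(SAMPLE_EVENTS).items():
        status = "FLAGGED" if result["flagged"] else "ok"
        print(f"{host}: {status} ({', '.join(result['rules'])})")
```

With the constructed events, WS01 trips all eight rules and is flagged, while WS02, which only writes a legal-notice banner and runs read-only wevtutil and vssadmin queries, records a single hit and stays below the threshold. In production the same rules would be applied to process-creation and registry-write events from an EDR or Sysmon feed, and the threshold tuned to the environment’s normal administrative activity.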
Additionally,
Technique ID | Technique Name |
T1204 | User Execution |
T1082 | System Information Discovery |
T1083 | File and Directory Discovery |
T1070 | Indicator Removal on Host |
T1489 | Service Stop |
T1490 | Inhibit System Recovery |
Indicators of Compromise (IOCs)
Indicators | Indicator Type | Description |
56a13812819c8426941c9bd8b63d3a9f | MD5 | Affiliate Toolkit.exe |
9aa9290d337d68136030fc8182f7d499951a207e | SHA1 | Affiliate Toolkit.exe |
4368f30798a1caa0a7b30735111e143068678a0547dfd38c050926619869c73a | SHA256 | Affiliate Toolkit.exe |
4b01f0d2de0b557cd13e42a36b78894f | MD5 | Decrypter.exe |
b8a0d70e602684067b2dc5565a5f6a786fb298fa | SHA1 | Decrypter.exe |
bf8f74a05e4a10ab893c73bc95ed16c3b5c6ffe6e257c098b33c04c3a893acb9 | SHA256 | Decrypter.exe |
cd513de769a9c385b218306e7affc131 | MD5 | build.dat |
1a22bc573674186f234dd541b9fccaf938195b33 | SHA1 | build.dat |
86bd9cdfdb425266c477544a5cf951fdc56733d46f1a7b44f8188168b5e2fb15 | SHA256 | build.dat |
cd4b9ae02fdddfdb555ee45591deca4f | MD5 | Build.exe |
e6f98d1666896c84279db4fb6af5c5e6d815bb75 | SHA1 | Build.exe |
1178e2b691fd266ccd29867acf134c855241b18b730b766da0ae69c53d4b9776 | SHA256 | Build.exe |