Cyble-Redeemer-Ransomware

Redeemer Ransomware back Action

Redeemer 2.0 being distributed via Affiliate Program

Cyble Research Labs has constantly been tracking emerging threats as well as their delivery mechanisms from Ransomware groups, RATs, etc. During a routine threat-hunting exercise, we came across the latest version of Redeemer ransomware on darkweb cybercrime forums. The below figure shows a post made by the Redeemer Ransomware Developer named “Cerebrate” on a cybercrime forum.

Figure 1 – Post Made by TA on a Cybercrime Forum

In June 2021, the developer behind Redeemer released the ransomware builder on an underground forum.

As specified by the developer, the ransomware is free to use. However, the TA using the Redeemer ransomware is required to share 20% of the victim’s total ransom amount (collected in Monero).

Earlier this month, the author of Redeemer ransomware released their new version – Redeemer 2.0 – with updated features.

Some of the new features of ransomware mentioned by the developer are:

  • New affiliate toolkit with GUI (no dependencies)
  • New decrypter with GUI (no dependencies)
  • Modified ransom message
  • Added the option of using XMPP Chat/Tox Chat/up to two emails for communication
  • Added support for Windows 11
  • Prevented the damaging of Windows Operating Systems in certain cases
  • Added amount and campaign ID to the Redeemer executable and affiliate decryption process so the affiliate can see the requested amount/campaign ID
  • Now all encrypted files have a new icon making it clear that they were encrypted
  • Lots of small fixes

The available Redeemer package includes the build.dat, decrypter, and the affiliate toolkit, as shown below.

Figure 2 – Files inside Redeemer Package

Ransomware Builder: Redeemer

The Redeemer affiliate toolkit’s “build” option allows TAs to generate a private build key for encryption and specify email addresses for further communication.

While building the ransomware binary, the TAs can also mention the campaign ID, the ransom amount (in Monero), etc.

The build file only executes in a Windows operating system and must be run as an administrator to infect the victim’s system.

The below figure shows the options to build the ransomware executable.

Figure 3 – Redeemer ransomware  builder

To decrypt the victim’s encrypted files, the Redeemer tool will generate the affiliate key by using Redeemer public key sent by the victim and the private build key generated earlier while compiling the ransomware binary, as shown below.

Figure 4 – Redeemer Affiliate Key Generation

As per the developer’s instructions, after generating the Redeemer affiliate key, the TA/Affiliate can contact the Developer via Dread Forums or Tox chat to receive the Redeemer Master Key by paying the 20% of the ransom amount collected from victims.

Victims can decrypt their encrypted files after paying the ransom amount by using the  Decrypter.exe from the package and the Redeemer Master Key from the developer.

The figure below shows the Redeemer ransomware process chain executed with administrator privileges.

Figure 5 – Process Chain

Technical details

The sample hash (SHA256), 1178e2b691fd266ccd29867acf134c855241b18b730b766da0ae69c53d4b9776

generated using Redeemer builder was taken for this analysis.

Based on static analysis, we found that the ransomware is a console-based x32 bit executable written in C/C++, as shown below.

Figure 6 – Static File Details

Upon execution, the ransomware initially creates a mutex named “RedeemerMutex” to ensure that only one instance of malware is running on the victim’s system.

After that, the malware creates a folder, copies itself into the Windows directory with legitimate file names, such as svchost.exe, calc.exe, etc., and executes itself as a new process by using the ShellExecuteW() API function.

Figure 7 shows the file and folder names used by the ransomware. The ransomware can use any of these names to copy itself into the victim’s machine.

Figure 7 – Self-copy file names

The newly executed Redeemer process launches the Windows Event Utility commands listed below to clear the event logs before the encryption process to ensure no malware traces are left behind.

  • C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
  • C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
  • C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
  • C:\Windows\system32\cmd.exe /c wevtutil clear-log System

Additionally, the ransomware deletes the shadow copies, backup catalog, and system state backups by using the following commands:

  • C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
  • C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  • C:\Windows\system32\cmd.exe /c wbadmin delete systemstatebackup -deleteoldest -quiet

Then, the ransomware adds ransom notes in the registry key value “LegalNoticeCaption” and “LegalNoticeText” under the Winlogon registry key to warn the victim of the ransomware infection during the system restart, as shown below.

Figure 8 – Winlogon Ransom Message

Before encrypting the files, the ransomware kills a list of processes if they are actively running on the victim’s machine by using the command “cmd.exe /c taskkill /F /IM “executable name” >nul.”

The below figure shows the list of process names targeted by the ransomware.

Figure 9 – List of Processes to Terminate

Additionally, the ransomware stops the list of actively running services in the system using the command “cmd.exe /c net stop “service name”  /y >nul.”

The below figure shows the list of services targeted by the ransomware by service name.

Figure 10 – List of Services to Stop

After stopping these services, the ransomware drops a file named “Redeemer.sys” (which is a PNG file) in the %programdata% location.

The ransomware then creates a DefaultIcon subkey for the redeemer extension and points it to the “Redeemer.sys” file that was dropped earlier. This operation changes the icons of the encrypted files.

Additionally, it adds a registry entry for showing an alert when these encrypted files are opened. The below figure shows the registry entries added by the ransomware.

Figure 11 – Registry Modification of Default Icon

The figure below demonstrates the ransom note dropped by the malware with the name “Read Me.TXT,” instructing victims to pay the ransom in exchange for the decryption tool.

Figure 12 – Redeemer Ransomware Note

After dropping the ransom note, the ransomware searches files and directories for encryption by enumerating them using the FindFirstFileW() and FindNextFileW() API functions, as shown in Figure 13. The ransomware uses CRYPTOGAMS OpenSSL Library for encrypting these files.

Figure 13 – FindFirstFileW() and FindNextFileW() API Functions

The below table shows the directory names, file names, and file extensions excluded by Redeemer ransomware during its encryption process.

Directory NamesFile namesFile extensions
\Windows \system volume information \recovery \perflogs \programdata\microsoft \programdata\packages \programdata\softwaredistribution %ProgramW6432%Read Me.TXT bootTel.dat desktop.ini bootmgr BOOTNXT BOOTSECT.BAK.exe .dll .ini .lnk .url .redeem .sys

Finally, the ransomware encrypts the files on the victim’s machine and appends the “.redeem” extension with the file name. It then proceeds to delete the ransomware file from the system, leaving only the encrypted files and the ransom note on the victim’s machine.

The encrypted files with the Redeemer icon are shown below.

Figure 14 – Redeemer Encrypted Files

Upon visiting the Onion link mentioned in the ransom note, it opens the Redeemer TA’s page in Dread forums and asks victims to submit a CAPTCHA to view TAs’ contact details.

The below figure shows the CAPTCHA page.

Figure 15 – Redeemer CAPTCHA Page on Dread Forums

After entering the CAPTCHA, the victims are redirected to a page where they can see the TAs’ contact details, decryption fee payment information, Affiliate instructions, etc., as shown below.

Figure 16 – Redeemer Page on Dread Forums

Conclusion

Cyble Research Labs has observed a significant increase in cybercrime through Telegram channels and cybercrime forums where TAs sell their products without being subject to any regulation or oversight.

We have observed a similar rise in ransomware affiliate programs, where the ransomware developers are increasingly selling/leasing their ransomware to affiliates for a portion of any ransom amount collected.

We have encountered the Redeemer ransomware builder being distributed on one such underground cybercrime forum free of cost.

Cyble Research Labs will continue to monitor the Redeemer ransomware’s products and update our readers with any pertinent information.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

  • Detach infected devices on the same network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impacts And Cruciality of Redeemer 2.0 Ransomware

  • Loss of Valuable data.
  • Loss of the organization’s reputation and integrity.
  • Loss of the organization’s sensitive business information.
  • Disruption in organization operation.
  • Financial loss.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
ExecutionT1204User Execution
DiscoveryT1012
T1082
T1083
Query Registry
System Information Discovery
File and Directory Discovery
Defense EvasionT1027
T1070
Obfuscated Files or Information
Indicator Removal on Host
ImpactT1486
T1489
T1490
Data Encrypted for Impact ​
Service Stop
Inhibit System Recovery
PersistenceT1547Boot or Logon AutoStart Execution

Indicator Of Compromise (IOCs)

IndicatorsIndicator
Type
Description
56a13812819c8426941c9bd8b63d3a9f
9aa9290d337d68136030fc8182f7d499951a207e
4368f30798a1caa0a7b30735111e143068678a0547dfd38c050926619869c73a
MD5
SHA1
Sha256
Affiliate Toolkit.exe
4b01f0d2de0b557cd13e42a36b78894f
b8a0d70e602684067b2dc5565a5f6a786fb298fa
bf8f74a05e4a10ab893c73bc95ed16c3b5c6ffe6e257c098b33c04c3a893acb9
MD5
SHA1
Sha256
Decrypter.exe
cd513de769a9c385b218306e7affc131
1a22bc573674186f234dd541b9fccaf938195b33
86bd9cdfdb425266c477544a5cf951fdc56733d46f1a7b44f8188168b5e2fb15
MD5
SHA1
Sha256
build.dat
cd4b9ae02fdddfdb555ee45591deca4f
e6f98d1666896c84279db4fb6af5c5e6d815bb75
1178e2b691fd266ccd29867acf134c855241b18b730b766da0ae69c53d4b9776
MD5
SHA1
Sha256
Build.exe
Scroll to Top