What Is Redeemer Ransomware and How Does It Spread: A Technical Analysis

Redeemer Ransomware
  • Author: Mehardeep Singh Sawhney
  • Editor: Benila Susan Jacob

Research indicates that a ransomware attack occurs roughly every 11 seconds, which translates to approximately 3 million attacks a year. Ransomware attacks are no longer isolated events. Companies face a constant threat to their revenue, data, brand and image, and ultimately to the survival of the business.

Redeemer ransomware was initially identified in June 2021, and since then, four public versions (1.0, 1.5, 1.7, and 2.0) have been released. This article contains the technical analysis of the Redeemer ransomware and its various features.

Evolution of the Redeemer Ransomware 2.0

The threat actor Cerebrate, operating on a cybercrime forum named Dread, has been actively promoting the Redeemer ransomware. They have recently started operating on the Breached forum as well and have released the latest version (version 2.0) there.

Redeemer has gone through four version changes since September 2021. The latest version includes improved graphical features such as a GUI builder interface, a changed icon for encrypted files and a detailed instructions list. The threat actor also claims to have added Windows 11 support and a few cryptographic changes in the latest version. The version changelog image shared by the actor (reproduced in the Appendix) lists the features added with each release of the Redeemer ransomware.

Modus Operandi

  • Using the builder executable, the attacker creates a ransomware executable.
  • The attacker specifies an RSA private key file, a contact email address, the XMR (Monero) amount and, if a crypter is being used to pack the ransomware, the option to disable ‘melt’. Enabling ‘melt’ makes the ransomware executable delete itself, relocate to a random directory on the system and execute from there in a hidden state.
  • Using the Generate Key Pair option, an RSA private key is generated, which is sent to the malware author (Cerebrate) along with the encrypted public key generated by the ransomware executable. The public key is received from the victim.
  • The malware author (Cerebrate) shares the master key only after receiving 20% of the collected ransom amount. Thus, the victim can only decrypt their files once the affiliate attacker has paid 20% of the ransom to the author.


Details of the Ransomware

  • This Ransomware is written in C++ and comes with a builder and decrypter executable.
  • It uses the following encryption algorithms:
    • AES256 is used to encrypt the files on the victim’s computer
    • RSA is used to encrypt the key
  • The ransomware clones itself under the name of a system executable (e.g. conhost.exe) and creates a hidden folder for itself in the Windows directory.
  • It terminates all running processes and services that may interfere with the encryption routine.
  • It deletes all shadow copies of files and clears all event and application logs using wevtutil, vssadmin, and wbadmin.
  • It uses multithreading in order to enumerate the filesystem and encrypt files. It creates 35 different threads that point to the same encryption routine.
  • It also modifies the Winlogon registry value and sets it to display the ransom note. Thus, when a user logs into the machine, the ransom note is displayed.

Technical Analysis

Ransomware Signature

The signature of this executable shows that it is written in C++. During string analysis, multiple Base64-encoded strings were observed, some of which decode to the public key used for encryption and to PowerShell commands. Decoding one of these strings yields the text ‘Redeemer Ransomware – Your Data Is Encrypted’.

Signature of the executable file indicating that it is written in C++
An encoded ransomware string

Stage I – Pre-Encryption Operations

Mutex Creation

Upon execution, Redeemer first hides its console window with a call to the ShowWindow Windows API. It then creates a mutex named RedeemerMutex to ensure that multiple instances of the ransomware do not run on the same system at once.

Code for hiding the process window and creation of the Mutex

String Encoding

An RSA public key, ransom amount, and contact email ID are then loaded as Base64 values into memory and decoded for further usage. This Ransomware heavily uses Base64 for string encoding purposes.

Code for loading and decoding Base64 values, and storing them for later use

Stage II – Preparing for Encryption

Control passes to the second stage of the ransomware based on the number of command-line arguments the executable was started with. To reach that stage, the ransomware copies itself under a different name to a world-writable directory, as shown in the image below.

The list of random executable and directory names

A new instance is then spawned to perform the encryption. The name of the newly spawned process is chosen at random from the list shown in the image above. The process is broken down step by step below:

  • The ransomware randomly chooses the directory and executable names using the logic shown below. It also sets the directory attributes to hidden using the SetFileAttributes Windows API. In the case shown, the directory selected is C:\Windows\SQL and the executable name is taskmgr.exe.
Logic for determining the file and folder name combination
  • The ransomware then launches its copy using the ShellExecuteW Windows API, passing the path of the old executable as an argument. This allows the copy to delete the original and continue running as an impostor system executable, which then commences the encryption.
Executing the new executable while accepting the old one as an argument
  • The directory enumeration and encryption routine begins only once this argument condition is met. The check is implemented by counting the number of arguments passed to the executable.
Code for checking the arguments and deleting the original executable if the criteria are met
  • The new executable then runs Windows Event Utility (wevtutil) commands via CMD to clear important event logs. The vssadmin and wbadmin commands are used to delete all shadow copies, backup catalogs and system-state backups, making file recovery impossible.
Commands executed to clear event logs and delete shadow copies
  • The ransomware terminates executables and services (including security applications) that might hinder the encryption operations. The commands for this are hardcoded in the program as Base64 strings that decode to taskkill and net stop commands. (Refer to the List of Executables & Services Terminated by the Ransomware.)
Commands used to terminate executables and services which might hinder encryption
  • The ransomware also edits the Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key, modifying the LegalNoticeCaption and LegalNoticeText values to hold the ransom note. Thus, when a user logs in, the ransom note is displayed.
  • The ransomware also creates an exception list so that it does not encrypt the following:
    • System and OS directories
    • Redeemer ransomware (i.e. itself)
    • Ransom note
    • Already encrypted files
Code highlighting the skipped extensions and files
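The pre-encryption steps above (a copy running under a system binary's name from an unusual directory, wevtutil/vssadmin/wbadmin invocations, a burst of taskkill and net stop children, and the Winlogon LegalNotice change) all surface in process-creation telemetry. The following is an added detection example written for this article, not code from the report or from any vendor product: it runs a handful of rules over constructed Sysmon-style events (pids, paths and command lines are made up; the exact argument spelling used by the sample is not reproduced on the page, so the patterns match the generic usage of each tool).

```python
import re
from dataclasses import dataclass

# Directories from which the impersonated system binaries legitimately run.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names the article reports Redeemer borrowing for its relocated copy.
IMPERSONATED_NAMES = {"conhost.exe", "taskmgr.exe"}

# Command-line patterns for the log-clearing, shadow-copy deletion and Winlogon
# steps described above. Assumption: generic tool usage, not the sample's exact arguments.
CMDLINE_RULES = {
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "shadow_copies_deleted": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "backup_catalog_deleted": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I),
    "winlogon_legal_notice_set": re.compile(r"winlogon.*legalnotice(caption|text)", re.I),
}
KILL_COMMAND = re.compile(r"\b(taskkill|net\s+stop)\b", re.I)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (the fields Sysmon event ID 1 or EDR telemetry provides)."""
    pid: int
    parent_pid: int
    image: str
    command_line: str


# Constructed telemetry for one hypothetical infection; paths and pids are made up.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\System32\taskmgr.exe", "taskmgr.exe"),
    ProcessEvent(200, 150, r"C:\Windows\SQL\taskmgr.exe",
                 r"C:\Windows\SQL\taskmgr.exe C:\Users\victim\Downloads\invoice.exe"),
    ProcessEvent(201, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c wevtutil cl System"),
    ProcessEvent(202, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ProcessEvent(203, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c wbadmin delete catalog -quiet"),
    ProcessEvent(204, 200, r"C:\Windows\System32\reg.exe",
                 r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeCaption /t REG_SZ /d "Your Data Is Encrypted" /f'),
    ProcessEvent(205, 200, r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM outlook.exe"),
    ProcessEvent(206, 200, r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM sqlservr.exe"),
    ProcessEvent(207, 200, r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM excel.exe"),
    ProcessEvent(208, 200, r"C:\Windows\System32\net.exe", "net stop MSSQLSERVER /y"),
    ProcessEvent(209, 200, r"C:\Windows\System32\net.exe", "net stop SophosAgent /y"),
]


def check_event(ev: ProcessEvent) -> list:
    """Per-event findings: impersonated system binary outside a system directory, or a flagged command line."""
    findings = []
    image = ev.image.lower()
    name = image.rsplit("\\", 1)[-1]
    if name in IMPERSONATED_NAMES and not image.startswith(SYSTEM_DIRS):
        findings.append("system_binary_name_outside_system_dir")
    for label, pattern in CMDLINE_RULES.items():
        if pattern.search(ev.command_line):
            findings.append(label)
    return findings


def scan(events, kill_burst_threshold: int = 5) -> dict:
    """Map pid -> findings. A parent that spawns many taskkill/net stop children is flagged as a burst."""
    findings = {}
    kill_counts = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            findings[ev.pid] = hits
        if KILL_COMMAND.search(ev.command_line):
            kill_counts[ev.parent_pid] = kill_counts.get(ev.parent_pid, 0) + 1
    for ppid, n in kill_counts.items():
        if n >= kill_burst_threshold:
            findings.setdefault(ppid, []).append(f"process_kill_burst({n})")
    return findings


if __name__ == "__main__":
    for pid, hits in sorted(scan(SAMPLE_EVENTS).items()):
        print(pid, hits)
```

Each rule on its own will fire on legitimate administration (a backup product rotating shadow copies, an admin clearing a log); the signal in this case comes from the combination: the parent is a system binary name running from a non-system path, and the same parent accounts for the log clearing, backup deletion and the kill burst. Correlating on parent pid, as `scan` does, is what turns four noisy rules into one actionable alert.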


Encryption

Redeemer is capable of enumerating and encrypting both local files and network-attached drives.

The ransomware encryption loop

It enumerates drives using the GetLogicalDrives Windows API and then locates targets with the following APIs:

  • For the local files, it uses SHGetFolderPath
  • For network assets, it uses WNetEnumResource.

It executes these operations using a loop with FindFirstFile and FindNextFile.

Enumeration of local and network files and folders

It should be noted that this ransomware uses multithreading for encryption, which makes it efficient in terms of CPU usage. It creates 35 different threads, each pointing to the encryption routine.

Screenshot of the threads created by Redeemer

It initializes the ransom note in Base64 and writes the decoded value to a file named Read Me.TXT. The encrypted files are saved with the .redeem extension.

Screenshot of encrypted file names
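The encryption stage leaves two file-system artefacts named above: files renamed with the .redeem extension and the Read Me.TXT note. Because AES-256 output is indistinguishable from random bytes, encrypted files also stand out by their byte entropy. The following is an added example written for this article, not code from the report: it scores a constructed directory listing (the "encrypted" blobs are seeded pseudo-random bytes, not real ciphertext) on extension, note name and Shannon entropy, and gives a per-directory verdict.

```python
import math
import random
from collections import Counter

RANSOM_EXTENSION = ".redeem"        # extension appended to encrypted files
RANSOM_NOTE_NAME = "read me.txt"    # ransom note file name, compared case-insensitively


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the ceiling for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(name: str, data: bytes, entropy_threshold: float = 7.5) -> list:
    """Reasons a file looks like a Redeemer artefact; an empty list means nothing suspicious."""
    lower = name.lower()
    reasons = []
    if lower.endswith(RANSOM_EXTENSION):
        reasons.append("redeem_extension")
    if lower == RANSOM_NOTE_NAME:
        reasons.append("ransom_note")
    # Small files give unreliable entropy estimates, so only score larger ones.
    if len(data) >= 256 and shannon_entropy(data) >= entropy_threshold:
        reasons.append("high_entropy")
    return reasons


def directory_verdict(files: dict, ratio: float = 0.5) -> bool:
    """True when a ransom note is present or at least `ratio` of the files look encrypted."""
    if not files:
        return False
    classified = {name: classify_file(name, data) for name, data in files.items()}
    if any("ransom_note" in reasons for reasons in classified.values()):
        return True
    suspicious = sum(1 for reasons in classified.values() if reasons)
    return suspicious / len(files) >= ratio


# Constructed directory listing. The "encrypted" blobs are pseudo-random bytes from
# a seeded generator (so the example is deterministic), not real ciphertext, and the
# note body is a placeholder, not the actual ransom note text.
_rng = random.Random(7)


def _random_blob(size: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(size))


SAMPLE_FILES = {
    "report.docx.redeem": _random_blob(4096),
    "budget.xlsx.redeem": _random_blob(4096),
    "notes.txt": b"Meeting notes: review the quarterly numbers and the vendor contract.\n" * 40,
    "Read Me.TXT": b"Redeemer Ransomware - Your Data Is Encrypted\n",
}


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:22} entropy={shannon_entropy(data):.2f} {classify_file(name, data)}")
    print("directory looks encrypted:", directory_verdict(SAMPLE_FILES))
```

Entropy alone is not a ransomware signal: compressed archives, media and already-encrypted containers score just as high, which is why the verdict also weighs the extension, the note and the proportion of affected files rather than any single file. On a live host the same scoring applied to files modified in the last few minutes is a reasonable trigger for isolating the machine before the 35 encryption threads finish their pass.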

Ransom Collection

  • When an encrypted file is opened by the user/victim, the following message is displayed.
Screenshot of the message displayed upon opening an encrypted file
  • The Read Me.TXT file containing the ransom note is shown in the image below.
Screenshot of the ransom note (Read Me.TXT)
  • To decrypt their files, the victims are asked to pay the demanded ransom amount in Monero.
  • Once the ransom payment is verified, the victim receives a decryption tool and a key which allows them to restore their files.


List of Executables & Services Terminated by the Ransomware

Executables to be terminated
1cv4.exe infopath.exe ocautoupds.exe steam.exe
1cv5.exe isqlplussvc.exe ocomm.exe synctime.exe
1cv6.exe mbamtray.exe Ocssd.exe tbirdconfig.exe
1cv7.exe mongod.exe onenote.exe thebat.exe
1cv8.exe msaccess.exe oracle.exe thebat64.exe
agntsvc.exe msftesql.exe outlook.exe thunderbird.exe
cntaosmgr.exe mspub.exe pccntmon.exe tmlisten.exe
code.exe mydesktopqos.exe postgres.exe visio.exe
dbeng50.exe mydesktopservice.exe powerpnt.exe winword.exe
dbsnmp.exe mysqld-nt.exe sqbcoreservice.exe wordpad.exe
devenv.exe mysqld-opt.exe sqlagent.exe xfssvccon.exe
encsvc.exe mysqld.exe sqlbrowser.exe zoolz.exe
excel.exe notepad++.exe sqlservr.exe
firefoxconfig.exe ntrtscan.exe sqlwriter.exe

Services to be Terminated
ARSM EPSecurityService MBEndpointAgent MSSQL$TPS MSSQLSERVER
AcrSch25vc EPUpdateService MSExchangesES MSSQL$TPSAMA MSSQLServerADHelper
AcronisAgent ESHASRV MSExchangeIS MSSQLSVEEA MSSQLServerADHelper100
AcronisVSSProvider EhttpSrv MsExchangeMGMT MSQL2008R2 MSSQLServerOLAPService
Antivirus EnterpriseClientService MSExchangeMTA MSQL2012 McAfeeEngineService
Backup ExecAgentAccelerator EraserSvc11710 MSExchangeSA MSSQLFDLauncher McAfeeFramework
Backup ExecAgentBrowser EsgShkernel MSExchangeSRS MSSQLFDLauncher$PROFXENGAGEMENT McShield
Backup ExecDeviceMediaService FA_Scheduler MSOLAPSSSQL_2008 MSSQLFDLauncher$SBSMONITORING McTaskManager
BackupExecJobEngine IISAdmin MSOLAPSSYSTEM_BGC MSSQLFDLauncher$SHAREPOINT MsDtsServer
BackupExecManagementService IMAP4Svc MSOLAP$TPS MSSQLFDLauncher$SQL_2008 MsDtsServer100
BackupExecRPCService KAVES MSOLAP$TPSAMA MSSQLFDLauncher$SYSTEM_BGC MsDtsServer110
BackupExecVSSProvider KAVFSGT MSSQL$BKUPEXEC MSSQLFDLauncher$TPS MySQL57
DCAgent MBAMService MSSQL$BKUPEXEC MSSQLFDLauncher$TPSAMA MySQL80
NetMsmgActivator SMTPSVC SQLAgent$SQLEXPRESS SQLWriter SophosHealthService
OracleClientCache80 SNAC SQLAgent$SQL_2008 SQLsafeBackupService SophosMCSAgent
PDVFSService SQLAgent$BKUPEXEC SQLAgent$SYSTEM_BGC SQLsafeFilterService SophosMCsClient
POP3Svc SQLAgent$CITRIX_METAFRAME SQLAgent$TPS SamSs SophosMessageRouter
RESVC SQLAgent$CXDB SQLAgent$TPSAMA SepMasterService SophosSafestoreService
ReportServer R SQLAgent$ECWDB2 SQLAgent$VEEAMSQL2008R2 ShMonitorSmcService SophosSystemProtectionService
ReportServer$SQL_2008 SQLAgentSPRACTTICEBGC SQLAgent$VEEAMSQL2012 Smcinst SophosWebControlService
ReportServer$SYSTEM_BGC SQLAgentSPRACTTICEMGT SQLBackups SntpService SstpSvc
ReportServer$TPS SQLAgent$PROD SQLBrowser SophosAgent SymantecSystemRecovery
ReportServer$TPSAMA SQLAgent$PROFXENGAGEMENT SOLSERVERAGENT SophosAutoUpdateService TmCCSF
SAVAdminService SQLAgent$SBSMONITORING SQLSafeOLRService SophosCleanService TrueKey
SAVService SQLAgentSSHAREPOINT SQLTELEMETRY SophosDeviceControlService TrueKeyScheduler
SDRSVC SQLAgent$SOPHOS SQLTELEMETRY$ECWDB2 SophosFileScannerService TrueKeyServiceHelper
[email protected] VeeamMountsvc ekrn mozyprobackup swi_update
VeeamBackupCatalogDataService VeeamNFSSvc kayfsslp msftesql$PROD swi_update_64
VeeamBackupSvcVeeamBrokerSvc VeeamRESTSvc klnagent ntrtscan tmlisten
VeeamCatalogSvcVeeamCloudSvc VeeamTransportSvc macmnsvc sacsvr wbengine
VeeamDeploySvc W3Svc masvc sophossps
VeeamDeploymentService WRSVC mfefire svcGenericHost
VeeamEnterpriseManagerSvc Zoolz2Service mfemms swi_filter
VeeamHvIntegrationsvc bedbg mfevtp swi_service

Indicators of Compromise (IoCs)

Executable Hashes (SHA-256)
  • DD11587CAEC6E3C2AFB13329D326FB4E41AA6236702F498ACFCB3401A596075E
  • 66A812F307E8EF9BAA0DADA6CB30179D279D94CC971C1521DD188B2D8FA3FE98

Appendix

Image of the Redeemer version changelog shared by the actor
Screenshot of the ransom note displayed on startup
Screenshot of the Redeemer ransomware builder v1.7
Screenshot of the Redeemer ransomware builder v2.0