It has been reported that researchers have linked the relatively new Ransom Cartel ransomware operation with the notorious REvil gang based on code similarities in both operations’ encryptors.
The REvil ransomware gang finally shut down in October 2021 following intense pressure from law enforcement. However, in January 2022, the Russian authorities announced arrests, money seizures, and charges against eight of the gang’s members.
Direct attribution is always difficult with cyber criminals. I think we are looking at either members of REvil who focused on the encryption/decryption side who have joined (or started Ransom Cartel) or we are looking at a ‘liberation’ of part of the source code from REvil.
The similarities in encryption between the two lead you to that conclusion.
It doesn’t seem to be a rebranding of REvil, as there are some useful techniques missing from the Ransom Cartel playbook – especially around how the ransomware obfuscates itself – but some new features to retrieve credentials.
Looks like there is a new band in town, but we might have met some of the members before.