- Author: Mehardeep Singh Sawhney
- Editor: Benila Susan Jacob
Research indicates that a Ransomware attack occurs every 11 seconds roughly translating to an approximate 3 million attacks throughout the year. Ransomware attacks are no longer reserved events. Companies are at a constant threat to their revenue, data, brand, image, and subsequent shutdown of the business.
Redeemer ransomware was initially identified in June 2021, and since then, four public versions (1.0, 1.5, 1.7, and 2.0) have been released. This article contains the technical analysis of the Redeemer ransomware and its various features.
Evolution of the Redeemer Ransomware 2.0
The threat actor, Cerebrate operating on a cybercrime forum named Dread has been actively promoting the Redeemer ransomware. They have recently started operating on the Breached forum and have released its latest version (version 2.0) on the same.
Redeemer has gone through four version changes since September 2021. The latest version includes improved graphical features such as a GUI builder interface, an icon change for encrypted files, a detailed instructions list, etc. The threat actor also claims to have added support for Windows 11 along with few cryptographic changes to the latest version. The image below describes the features added with each version release of the Redeemer ransomware.
Modus Operandi
 |
Using the builder executable, the attacker creates a ransomware executable. |
|---|---|
 |
The attacker specifies an RSA private key file, email address for contact, XMR amount and the option to disable ‘melt’, if a crypter is being used to encrypt the ransomware. Enabling ‘melt’ will make the ransomware executable delete itself and relocate to a random directory on the system, and execute from there in a hidden state. |
 |
Using the Generate Key Pair option, an RSA private key is generated which is sent to the Malware author (Cerebrate) along with the encrypted public key generated by the ransomware executable. The public key is received from the victim. |
 |
The Malware author (Cerebrate) will share the master key only upon having received 20% of the collected ransom amount. Thus, the victim can only decrypt their files once 20% of the ransom payment has been made by the affiliate attacker. |
Related Read Technical Analysis of Emerging, Sophisticated Pandora Ransomware Group
Details of the Ransomware
- This Ransomware is written in C++ and comes with a builder and decrypter executable.
- It uses the following encryption algorithms:
- AES256 is used to encrypt the files on the victim’s computer
- RSA is used to encrypt the key
- The ransomware clones itself with the name of a system executable file (eg. conhost.exe), and creates a hidden folder for itself in the Windows directory.
- It terminates all the running processes and executables which may pose a threat to the encryption routine.
- It deletes all shadow copies of files and clears all event as well as application logs using wevtutil, vssadmin, and wbadmin.
- It uses multithreading in order to enumerate the filesystem and encrypt files. It creates 35 different threads that point to the same encryption routine.
- It also modifies the Winlogon registry value and sets it to display the ransom note. Thus, when a user logs into the machine, the ransom note is displayed.
Technical Analysis
Ransomware Signature
The signature of this executable shows us that it is written in C++. When conducting the string analysis, multiple Base64 encoded strings were observed, some of which get decoded to the public key used for encryption, and powershell commands. Upon decoding one of these strings, the following translation was obtained: ‘Redeemer Ransomware – Your Data Is Encrypted’.
Stage I – Pre-Encryption Operations
Mutex Creation
Upon execution, Redeemer first hides its console window by using a call to the ShowWindow Windows API. It then creates a Mutex, called the RedeemerMutex, in order to make sure that multiple instances of the ransomware are not running on the same system.
String Encoding
An RSA public key, ransom amount, and contact email ID are then loaded as Base64 values into memory and decoded for further usage. This Ransomware heavily uses Base64 for string encoding purposes.
Stage II – Preparing for Encryption
The second stage of the ransomware is dictated by the transfer of control to a specific logic section that is controlled by the argument count value. This is done by moving itself under a different name to a world writable directory as shown in the image below.
A new instance is spawned that does the encryption. The name of the newly spawned process will be randomly chosen from the list shown in the image above. The entire process breakdown is covered in the following section:
- The ransomware randomly chooses the directory and executable names by using the logic shown below. It also sets the directory attributes to hidden using the SetFileAttributes Windows API. In this case, the directory selected is C:\Windows\SQL and the executable name is taskmgr.exe.
- Now, the ransomware executes its copy using the
ShellExecuteWWindows API, while taking the path to the old exe as an argument. This is done in order to delete its old copy and continue running as an imposter system executable, which will commence the encryption.
- The routine for directory enumeration and encryption will begin only after the above argument condition is met. A check is implemented for the same by counting the number of arguments passed to the executable.
- The new executable then runs the Windows Event Utility (wevtutil) commands using CMD in order to clear important event logs. The vssadmin and wbadmin commands are used to delete all shadow copies, backup catalogs, and system-state backups in order to make file recovery impossible.
- The ransomware terminates executables and services (including security applications) which might hinder the encryption operations. The code for this is hardcoded in the program as Base64 strings which are decoded using the taskkill and net stop commands. (Refer to the List of Executables & Services Terminated by the Ransomware)
- The ransomware also edits the
Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon</strong> registry key, modifies theLegalNoticeCaptionandLegalNoticeTextvalues, and sets them to the ransom note. Thus, when a user logs in, the ransom note is displayed. - The ransomware also creates an exception list so that it does not encrypt the following:
- System and OS directories
- Redeemer ransomware (i.e itself)
- Ransom note
- Already encrypted files
Encryption
Redeemer is capable of enumerating and encrypting both local files and network-attached drives.
It enumerates local drives using the following GetLogicalDrives Windows APIs:
- For the local files, it uses
SHGetFolderPath - For network assets, it uses
WNetEnumResource.
It executes these operations using a loop with FindFirstFile and FindNextFile.
It should be noted that this ransomware uses multithreading for encryption, which makes it efficient in terms of CPU usage. It creates 35 different threads, each pointing to the encryption routine.
It initializes the ransom note in Base64 and writes the decoded value to a file named Read Me.TXT. The encrypted files are saved with the .redeem extension.
Ransom Collection
- When an encrypted file is clicked by the user/victim, the following message is displayed.
- The ReadMe.TXT file containing the ransom note is displayed in the image below.
- To decrypt their files, the victims are asked to pay the demanded ransom amount in Monero.
- Once the ransom payment is verified, the victim receives a decryption tool and a key which allows them to restore their files.
Read Also Analysis and Attribution of the Eternity Ransomware: Timeline and Emergence of the Eternity Group
List of Executables & Services Terminated by the Ransomware
| Executables to be terminated | |||
|---|---|---|---|
| 1cv4.exe | infopath.exe | ocautoupds.exe | steam.exe |
| 1cv5.exe | isqlplussvc.exe | ocomm.exe | synctime.exe |
| 1cv6.exe | mbamtray.exe | Ocssd.exe | tbirdconfig.exe |
| 1cv7.exe | mongod.exe | onenote.exe | thebat.exe |
| 1cv8.exe | msaccess.exe | oracle.exe | thebat64.exe |
| agntsvc.exe | msftesql.exe | outlook.exe | thunderbird.exe |
| cntaosmgr.exe | mspub.exe | pccntmon.exe | tmlisten.exe |
| code.exe | mydesktopqos.exe | postgres.exe | visio.exe |
| dbeng50.exe | mydesktopservice.exe | powerpnt.exe | winword.exe |
| dbsnmp.exe | mysqld-nt.exe | sqbcoreservice.exe | wordpad.exe |
| devenv.exe | mysqld-opt.exe | sqlagent.exe | xfssvccon.exe |
| encsvc.exe | mysqld.exe | sqlbrowser.exe | zoolz.exe |
| excel.exe | notepad++.exe | sqlservr.exe | |
| firefoxconfig.exe | ntrtscan.exe | sqlwriter.exe | |
| Services to be Terminated | ||||
|---|---|---|---|---|
| ARSM | EPSecurityService | MBEndpointAgent | MSSQL$TPS | MSSQLSERVER |
| AcrSch25vc | EPUpdateService | MSExchangesES | MSSQL$TPSAMA | MSSQLServerADHelper |
| AcronisAgent | ESHASRV | MSExchangeIS | MSSQLSVEEA | MSSQLServerADHelper100 |
| AcronisVSSProvider | EhttpSrv | MsExchangeMGMT | MSQL2008R2 | MSSQLServerOLAPService |
| Antivirus | EnterpriseClientService | MSExchangeMTA | MSQL2012 | McAfeeEngineService |
| Backup ExecAgentAccelerator | EraserSvc11710 | MSExchangeSA | MSSQLFDLauncher | McAfeeFramework |
| Backup ExecAgentBrowser | EsgShkernel | MSExchangeSRS | MSSQLFDLauncher$PROFXENGAGEMENT | McShield |
| Backup ExecDeviceMediaService | FA_Scheduler | MSOLAPSSSQL_2008 | MSSQLFDLauncher$SBSMONITORING | McTaskManager |
| BackupExecJobEngine | IISAdmin | MSOLAPSSYSTEM_BGC | MSSQLFDLauncher$SHAREPOINT | MsDtsServer |
| BackupExecManagementService | IMAP4Svc | MSOLAP$TPS | MSSQLFDLauncher$SQL_2008 | MsDtsServer100 |
| BackupExecRPCService | KAVES | MSOLAP$TPSAMA | MSSQLFDLauncher$SYSTEM_BGC | MsDtsServer110 |
| BackupExecVSSProvider | KAVFSGT | MSSQL$BKUPEXEC | MSSQLFDLauncher$TPS | MySQL57 |
| DCAgent | MBAMService | MSSQL$BKUPEXEC | MSSQLFDLauncher$TPSAMA | MySQL80 |
| NetMsmgActivator | SMTPSVC | SQLAgent$SQLEXPRESS | SQLWriter | SophosHealthService |
| OracleClientCache80 | SNAC | SQLAgent$SQL_2008 | SQLsafeBackupService | SophosMCSAgent |
| PDVFSService | SQLAgent$BKUPEXEC | SQLAgent$SYSTEM_BGC | SQLsafeFilterService | SophosMCsClient |
| POP3Svc | SQLAgent$CITRIX_METAFRAME | SQLAgent$TPS | SamSs | SophosMessageRouter |
| RESVC | SQLAgent$CXDB | SQLAgent$TPSAMA | SepMasterService | SophosSafestoreService |
| ReportServer R | SQLAgent$ECWDB2 | SQLAgent$VEEAMSQL2008R2 | ShMonitorSmcService | SophosSystemProtectionService |
| ReportServer$SQL_2008 | SQLAgentSPRACTTICEBGC | SQLAgent$VEEAMSQL2012 | Smcinst | SophosWebControlService |
| ReportServer$SYSTEM_BGC | SQLAgentSPRACTTICEMGT | SQLBackups | SntpService | SstpSvc |
| ReportServer$TPS | SQLAgent$PROD | SQLBrowser | SophosAgent | SymantecSystemRecovery |
| ReportServer$TPSAMA | SQLAgent$PROFXENGAGEMENT | SOLSERVERAGENT | SophosAutoUpdateService | TmCCSF |
| SAVAdminService | SQLAgent$SBSMONITORING | SQLSafeOLRService | SophosCleanService | TrueKey |
| SAVService | SQLAgentSSHAREPOINT | SQLTELEMETRY | SophosDeviceControlService | TrueKeyScheduler |
| SDRSVC | SQLAgent$SOPHOS | SQLTELEMETRY$ECWDB2 | SophosFileScannerService | TrueKeyServiceHelper |
| [email protected] | VeeamMountsvc | ekrn | mozyprobackup | swi_update |
| VeeamBackupCatalogDataService | VeeamNFSSvc | kayfsslp | msftesql$PROD | swi_update_64 |
| VeeamBackupSvcVeeamBrokerSvc | VeeamRESTSvc | klnagent | ntrtscan | tmlisten |
| VeeamCatalogSvcVeeamCloudSvc | VeeamTransportSvc | macmnsvc | sacsvr | wbengine |
| VeeamDeploySvc | W3Svc | masvc | sophossps | |
| VeeamDeploymentService | WRSVC | mfefire | svcGenericHost | |
| VeeamEnterpriseManagerSvc | Zoolz2Service | mfemms | swi_filter | |
| VeeamHvIntegrationsvc | bedbg | mfevtp | swi_service | |
Indicators of Compromise (IoCs)
| Executable | |
|---|---|
| DD11587CAEC6E3C2AFB13329D326FB4E41AA6236702F498ACFCB3401A596075E | |
| Hashes | |
| 66A812F307E8EF9BAA0DADA6CB30179D279D94CC971C1521DD188B2D8FA3FE98 |
Appendix
