What Is Redeemer Ransomware and How Does It Spread: A Technical Analysis

Research indicates that a ransomware attack occurs every 11 seconds, roughly translating to approximately 3 million attacks throughout the year. Ransomware attacks are no longer rare events. Companies face a constant threat to their revenue, data, brand and image, and ultimately to the survival of the business.
Redeemer ransomware was initially identified in June 2021, and since then, four public versions (1.0, 1.5, 1.7, and 2.0) have been released. This article contains the technical analysis of the Redeemer ransomware and its various features.
The threat actor Cerebrate, operating on a cybercrime forum named Dread, has been actively promoting the Redeemer ransomware. They have recently started operating on the Breached forum as well and have released the latest version (version 2.0) there.
Redeemer has gone through four version changes since September 2021. The latest version includes improved graphical features such as a GUI builder interface, an icon change for encrypted files, a detailed instructions list, etc. The threat actor also claims to have added support for Windows 11 along with a few cryptographic changes in the latest version. The image below describes the features added with each version release of the Redeemer ransomware.
Using the builder executable, the attacker creates a ransomware executable.
The attacker specifies an RSA private key file, a contact email address, the XMR amount, and the option to disable ‘melt’ if a crypter is being used to encrypt the ransomware. Enabling ‘melt’ makes the ransomware executable delete itself, relocate to a random directory on the system, and execute from there in a hidden state.
Using the Generate Key Pair option, an RSA private key is generated, which is sent to the malware author (Cerebrate) along with the encrypted public key generated by the ransomware executable. The public key is received from the victim.
The malware author (Cerebrate) will share the master key only upon having received 20% of the collected ransom amount. Thus, the victim can only decrypt their files once 20% of the ransom payment has been made by the affiliate attacker.
The signature of this executable shows that it is written in C++. During string analysis, multiple Base64-encoded strings were observed, some of which decode to the public key used for encryption and to PowerShell commands. Decoding one of these strings yielded the text ‘Redeemer Ransomware – Your Data Is Encrypted’.
Upon execution, Redeemer first hides its console window with a call to the ShowWindow Windows API. It then creates a mutex named RedeemerMutex to ensure that multiple instances of the ransomware are not running on the same system.
An RSA public key, ransom amount, and contact email ID are then loaded as Base64 values into memory and decoded for further usage. This Ransomware heavily uses Base64 for string encoding purposes.
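To recover those fields from a sample without executing it, the following Python helper (added here; it is not part of CloudSEK's analysis) scans a binary for Base64 runs, decodes the ones that yield printable text, and labels them by the string kinds Redeemer is described as storing. The sample blob, the placeholder key and the contact address are constructed.

```python
import base64
import re

# Runs of Base64 alphabet at least 16 chars long, optionally padded. Very short
# fields (e.g. the XMR amount) fall below this threshold; lowering it raises
# false positives on ordinary ASCII, so tune it per sample.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
_EMAIL = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")


def classify(text: str) -> str:
    """Label decoded text by the string kinds Redeemer keeps in Base64."""
    if "BEGIN PUBLIC KEY" in text or "BEGIN RSA PUBLIC KEY" in text:
        return "rsa-public-key"
    if "Redeemer Ransomware" in text:
        return "ransom-note"
    if text.lstrip().lower().startswith("powershell"):
        return "powershell-command"
    if _EMAIL.match(text.strip()):
        return "contact-email"
    return "other"


def extract_base64_strings(blob: bytes) -> list[tuple[str, str]]:
    """Return (label, decoded_text) for each Base64 run that decodes to text."""
    found = []
    for match in _B64_RUN.finditer(blob):
        try:
            decoded = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # wrong padding, not Base64 at all, or a binary payload
        if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            found.append((classify(decoded), decoded))
    return found


# Constructed sample: Base64 fields separated by NUL bytes inside junk, the way
# string extraction sees them in the binary. The key is a placeholder.
SAMPLE_BLOB = b"\x00".join([
    b"MZ\x90\x00junk",
    base64.b64encode(
        b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----"),
    base64.b64encode("Redeemer Ransomware – Your Data Is Encrypted".encode()),
    base64.b64encode(b"redeem@example.test"),
])

if __name__ == "__main__":
    for label, text in extract_base64_strings(SAMPLE_BLOB):
        print(f"{label:20} {text.splitlines()[0]}")
```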
The second stage of the ransomware is selected by the argument count: control is transferred to a specific logic section depending on the number of arguments. To reach it, the ransomware copies itself under a different name to a world-writable directory, as shown in the image below.
A new instance is then spawned that performs the encryption. The name of the newly spawned process is chosen at random from the list shown in the image above. The entire process breakdown is covered in the following section:
The new instance invokes the ShellExecuteW Windows API with the path to the old exe as an argument. This is done in order to delete its old copy and continue running as an imposter system executable, which then commences the encryption.
It then opens the Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key, modifies the LegalNoticeCaption and LegalNoticeText values, and sets them to the ransom note. Thus, when a user logs in, the ransom note is displayed.
Redeemer is capable of enumerating and encrypting both local files and network-attached drives.
It enumerates local drives and network resources using the following Windows APIs: GetLogicalDrives, SHGetFolderPath and WNetEnumResource. It then walks the resulting directories in a loop using FindFirstFile and FindNextFile.
It should be noted that this ransomware uses multithreading for encryption, which makes it efficient in terms of CPU usage. It creates 35 different threads, each pointing to the encryption routine.
It initializes the ransom note in Base64 and writes the decoded value to a file named Read Me.TXT.
The encrypted files are saved with the .redeem extension.
Executables to be terminated | | | |
---|---|---|---|
1cv4.exe | infopath.exe | ocautoupds.exe | steam.exe |
1cv5.exe | isqlplussvc.exe | ocomm.exe | synctime.exe |
1cv6.exe | mbamtray.exe | Ocssd.exe | tbirdconfig.exe |
1cv7.exe | mongod.exe | onenote.exe | thebat.exe |
1cv8.exe | msaccess.exe | oracle.exe | thebat64.exe |
agntsvc.exe | msftesql.exe | outlook.exe | thunderbird.exe |
cntaosmgr.exe | mspub.exe | pccntmon.exe | tmlisten.exe |
code.exe | mydesktopqos.exe | postgres.exe | visio.exe |
dbeng50.exe | mydesktopservice.exe | powerpnt.exe | winword.exe |
dbsnmp.exe | mysqld-nt.exe | sqbcoreservice.exe | wordpad.exe |
devenv.exe | mysqld-opt.exe | sqlagent.exe | xfssvccon.exe |
encsvc.exe | mysqld.exe | sqlbrowser.exe | zoolz.exe |
excel.exe | notepad++.exe | sqlservr.exe | |
firefoxconfig.exe | ntrtscan.exe | sqlwriter.exe | |
Services to be Terminated | | | | |
---|---|---|---|---|
ARSM | EPSecurityService | MBEndpointAgent | MSSQL$TPS | MSSQLSERVER |
AcrSch25vc | EPUpdateService | MSExchangesES | MSSQL$TPSAMA | MSSQLServerADHelper |
AcronisAgent | ESHASRV | MSExchangeIS | MSSQLSVEEA | MSSQLServerADHelper100 |
AcronisVSSProvider | EhttpSrv | MsExchangeMGMT | MSQL2008R2 | MSSQLServerOLAPService |
Antivirus | EnterpriseClientService | MSExchangeMTA | MSQL2012 | McAfeeEngineService |
Backup ExecAgentAccelerator | EraserSvc11710 | MSExchangeSA | MSSQLFDLauncher | McAfeeFramework |
Backup ExecAgentBrowser | EsgShkernel | MSExchangeSRS | MSSQLFDLauncher$PROFXENGAGEMENT | McShield |
Backup ExecDeviceMediaService | FA_Scheduler | MSOLAPSSSQL_2008 | MSSQLFDLauncher$SBSMONITORING | McTaskManager |
BackupExecJobEngine | IISAdmin | MSOLAPSSYSTEM_BGC | MSSQLFDLauncher$SHAREPOINT | MsDtsServer |
BackupExecManagementService | IMAP4Svc | MSOLAP$TPS | MSSQLFDLauncher$SQL_2008 | MsDtsServer100 |
BackupExecRPCService | KAVES | MSOLAP$TPSAMA | MSSQLFDLauncher$SYSTEM_BGC | MsDtsServer110 |
BackupExecVSSProvider | KAVFSGT | MSSQL$BKUPEXEC | MSSQLFDLauncher$TPS | MySQL57 |
DCAgent | MBAMService | MSSQL$BKUPEXEC | MSSQLFDLauncher$TPSAMA | MySQL80 |
NetMsmgActivator | SMTPSVC | SQLAgent$SQLEXPRESS | SQLWriter | SophosHealthService |
OracleClientCache80 | SNAC | SQLAgent$SQL_2008 | SQLsafeBackupService | SophosMCSAgent |
PDVFSService | SQLAgent$BKUPEXEC | SQLAgent$SYSTEM_BGC | SQLsafeFilterService | SophosMCsClient |
POP3Svc | SQLAgent$CITRIX_METAFRAME | SQLAgent$TPS | SamSs | SophosMessageRouter |
RESVC | SQLAgent$CXDB | SQLAgent$TPSAMA | SepMasterService | SophosSafestoreService |
ReportServer R | SQLAgent$ECWDB2 | SQLAgent$VEEAMSQL2008R2 | ShMonitorSmcService | SophosSystemProtectionService |
ReportServer$SQL_2008 | SQLAgentSPRACTTICEBGC | SQLAgent$VEEAMSQL2012 | Smcinst | SophosWebControlService |
ReportServer$SYSTEM_BGC | SQLAgentSPRACTTICEMGT | SQLBackups | SntpService | SstpSvc |
ReportServer$TPS | SQLAgent$PROD | SQLBrowser | SophosAgent | SymantecSystemRecovery |
ReportServer$TPSAMA | SQLAgent$PROFXENGAGEMENT | SOLSERVERAGENT | SophosAutoUpdateService | TmCCSF |
SAVAdminService | SQLAgent$SBSMONITORING | SQLSafeOLRService | SophosCleanService | TrueKey |
SAVService | SQLAgentSSHAREPOINT | SQLTELEMETRY | SophosDeviceControlService | TrueKeyScheduler |
SDRSVC | SQLAgent$SOPHOS | SQLTELEMETRY$ECWDB2 | SophosFileScannerService | TrueKeyServiceHelper |
UI@Detect | VeeamMountsvc | ekrn | mozyprobackup | swi_update |
VeeamBackupCatalogDataService | VeeamNFSSvc | kayfsslp | msftesql$PROD | swi_update_64 |
VeeamBackupSvcVeeamBrokerSvc | VeeamRESTSvc | klnagent | ntrtscan | tmlisten |
VeeamCatalogSvcVeeamCloudSvc | VeeamTransportSvc | macmnsvc | sacsvr | wbengine |
VeeamDeploySvc | W3Svc | masvc | sophossps | |
VeeamDeploymentService | WRSVC | mfefire | svcGenericHost | |
VeeamEnterpriseManagerSvc | Zoolz2Service | mfemms | swi_filter | |
VeeamHvIntegrationsvc | bedbg | mfevtp | swi_service | |
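One detection the kill list suggests, as an added example that is not part of the original analysis: a burst of stop events for services on this list within a short window is a strong ransomware signal. The parser below assumes a constructed text export of Windows System log event 7036 (Service Control Manager); the service names come from the table above.

```python
import re
from datetime import datetime, timedelta

# Subset of the services from the Redeemer kill list above; load the full
# table for production use.
REDEEMER_KILL_LIST = {
    "MSSQLSERVER", "SQLWriter", "SQLBrowser", "VeeamTransportSvc", "VeeamNFSSvc",
    "AcronisAgent", "BackupExecJobEngine", "McShield", "SophosAgent", "wbengine",
    "MBAMService", "ekrn", "SamSs", "EPSecurityService", "klnagent",
}

# Event 7036 message text; the timestamp/EventID prefix is the constructed
# export format used by the sample below.
_STOP_LINE = re.compile(
    r"^(?P<ts>\S+) EventID=7036 The (?P<svc>.+?) service entered the stopped state\.$"
)

def parse_stops(lines):
    """Return (timestamp, service) for every 7036 'stopped' line that parses."""
    stops = []
    for line in lines:
        m = _STOP_LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            stops.append((ts, m.group("svc")))
    return stops

def detect_kill_burst(lines, window=timedelta(seconds=60), threshold=3):
    """Return the kill-list services stopped in the first window holding at
    least `threshold` of them, or an empty set. Maintenance can stop a few SQL
    services together, so tune threshold/window and corroborate with the
    RedeemerMutex, Read Me.TXT or .redeem artifacts before acting."""
    stops = sorted(s for s in parse_stops(lines) if s[1] in REDEEMER_KILL_LIST)
    for i, (start, _) in enumerate(stops):
        hit = {svc for ts, svc in stops[i:] if ts - start <= window}
        if len(hit) >= threshold:
            return hit
    return set()

# Constructed sample System log export: one ransomware-style burst at 10:15.
SAMPLE_LOG = """\
2022-07-12T09:00:05Z EventID=7036 The wuauserv service entered the stopped state.
2022-07-12T09:42:10Z EventID=7036 The SQLBrowser service entered the stopped state.
2022-07-12T10:15:01Z EventID=7036 The MSSQLSERVER service entered the stopped state.
2022-07-12T10:15:03Z EventID=7036 The SQLWriter service entered the stopped state.
2022-07-12T10:15:04Z EventID=7036 The Spooler service entered the running state.
2022-07-12T10:15:09Z EventID=7036 The VeeamTransportSvc service entered the stopped state.
2022-07-12T10:15:20Z EventID=7036 The McShield service entered the stopped state.
2022-07-12T14:30:00Z EventID=7036 The SamSs service entered the stopped state.
""".splitlines()

# Same services stopped hours apart: no burst, no alert.
BENIGN_LOG = [
    f"2022-07-12T{h:02d}:00:00Z EventID=7036 The {svc} service entered the stopped state."
    for h, svc in [(9, "MSSQLSERVER"), (11, "SQLWriter"), (13, "VeeamTransportSvc")]
]
```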
Executable hashes (SHA256) |
---|
DD11587CAEC6E3C2AFB13329D326FB4E41AA6236702F498ACFCB3401A596075E |
66A812F307E8EF9BAA0DADA6CB30179D279D94CC971C1521DD188B2D8FA3FE98 |