A threat actor is promoting a new version of their free-to-use ‘Redeemer’ ransomware builder on hacker forums, offering unskilled threat actors an easy entry to the world of encryption-backed extortion attacks.
According to its author, the new version 2.0 release was written entirely in C++ and works on Windows Vista, 7, 8, 10, and 11, featuring multi-threaded performance and a medium AV detection rate.
Unlike many Ransomware-as-a-Service (RaaS) operations, anyone can download and use the Redeemer ransomware builder to launch their own attacks. However, when a victim decides to pay the ransom, the author receives 20% of the fees and shares the master key to be combined with the private build key held by the affiliate for decryption.
Also, the new version features a new graphical user interface for the affiliate to build the ransomware executable and decryption tool, while all instructions on how to use it are enclosed in the ZIP.
The author says the project will go open-source if they lose interest, which is precisely what happened with Redeemer 1.0 back in June 2021, when the threat actor publicly released its source code.
Redeemer 2.0 details
The new ransomware builder version features several additions like support for Windows 11, GUI tools, and more communication options such as XMPP and Tox Chat.
Moreover, there’s now a campaign ID tracking system, adding the data into the executable, allowing threat actors to track various campaigns they may be conducting.
Because the ransom amount is set during the building of the executable and corresponds to a specific ID, the affiliate cannot make arbitrary claims to the author, so the latter’s 20% cut is guaranteed.
The author has created a page on the dark web site Dread for the affiliates to acquire the kit, establish communication, access instructions, and receive support.
Researchers at Cyble, who have analyzed the new version, report that the ransomware creates a mutex upon launch to avoid multiple running instances on the victim’s system and abuses Windows APIs to execute itself with admin privileges.
Before encryption, the malware abuses Windows commands to clear the event logs and delete shadow copies and any system state backups, preventing easy/free restoration.
Next, the processes shown below are terminated to prevent jeopardizing the encryption process and to free up all target files and data to make them encryptable.
After that, the ransomware drops a custom icon for Windows to use for the encrypted files extension (redeem), generates the ransom notes, and enumerates all files and directories.
Bleeping Computer tested the ransomware independently and found that it didn’t delete all files after encrypting them, so its operation appears unreliable now.
When attempting to open one of the encrypted copies, the victim receives a message that points them to open the ransom note for instructions on what to do.
The ransomware also adds a ransom note in the Winlogon registry key to warn the user about what has happened upon system restart.
Should you be worried?
The problem with projects like Redeemer is that they offer a dramatically lower bar of entry to the ransomware space for many cybercriminals, including low-skilled threat actors.
While these lower-tier hackers usually lack the skills to find initial access points on valuable corporate networks, they can still cause significant damage to many vital but inadequately protected entities, like healthcare and small businesses.
However, the adoption of this new ransomware doesn’t appear very high, but even if the project fails, the promise of releasing the source code creates the gloomy prospect of new projects based on the Redeemer source code.