Redeemer Ransomware Detection: New Version Distributed on Underground Forums
Table of contents:
The Redeemer ransomware builder’s author put a new spin on the malware’s software, distributing its new version on cybercrime forums. Redeemer 2.0 ransomware version is written in C++ and is built to infect Windows OS hosts. The first version of Redeemer was released in the Summer of 2021, followed by its upgraded variant published last month.
Criminal hackers can use Redeemer without charge; however, the threat actor nicknamed Cerebrate, who claims to be the developer behind the project, asks for 20% of ransom, paid in Monero cryptocurrency.
The ransomware author claims this version is harder to detect, coming with an advanced encryption algorithm and new features like an improved user interface and ability to preserve the victim’s system safe from additional damage besides file encryption.
Detect Redeemer Ransomware
The ransomware market is undergoing an era of radical growth, with its cost to businesses worldwide just in the last year reaching a record $20 billion in damages. To fight off encryption-backed extortion attacks with better efficiency and velocity, use vetted Sigma-based rules available on the SOC Prime’s Threat Detection platform. The newest rule to detect Redeemer Ransomware v. 2.0 behaviors by using process_creation logs is provided by the Threat Bounty Program member Emir Erdogan:
Redeemer Ransomware Detection (via process_creation)
To ensure that no stone is left unturned in the search for possible security breaches, utilize another relevant rule, released by our top-tier developer Osman Demir:
Suspicious Redeemer Ransomware Activity by Adding of Registry Entry (via registry_event)
Both rules are aligned with the MITRE ATT&CK® framework v.10. Security practitioners can easily switch between multiple SIEM, EDR, and XDR formats to get the rule source code applicable to 25+ security solutions.
The Detect & Hunt button will take you to a vast repository of detection algorithms associated with ransomware attacks. SOC Prime’s library is constantly updated with new content, empowered by the collaborative cyber defense approach and enabled by Follow the Sun (FTS) model to ensure timely delivery of detections for critical threats as a response to the massive boom in the number of ransomware occurrences. Click the Explore Threat Context button to access Sigma rules related to Redeemer ransomware using SOC Prime’s search engine – your one stop shop for Threat Hunting, Threat Detection, and all relevant context.
Detect & Hunt Explore Threat Context
Redeemer Ransomware Analysis
The latest variant of the Redeemer ransomware was released in July 2022, surfacing on underground forums. The strain is marketed to appeal predominantly to entry-level threat actors while offering enhanced obfuscation capabilities.
Cyble security experts reported that the new variant introduces a number of the following features, such as support for Windows 11, an affiliate toolkit with GUI, XMPP Chat/Tox Chat/up to two emails, etc.
The Redeemer creator controls each affiliate’s income data by assigning trackable IDs. Before encryption, the ransomware variant leverages Windows commands to wipe out the event logs and backup copies, making the victim’s chances of getting their data restored slim to none.
The Cerebrate’s promotion message states the promise to release the Redeemer source code in case the author “loses interest” in running the project.
Ransomware infections are rife across industries, causing serious disruptions to operations and significant monetary and reputational damages. Join SOC Prime to leverage the benefits of collaborative cyber defense and stay in the know about the latest cyber threat intelligence findings and industry-leading solutions.