# What Is Redeemer Ransomware and How Does It Spread: A Technical Analysis

[cloudsek.com/what-is-redeemer-ransomware-and-how-does-it-spread-a-technical-analysis/](https://cloudsek.com/what-is-redeemer-ransomware-and-how-does-it-spread-a-technical-analysis/)

Mehardeep Singh Sawhney, September 2, 2022

**Author:** Mehardeep Singh Sawhney
**Editor:** Benila Susan Jacob

Research indicates that a ransomware attack occurs roughly every 11 seconds, which translates to approximately 3 million attacks per year. Ransomware attacks are no longer rare events. Companies face a constant threat to their revenue, data, brand and image, and ultimately to the survival of the business.

**Redeemer ransomware was initially identified in June 2021, and since then, four public versions (1.0, 1.5, 1.7, and 2.0) have been released.** This article contains the technical analysis of the Redeemer ransomware and its various features.

## Evolution of the Redeemer Ransomware 2.0

The threat actor Cerebrate, operating on a cybercrime forum named Dread, has been actively promoting the Redeemer ransomware. They have recently started operating on the Breached forum and have released the latest version (version 2.0) there.

Redeemer has gone through four version changes since September 2021. The latest version includes improved graphical features such as a GUI builder interface, an icon change for encrypted files, a detailed instructions list, etc. The threat actor also claims to have added support for Windows 11 along with a few cryptographic changes in the latest version. The image below describes the features added with each version release of the Redeemer ransomware.

## Modus Operandi

Using the builder executable, the attacker creates a ransomware executable. The attacker specifies an RSA private key file, an email address for contact, an XMR amount, and the option to disable 'melt' if a crypter is being used to encrypt the ransomware.
Enabling 'melt' makes the ransomware executable delete itself, relocate to a random directory on the system, and execute from there in a hidden state.

Using the Generate Key Pair option, an RSA private key is generated and sent to the malware author (Cerebrate), along with the encrypted public key generated by the ransomware executable. The public key is received from the victim.

The malware author (Cerebrate) will share the master key only after receiving 20% of the collected ransom amount. Thus, the victim can only decrypt their files once the affiliate attacker has passed on 20% of the ransom payment.

## Details of the Ransomware

This ransomware is written in C++ and comes with a builder and a decrypter executable. It uses the following encryption algorithms:

- AES-256 is used to encrypt the files on the victim's computer
- RSA is used to encrypt the file-encryption key

The ransomware clones itself with the name of a system executable file (e.g. conhost.exe) and creates a hidden folder for itself in the Windows directory. It terminates all running processes and executables which may pose a threat to the encryption routine. It deletes all shadow copies of files and clears all event and application logs using wevtutil, vssadmin, and wbadmin. It uses multithreading to enumerate the filesystem and encrypt files: it creates 35 different threads that point to the same encryption routine. It also modifies the Winlogon registry value so that the ransom note is displayed when a user logs into the machine.

## Technical Analysis

### Ransomware Signature

The signature of this executable shows that it is written in C++.
When conducting string analysis, multiple Base64-encoded strings were observed, some of which decode to the public key used for encryption and to PowerShell commands. Upon decoding one of these strings, the following text was obtained: 'Redeemer Ransomware – Your Data Is Encrypted'.

*Figure: Signature of the executable file indicating that it is written in C++*

*Figure: An encoded ransomware string*

### Stage I – Pre-Encryption Operations

**Mutex Creation**

Upon execution, Redeemer first hides its console window by calling the `ShowWindow` Windows API. It then creates a mutex called RedeemerMutex, in order to make sure that multiple instances of the ransomware are not running on the same system.

*Figure: Code for hiding the process window and creation of the mutex*

**String Encoding**

An RSA public key, ransom amount, and contact email ID are then loaded into memory as Base64 values and decoded for further use. This ransomware relies heavily on Base64 for string encoding.

*Figure: Code for loading and decoding Base64 values, and storing them for later use*

### Stage II – Preparing for Encryption

The second stage of the ransomware is dictated by the transfer of control to a specific logic section that is selected by the argument count value. To get there, the ransomware moves itself under a different name to a world-writable directory, as shown in the image below.

*Figure: The list of random executable and directory names*

A new instance is spawned that does the encryption. The name of the newly spawned process is randomly chosen from the list shown in the image above. The entire process breakdown is covered in the following section.

The ransomware randomly chooses the directory and executable names using the logic shown below. It also sets the directory attributes to hidden using the `SetFileAttributes` Windows API. In this case, the directory selected is C:\Windows\SQL and the executable name is taskmgr.exe.
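To triage the Base64 string encoding described under String Encoding above, here is an added Python example (not code from the original article) that scans a byte buffer for Base64 runs, decodes them and classifies the result as a PEM public key, a PowerShell command, or readable text such as the ransom title. The sample buffer and its encoded strings are constructed for this example.

```python
import base64
import binascii
import re

# Constructed stand-in for a strings dump of a sample; the Base64 blobs are built
# here for the example and are not values taken from the analysed binary.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03...garbage..."
    + base64.b64encode("Redeemer Ransomware – Your Data Is Encrypted".encode("utf-8"))
    + b"\x00\x00"
    + base64.b64encode(b"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkq...\n-----END PUBLIC KEY-----")
    + b"\x00"
    + base64.b64encode(b"powershell.exe -Command Get-Date")
    + b"\x00AAAA\x00"  # too short to be treated as an encoded string
)

# A Base64 run: at least 16 alphabet characters followed by optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def classify(decoded: bytes) -> str:
    """Label a decoded blob; 'binary' means it is not worth reporting."""
    text = decoded.decode("utf-8", errors="replace")
    if "BEGIN PUBLIC KEY" in text or "BEGIN RSA PUBLIC KEY" in text:
        return "rsa-public-key"
    if "powershell" in text.lower():
        return "powershell-command"
    printable = sum(ch.isprintable() for ch in text) / max(len(text), 1)
    return "text" if printable > 0.9 else "binary"


def find_base64_strings(blob: bytes):
    """Return (encoded, decoded, kind) for every Base64 run that decodes to something readable."""
    findings = []
    for match in B64_RUN.finditer(blob):
        token = match.group(0)
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # alphabet characters that do not form valid Base64
        kind = classify(decoded)
        if kind != "binary":
            findings.append((token.decode("ascii"), decoded.decode("utf-8", errors="replace"), kind))
    return findings


if __name__ == "__main__":
    for encoded, decoded, kind in find_base64_strings(SAMPLE_BLOB):
        print(f"[{kind}] {encoded[:24]}... -> {decoded!r}")
```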
*Figure: Logic for determining the file and folder name combination*

Now, the ransomware executes its copy using the `ShellExecuteW` Windows API, passing the path of the old executable as an argument. This is done in order to delete its old copy and continue running as an impostor system executable, which then commences the encryption.

*Figure: Executing the new executable while accepting the old one as an argument*

The routine for directory enumeration and encryption begins only after the above argument condition is met. The check is implemented by counting the number of arguments passed to the executable.

*Figure: Code for checking the arguments and deleting the original executable if the criteria are met*

The new executable then runs Windows Event Utility (wevtutil) commands via CMD in order to clear important event logs. The vssadmin and wbadmin commands are used to delete all shadow copies, backup catalogs, and system-state backups in order to make file recovery impossible.

*Figure: Commands executed to clear event logs and delete shadow copies*

The ransomware terminates executables and services (including security applications) which might hinder the encryption operations. The list is hardcoded in the program as Base64 strings, which are decoded and passed to the taskkill and net stop commands. (Refer to the List of Executables & Services Terminated by the Ransomware below.)

*Figure: Commands used to terminate executables and services which might hinder encryption*

The ransomware also edits the `Software\Microsoft\Windows NT\CurrentVersion\Winlogon` registry key: it modifies the `LegalNoticeCaption` and `LegalNoticeText` values and sets them to the ransom note. Thus, when a user logs in, the ransom note is displayed.
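The relocation under a system-executable name, the log and backup tampering, and the Winlogon banner change described in Stage II each leave telemetry a defender can match on. As an added example (not from the original article), here is a Python check over constructed Sysmon-style process-creation and registry-value events; the directories from which the impersonated names legitimately run and the event field names are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Names the article shows Redeemer borrowing (conhost.exe, taskmgr.exe); where they
# legitimately run from is an assumption of this example, not a claim of the article.
IMPERSONATED_NAMES = {"conhost.exe", "taskmgr.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Command lines for the log clearing and backup deletion the article describes.
TAMPER_PATTERNS = {
    "event-log-cleared": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "shadow-copies-deleted": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "backup-catalog-deleted": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I),
}
# Winlogon values Redeemer overwrites with the ransom note.
LEGAL_NOTICE = re.compile(r"\\Winlogon\\LegalNotice(Caption|Text)$", re.I)

def check_process(rec: dict) -> list:
    """Flag a system-executable name launched from an unexpected directory, plus tampering commands."""
    alerts = []
    image = PureWindowsPath(rec["Image"])
    if image.name.lower() in IMPERSONATED_NAMES and str(image.parent).lower() not in LEGIT_DIRS:
        alerts.append(("system-name-from-odd-dir", rec["Image"]))
    for label, pattern in TAMPER_PATTERNS.items():
        if pattern.search(rec.get("CommandLine", "")):
            alerts.append((label, rec["CommandLine"]))
    return alerts

def check_registry(rec: dict) -> list:
    # Any write to LegalNoticeCaption/LegalNoticeText under Winlogon is reported.
    if LEGAL_NOTICE.search(rec["TargetObject"]):
        return [("logon-banner-modified", rec["TargetObject"])]
    return []

def scan(events: list) -> list:
    # Route each event to its check and collect (label, evidence) pairs in order.
    alerts = []
    for rec in events:
        if rec["Event"] == "ProcessCreate":
            alerts.extend(check_process(rec))
        elif rec["Event"] == "RegistryValueSet":
            alerts.extend(check_registry(rec))
    return alerts

# Constructed sample telemetry (Sysmon-style field names); not captured from a real infection.
SAMPLE_EVENTS = [
    {"Event": "ProcessCreate", "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0x4"},
    {"Event": "ProcessCreate", "Image": r"C:\Windows\SQL\taskmgr.exe",
     "CommandLine": r"C:\Windows\SQL\taskmgr.exe C:\Users\victim\Downloads\invoice.exe"},
    {"Event": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c wevtutil cl System"},
    {"Event": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c vssadmin delete shadows /all"},
    {"Event": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c wbadmin delete catalog"},
    {"Event": "RegistryValueSet",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption"},
]
```

Run `scan(SAMPLE_EVENTS)` to get one alert per suspicious event; the benign conhost.exe launch from System32 produces none.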
The ransomware also creates an exception list so that it does not encrypt the following:

- System and OS directories
- The Redeemer ransomware executable itself
- The ransom note
- Already encrypted files

*Figure: Code highlighting the skipped extensions and files*

### Encryption

Redeemer is capable of enumerating and encrypting both local files and network-attached drives.

*Figure: The ransomware encryption loop*

It enumerates locations using the following Windows APIs:

- Local drives: `GetLogicalDrives`
- Local user folders: `SHGetFolderPath`
- Network assets: `WNetEnumResource`

It walks each location in a loop using `FindFirstFile` and `FindNextFile`.

*Figure: Enumeration of local and network files and folders*

It should be noted that this ransomware uses multithreading for encryption, which makes it efficient in terms of CPU usage. It creates 35 different threads, each pointing to the encryption routine.

*Figure: Screenshot of the threads created by Redeemer*

It stores the ransom note as Base64 and writes the decoded value to a file named `Read Me.TXT`. The encrypted files are saved with the `.redeem` extension.

*Figure: Screenshot of encrypted file names*

## Ransom Collection

When an encrypted file is opened by the user/victim, the following message is displayed.

*Figure: Screenshot of the message displayed upon opening an encrypted file*

The Read Me.TXT file containing the ransom note is shown in the image below.

*Figure: Screenshot of the ransom note (Read Me.TXT)*

To decrypt their files, the victims are asked to pay the demanded ransom amount in Monero. Once the ransom payment is verified, the victim receives a decryption tool and a key which allow them to restore their files.
## List of Executables & Services Terminated by the Ransomware

**Executables to be terminated**

- 1cv4.exe
- 1cv5.exe
- 1cv6.exe
- 1cv7.exe
- 1cv8.exe
- agntsvc.exe
- cntaosmgr.exe
- code.exe
- dbeng50.exe
- dbsnmp.exe
- devenv.exe
- encsvc.exe
- excel.exe
- firefoxconfig.exe
- infopath.exe
- isqlplussvc.exe
- mbamtray.exe
- mongod.exe
- msaccess.exe
- msftesql.exe
- mspub.exe
- mydesktopqos.exe
- mydesktopservice.exe
- mysqld-nt.exe
- mysqld-opt.exe
- mysqld.exe
- notepad++.exe
- ntrtscan.exe
- ocautoupds.exe
- ocomm.exe
- Ocssd.exe
- onenote.exe
- oracle.exe
- outlook.exe
- pccntmon.exe
- postgres.exe
- powerpnt.exe
- sqbcoreservice.exe
- sqlagent.exe
- sqlbrowser.exe
- sqlservr.exe
- sqlwriter.exe
- steam.exe
- synctime.exe
- tbirdconfig.exe
- thebat.exe
- thebat64.exe
- thunderbird.exe
- tmlisten.exe
- visio.exe
- winword.exe
- wordpad.exe
- xfssvccon.exe
- zoolz.exe

**Services to be terminated**

- ARSM
- AcrSch25vc
- AcronisAgent
- AcronisVSSProvider
- Antivirus
- Backup ExecAgentAccelerator
- Backup ExecAgentBrowser
- Backup ExecDeviceMediaService
- BackupExecJobEngine
- BackupExecManagementService
- BackupExecRPCService
- BackupExecVSSProvider
- DCAgent
- EPSecurityService
- EPUpdateService
- ESHASRV
- EhttpSrv
- EnterpriseClientService
- EraserSvc11710
- EsgShkernel
- FA_Scheduler
- IISAdmin
- IMAP4Svc
- KAVES
- KAVFSGT
- MBAMService
- MBEndpointAgent
- MSExchangesES
- MSExchangeIS
- MsExchangeMGMT
- MSExchangeMTA
- MSExchangeSA
- MSExchangeSRS
- MSOLAPSSSQL_2008
- MSOLAPSSYSTEM_BGC
- MSOLAP$TPS
- MSOLAP$TPSAMA
- MSSQL$BKUPEXEC
- MSSQL$BKUPEXEC
- MSSQL$TPS
- MSSQL$TPSAMA
- MSSQLSVEEA
- MSQL2008R2
- MSQL2012
- MSSQLFDLauncher
- MSSQLFDLauncher$PROFXE
- MSSQLFDLauncher$SBSMON
- MSSQLFDLauncher$SHAREP
- MSSQLFDLauncher$SQL_20
- MSSQLFDLauncher$SYSTEM
- MSSQLFDLauncher$TPS
- MSSQLFDLauncher$TPSAMA
- NetMsmgActivator
- OracleClientCache80
- PDVFSService
- POP3Svc
- RESVC
- ReportServer R
- ReportServer$SQL_2008
- ReportServer$SYSTEM_BGC
- ReportServer$TPS
- ReportServer$TPSAMA
- SAVAdminService
- SAVService
- SDRSVC
- SMTPSVC
- SNAC
- SQLAgent$BKUPEXEC
- SQLAgent$CITRIX_METAFRAME
- SQLAgent$CXDB
- SQLAgent$ECWDB2
- SQLAgentSPRACTTICEBGC
- SQLAgentSPRACTTICEMGT
- SQLAgent$PROD
- SQLAgent$PROFXENGAGEMENT
- SQLAgent$SBSMONITORING
- SQLAgentSSHAREPOINT
- SQLAgent$SOPHOS
- SQLAgent$SQLEXPRESS
- SQLAgent$SQL_2008
- SQLAgent$SYSTEM_BGC
- SQLAgent$TPS
- SQLAgent$TPSAMA
- SQLAgent$VEEAMSQL2008R2
- SQLAgent$VEEAMSQL2012
- SQLBackups
- SQLBrowser
- SOLSERVERAGENT
- SQLSafeOLRService
- SQLTELEMETRY
- SQLTELEMETRY$ECWDB2
- SQLWriter
- SQLsafeBackupService
- SQLsafeFilterService
- SamSs
- SepMasterService
- ShMonitorSmcService
- Smcinst
- SntpService
- SophosAgent
- SophosAutoUpdateService
- SophosCleanService
- SophosDeviceControlService
- SophosFileScannerService
- [email protected] (name garbled in extraction)
- VeeamBackupCatalogDataService
- VeeamBackupSvcVeeamBrokerSvc
- VeeamCatalogSvcVeeamCloudSvc
- VeeamDeploySvc
- VeeamDeploymentService
- VeeamEnterpriseManagerSvc
- VeeamHvIntegrationsvc
- VeeamMountsvc
- VeeamNFSSvc
- VeeamRESTSvc
- VeeamTransportSvc
- W3Svc
- WRSVC
- Zoolz2Service
- bedbg
- ekrn
- kayfsslp
- klnagent
- macmnsvc
- masvc
- mfefire
- mfemms
- mfevtp
- mozyprobackup
- msftesql$PROD
- ntrtscan
- sacsvr
- sophossps
- svcGenericHost
- swi_filter
- swi_service

## Indicators of Compromise (IoCs)

| Type | SHA-256 hash |
|------|--------------|
| Executable | DD11587CAEC6E3C2AFB13329D326FB4E41AA6236702F498ACFCB3401A596075E |
| Executable | 66A812F307E8EF9BAA0DADA6CB30179D279D94CC971C1521DD188B2D8FA3FE98 |

## Appendix

*Figure: Image of the Redeemer version changelog shared by the actor*

*Figure: Screenshot of the ransom note displayed on startup*

*Figure: Screenshot of the Redeemer ransomware builder v1.7*

*Figure: Screenshot of the Redeemer ransomware builder v2.0*