New Redeemer Ransomware Design Spotted on Hacker Forums
Redeemer Ransomware Creator Demanding Profit Cut
Cyble security researchers have recently identified a new version of Redeemer, a highly viral and easy-to-set-up ransomware variant. Based on the findings, Redeemer 2.0 has exceptional out-of-the-box functionality, added support for Windows 11, a user-friendly GUI, and requires little to no technical expertise on the ‘client’ side.
How Serious Is the Redeemer Ransomware?
The second Redeemer iteration has been written exclusively in C++ in order to increase cross-platform compatibility. In addition, based on the research team’s findings, Redeemer, which has lately become a hot item on various hacking forums, is free to use, download, and deploy and, on top of that, it’s (highly) compatible with Windows 7, Windows 8, Windows 10, and Windows 11. What makes it different from the first version of Redeemer is the marketing part – although Redeemer’s up for grabs, the ‘user’ is contractually obligated to share 20% of his ill-gotten spoils.
The mechanism’s rather interesting – when a person signs up with the ransomware’s builder, he will receive a unique and trackable ID. So, regardless of what ransomware campaigns he sets up, the ransomware creator will always know how the program performed and, most importantly, how much the ‘customer’ made. The researchers explained that, at the core of this dark-side affiliate marketing system, stands a cryptographic scheme that allows the builder (i.e., Redeemer’s creator) to avoid being skimmed by combining a master key with an affiliate-owned private key. In essence, it’s an anti-cheating system made for hackers.
Redeemer Infection Mechanism
More to the question at hand – just how serious is the Redeemer ransomware? Let’s take a closer look at its features. Apart from the cross-compatibility, Redeemer also has considerable obfuscation capabilities (the builder boasted a medium AV detection rate).
Now, once the ransomware hits the victim’s machine, it will create a mutex (a mutual exclusion object) in order to avoid spawning multiple instances. After that, it’s a slippery slope – Redeemer abuses several Windows APIs to obtain higher privileges, deletes shadow copies and backups to prevent the victim from restoring from them, clears the event log, and kills processes.
Among the processes killed by Redeemer are lcv4.exe, code.exe, excel.exe, firefoxconfig.exe, infopath.exe, mbamtray.exe, mysqld.exe, thebat.exe, thunderbird.exe, and winword.exe. Once this phase is complete, the ransomware enumerates the victim’s files and directories and begins the encryption process. The researchers have noted that this ransomware does not delete the files after concluding the encryption cycle.
Like many other ransomware families, Redeemer ‘seals the deal’ by dropping the ransom note, informing the victim about what happened and the steps he needs to take in order to recover the intact data. An interesting aspect of Redeemer 2.0 is its penchant for stating the obvious; for instance, if the user were to click on any of the encrypted files, a pop-up would appear, redirecting him or her to the ransom note. On top of that, the Redeemer ransomware will also tamper with the Windows Registry, allowing it to display the ransom note during the boot cycle.
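The pre-encryption chain described above (shadow copy deletion, event log clearing, the process kill list, and the registry change for the boot-time note) is exactly what a host-based detection would key on. The following Python script is an added example, not code from Cyble, Heimdal, or the Redeemer builder itself: it runs over constructed, simplified Sysmon-style telemetry lines and flags the behaviours above. It assumes the built-in Windows tools (vssadmin/wmic for shadow copies, wevtutil for log clearing) and an autorun Run/RunOnce key for the boot-time note, since the article names none of these; the list of killed process names is taken from the article.

```python
"""Heuristic detection of Redeemer-style pre-encryption behaviour.

Added example; the telemetry below is constructed, not real. Each line is a
simplified Sysmon-like record:

    <ISO timestamp>|<event>|<pid>|<image>|<detail>

event is ProcessCreate (detail = command line), ProcessTerminate
(detail = terminated image name) or RegistrySet (detail = key=value).
"""
import re
from collections import defaultdict
from datetime import datetime

# Process names the article lists as killed by Redeemer before encryption starts.
KILL_LIST = {
    "lcv4.exe", "code.exe", "excel.exe", "firefoxconfig.exe", "infopath.exe",
    "mbamtray.exe", "mysqld.exe", "thebat.exe", "thunderbird.exe", "winword.exe",
}

# Assumption: the article only says shadow copies are deleted and the event log
# cleared; these patterns cover the built-in Windows tools normally used for that.
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
EVENTLOG_CLEAR_RE = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)
# Assumption: the boot-time ransom note is set up through an autorun registry key.
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

KILL_BURST_THRESHOLD = 3   # distinct listed processes terminated ...
KILL_BURST_WINDOW_S = 60   # ... within this many seconds by one pid


def parse_line(line):
    ts, event, pid, image, detail = line.rstrip("\n").split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "pid": int(pid), "image": image, "detail": detail}


def detect(lines):
    """Return {pid: sorted list of indicator names} for every pid that tripped one."""
    findings = defaultdict(set)
    kills = defaultdict(list)  # pid -> [(timestamp, killed image name)]
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        pid = ev["pid"]
        if ev["event"] == "ProcessCreate":
            if SHADOW_DELETE_RE.search(ev["detail"]):
                findings[pid].add("shadow_copy_deletion")
            if EVENTLOG_CLEAR_RE.search(ev["detail"]):
                findings[pid].add("event_log_clear")
        elif ev["event"] == "ProcessTerminate":
            name = ev["detail"].lower()
            if name in KILL_LIST:
                kills[pid].append((ev["ts"], name))
        elif ev["event"] == "RegistrySet":
            if AUTORUN_KEY_RE.search(ev["detail"]):
                findings[pid].add("autorun_registry_write")
    # A single closed Excel is normal; several listed names killed by one pid
    # inside a short window is the article's "kills processes" phase.
    for pid, events in kills.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {n for ts, n in events[i:]
                     if (ts - start).total_seconds() <= KILL_BURST_WINDOW_S}
            if len(names) >= KILL_BURST_THRESHOLD:
                findings[pid].add("kill_burst")
                break
    return {pid: sorted(v) for pid, v in findings.items()}


def score(findings):
    """Crude severity: number of distinct indicators per pid."""
    return {pid: len(v) for pid, v in findings.items()}


# Constructed sample telemetry: pid 4242 shows the whole chain (paths and file
# names are placeholders); pid 9001 is a user closing Excel and opening Notepad.
SAMPLE_LOG = """\
2022-07-20T10:00:01|ProcessCreate|4242|C:\\Users\\victim\\Downloads\\sample.exe|cmd.exe /c vssadmin.exe delete shadows /all /quiet
2022-07-20T10:00:02|ProcessCreate|4242|C:\\Users\\victim\\Downloads\\sample.exe|wevtutil.exe cl System
2022-07-20T10:00:03|ProcessTerminate|4242|C:\\Users\\victim\\Downloads\\sample.exe|excel.exe
2022-07-20T10:00:04|ProcessTerminate|4242|C:\\Users\\victim\\Downloads\\sample.exe|winword.exe
2022-07-20T10:00:05|ProcessTerminate|4242|C:\\Users\\victim\\Downloads\\sample.exe|mysqld.exe
2022-07-20T10:00:06|RegistrySet|4242|C:\\Users\\victim\\Downloads\\sample.exe|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\note=C:\\Users\\victim\\read_me.hta
2022-07-20T10:05:00|ProcessTerminate|9001|C:\\Windows\\explorer.exe|excel.exe
2022-07-20T10:05:30|ProcessCreate|9001|C:\\Windows\\explorer.exe|notepad.exe C:\\Users\\victim\\notes.txt
"""

if __name__ == "__main__":
    result = detect(SAMPLE_LOG.splitlines())
    for pid, indicators in result.items():
        print(f"pid {pid}: score {score(result)[pid]} -> {', '.join(indicators)}")
```

Only pid 4242 is reported, with all four indicators; the lone excel.exe termination by pid 9001 stays below the burst threshold, which is the point of correlating the kill list over a time window rather than alerting on each termination.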
To answer the question: Redeemer is a serious matter; however, it lacks the maturity and traction other ransomware families have in order to create an impact. And there’s also the financial consideration – not many hackers might be happy parting with 20% of their profits.
How to Protect Your Assets against Redeemer
On the defender’s side, no extra precautions are necessary – avoid downloading content from suspicious websites, don’t open email attachments from senders you don’t know, and don’t follow any links that might be enclosed in these emails. On top of that, ensure that your AV’s up to date, and consider deploying a ransomware encryption protection solution.
Heimdal™ has developed a Ransomware Encryption Protection solution that actively seeks malicious encryption attempts and stops them before they encrypt your files.