Redeemer 2.0 being distributed via Affiliate Program
Cyble Research Labs has constantly been tracking emerging threats as well as their delivery mechanisms from Ransomware groups, RATs, etc. During a routine threat-hunting exercise, we came across the latest version of Redeemer ransomware on darkweb cybercrime forums. The below figure shows a post made by the Redeemer Ransomware Developer named “Cerebrate” on a cybercrime forum.

In June 2021, the developer behind Redeemer released the ransomware builder on an underground forum.
As specified by the developer, the ransomware is free to use. However, the TA using the Redeemer ransomware is required to share 20% of the victim’s total ransom amount (collected in Monero).
Earlier this month, the author of Redeemer ransomware released their new version – Redeemer 2.0 – with updated features.
Some of the new features of ransomware mentioned by the developer are:
- New affiliate toolkit with GUI (no dependencies)
- New decrypter with GUI (no dependencies)
- Modified ransom message
- Added the option of using XMPP Chat/Tox Chat/up to two emails for communication
- Added support for Windows 11
- Prevented the damaging of Windows Operating Systems in certain cases
- Added amount and campaign ID to the Redeemer executable and affiliate decryption process so the affiliate can see the requested amount/campaign ID
- Now all encrypted files have a new icon making it clear that they were encrypted
- Lots of small fixes
The available Redeemer package includes the build.dat, decrypter, and the affiliate toolkit, as shown below.

Ransomware Builder: Redeemer
The Redeemer affiliate toolkit’s “build” option allows TAs to generate a private build key for encryption and specify email addresses for further communication.
While building the ransomware binary, the TAs can also mention the campaign ID, the ransom amount (in Monero), etc.
The build file only executes in a Windows operating system and must be run as an administrator to infect the victim’s system.
The below figure shows the options to build the ransomware executable.

To decrypt the victim’s encrypted files, the Redeemer tool will generate the affiliate key by using Redeemer public key sent by the victim and the private build key generated earlier while compiling the ransomware binary, as shown below.

As per the developer’s instructions, after generating the Redeemer affiliate key, the TA/Affiliate can contact the Developer via Dread Forums or Tox chat to receive the Redeemer Master Key by paying the 20% of the ransom amount collected from victims.
Victims can decrypt their encrypted files after paying the ransom amount by using the Decrypter.exe from the package and the Redeemer Master Key from the developer.
The figure below shows the Redeemer ransomware process chain executed with administrator privileges.

Technical details
The sample hash (SHA256), 1178e2b691fd266ccd29867acf134c855241b18b730b766da0ae69c53d4b9776
generated using Redeemer builder was taken for this analysis.
Based on static analysis, we found that the ransomware is a console-based x32 bit executable written in C/C++, as shown below.

Upon execution, the ransomware initially creates a mutex named “RedeemerMutex” to ensure that only one instance of malware is running on the victim’s system.
After that, the malware creates a folder, copies itself into the Windows directory with legitimate file names, such as svchost.exe, calc.exe, etc., and executes itself as a new process by using the ShellExecuteW() API function.
Figure 7 shows the file and folder names used by the ransomware. The ransomware can use any of these names to copy itself into the victim’s machine.

The newly executed Redeemer process launches the Windows Event Utility commands listed below to clear the event logs before the encryption process to ensure no malware traces are left behind.
- C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
- C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
- C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
- C:\Windows\system32\cmd.exe /c wevtutil clear-log System
Additionally, the ransomware deletes the shadow copies, backup catalog, and system state backups by using the following commands:
- C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
- C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
- C:\Windows\system32\cmd.exe /c wbadmin delete systemstatebackup -deleteoldest -quiet
Then, the ransomware adds ransom notes in the registry key value “LegalNoticeCaption” and “LegalNoticeText” under the Winlogon registry key to warn the victim of the ransomware infection during the system restart, as shown below.

Before encrypting the files, the ransomware kills a list of processes if they are actively running on the victim’s machine by using the command “cmd.exe /c taskkill /F /IM “executable name” >nul.”
The below figure shows the list of process names targeted by the ransomware.

Additionally, the ransomware stops the list of actively running services in the system using the command “cmd.exe /c net stop “service name” /y >nul.”
The below figure shows the list of services targeted by the ransomware by service name.

After stopping these services, the ransomware drops a file named “Redeemer.sys” (which is a PNG file) in the %programdata% location.
The ransomware then creates a DefaultIcon subkey for the redeemer extension and points it to the “Redeemer.sys” file that was dropped earlier. This operation changes the icons of the encrypted files.
Additionally, it adds a registry entry for showing an alert when these encrypted files are opened. The below figure shows the registry entries added by the ransomware.

The figure below demonstrates the ransom note dropped by the malware with the name “Read Me.TXT,” instructing victims to pay the ransom in exchange for the decryption tool.

After dropping the ransom note, the ransomware searches files and directories for encryption by enumerating them using the FindFirstFileW() and FindNextFileW() API functions, as shown in Figure 13. The ransomware uses CRYPTOGAMS OpenSSL Library for encrypting these files.

The below table shows the directory names, file names, and file extensions excluded by Redeemer ransomware during its encryption process.
Directory Names | File names | File extensions |
\Windows \system volume information \recovery \perflogs \programdata\microsoft \programdata\packages \programdata\softwaredistribution %ProgramW6432% | Read Me.TXT bootTel.dat desktop.ini bootmgr BOOTNXT BOOTSECT.BAK | .exe .dll .ini .lnk .url .redeem .sys |
Finally, the ransomware encrypts the files on the victim’s machine and appends the “.redeem” extension with the file name. It then proceeds to delete the ransomware file from the system, leaving only the encrypted files and the ransom note on the victim’s machine.
The encrypted files with the Redeemer icon are shown below.

Upon visiting the Onion link mentioned in the ransom note, it opens the Redeemer TA’s page in Dread forums and asks victims to submit a CAPTCHA to view TAs’ contact details.
The below figure shows the CAPTCHA page.

After entering the CAPTCHA, the victims are redirected to a page where they can see the TAs’ contact details, decryption fee payment information, Affiliate instructions, etc., as shown below.

Conclusion
Cyble Research Labs has observed a significant increase in cybercrime through Telegram channels and cybercrime forums where TAs sell their products without being subject to any regulation or oversight.
We have observed a similar rise in ransomware affiliate programs, where the ransomware developers are increasingly selling/leasing their ransomware to affiliates for a portion of any ransom amount collected.
We have encountered the Redeemer ransomware builder being distributed on one such underground cybercrime forum free of cost.
Cyble Research Labs will continue to monitor the Redeemer ransomware’s products and update our readers with any pertinent information.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Ransomware Attack
- Detach infected devices on the same network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impacts And Cruciality of Redeemer 2.0 Ransomware
- Loss of Valuable data.
- Loss of the organization’s reputation and integrity.
- Loss of the organization’s sensitive business information.
- Disruption in organization operation.
- Financial loss.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Execution | T1204 | User Execution |
Discovery | T1012 T1082 T1083 | Query Registry System Information Discovery File and Directory Discovery |
Defense Evasion | T1027 T1070 | Obfuscated Files or Information Indicator Removal on Host |
Impact | T1486 T1489 T1490 | Data Encrypted for Impact ​ Service Stop Inhibit System Recovery |
Persistence | T1547 | Boot or Logon AutoStart Execution |
Indicator Of Compromise (IOCs)
Indicators | Indicator Type | Description |
56a13812819c8426941c9bd8b63d3a9f 9aa9290d337d68136030fc8182f7d499951a207e 4368f30798a1caa0a7b30735111e143068678a0547dfd38c050926619869c73a | MD5 SHA1 Sha256 | Affiliate Toolkit.exe |
4b01f0d2de0b557cd13e42a36b78894f b8a0d70e602684067b2dc5565a5f6a786fb298fa bf8f74a05e4a10ab893c73bc95ed16c3b5c6ffe6e257c098b33c04c3a893acb9 | MD5 SHA1 Sha256 | Decrypter.exe |
cd513de769a9c385b218306e7affc131 1a22bc573674186f234dd541b9fccaf938195b33 86bd9cdfdb425266c477544a5cf951fdc56733d46f1a7b44f8188168b5e2fb15 | MD5 SHA1 Sha256 | build.dat |
cd4b9ae02fdddfdb555ee45591deca4f e6f98d1666896c84279db4fb6af5c5e6d815bb75 1178e2b691fd266ccd29867acf134c855241b18b730b766da0ae69c53d4b9776 | MD5 SHA1 Sha256 | Build.exe |
Comments are closed.