A threat actor named “Cerebrate” released the Redeemer ransomware on an underground forum for free and promoted a new version in hacking forums, offering unskilled threat actors an easy entry to the world of encryption-backed extortion attacks.
According to its author, the new version 2.0 release was written entirely in C++ and works on Windows Vista, 7, 8, 10, and 11, featuring multi-threaded performance and a medium AntiVirus detection rate.
During a recent review of underground hacking forums, security researchers came across a threat actor going by the handle “Cerebrate” advertising a piece of ransomware called “Redeemer”. Cerebrate had initially released this ransomware on the underground hacking forum Dread in or around June 2021. Notably, the actor had released the malware free of charge for download.
Anyone can download and use the Redeemer ransomware builder to launch their attacks. However, when a victim decides to pay the ransom, the author receives 20% of the fees and shares the master key to be combined with the private build key held by the affiliate for decryption.
As seen in the builder, the attacker can also specify the amount of the ransom. The developer states that the ransomware is FUD (Fully Undetectable) but does not specify which AntiVirus products it can successfully evade. The developer also recommends that an attacker first gain remote access to the victim in order to disable the anti-virus software. It is also important to note that Redeemer deletes itself after execution, and that it will not execute if it detects another version of Redeemer on the victim machine. Redeemer also deletes system logs to cover the attacker's tracks.
The author says the project will go open-source if they lose interest, which is precisely what happened with Redeemer 1.0 back in June 2021, when the threat actor publicly released its source code.
The operators of this dubious Redeemer ransomware demand that the ransom be paid in Monero because it cannot be traced. They give the victim a limited time to transfer the money and threaten to delete the decryption key if payment is not made within that period. This is an elaborate pressure tactic meant to scare victims into paying the ransom without looking for any other option to recover their data. The makers of Redeemer do not care about the victim's files and might not even reply after receiving the money.
Redeemer appends the “.redeem” extension; for example, it renames a file named “1.jpg” to “1.jpg.redeem”, “2.jpg” to “2.jpg.redeem”, and so on. As its ransom note, Redeemer creates the “Read Me.TXT” text file (it creates its ransom note in every folder containing encrypted files).
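The two file-system indicators above (the “.redeem” extension and the “Read Me.TXT” note placed in every affected folder) are enough for a quick triage sweep of a suspect share or host. The following is an added example written for this page, not code from the article or from the ransomware author: it walks a directory tree, maps each encrypted file back to its original name by stripping the suffix, and flags folders that hold a ransom note but no encrypted files (which either means cleanup already ran or that the note is stray). The sample directory layout and file contents are constructed for the demo.

```python
"""Filesystem triage for the Redeemer artefacts described in the article.

Added example, not code from the article or from the malware author. The
".redeem" suffix and the "Read Me.TXT" note name come from the article; the
directory layout and file contents built below are constructed sample data.
"""
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".redeem"
RANSOM_NOTE_NAME = "Read Me.TXT"


def scan_for_redeemer_artifacts(root):
    """Walk `root` and collect Redeemer indicators.

    Returns a dict with:
      encrypted  - each .redeem path mapped to the original file name
      notes      - every ransom note found
      note_only  - folders holding a note but no encrypted files
    """
    root = Path(root)
    encrypted = {}
    notes = []
    folders_with_encrypted = set()
    folders_with_note = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() == RANSOM_NOTE_NAME.lower():
            notes.append(path)
            folders_with_note.add(path.parent)
        elif path.suffix.lower() == ENCRYPTED_SUFFIX:
            # "1.jpg.redeem" -> original name "1.jpg"
            encrypted[path] = path.name[: -len(ENCRYPTED_SUFFIX)]
            folders_with_encrypted.add(path.parent)
    return {
        "encrypted": encrypted,
        "notes": notes,
        "note_only": sorted(folders_with_note - folders_with_encrypted),
    }


def build_sample_tree():
    """Create a constructed sample tree mimicking a hit and return its root."""
    root = Path(tempfile.mkdtemp(prefix="redeemer_demo_"))
    (root / "Pictures").mkdir()
    (root / "Pictures" / "1.jpg.redeem").write_bytes(b"\x00" * 16)
    (root / "Pictures" / "2.jpg.redeem").write_bytes(b"\x00" * 16)
    (root / "Pictures" / RANSOM_NOTE_NAME).write_text("constructed note")
    (root / "Docs").mkdir()
    (root / "Docs" / "report.docx").write_bytes(b"PK")  # untouched file
    (root / "Docs" / RANSOM_NOTE_NAME).write_text("constructed note")
    return root


if __name__ == "__main__":
    result = scan_for_redeemer_artifacts(build_sample_tree())
    for enc, original in result["encrypted"].items():
        print(f"encrypted: {enc.name} (was {original})")
    print(f"ransom notes found: {len(result['notes'])}")
    print(f"folders with a note but no encrypted files: {result['note_only']}")
```

Point the scan at a mounted copy of the affected volume rather than the live host, and keep the `encrypted` mapping: the original names are what you will need when matching against backups.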
Before encryption, the malware abuses Windows commands to clear the event logs and delete shadow copies and any system state backups, preventing easy/free restoration.
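The pre-encryption cleanup described above is where a defender has the best chance of catching the attack before data is lost, because it produces process-creation events that are rare in normal use. The following is an added example, not code from the article: it parses constructed Sysmon-style process-creation log lines, classifies command lines into the three actions the article names, and raises a high-severity alert when one parent process launches two or more of them in a row. The article does not name the exact Windows commands Redeemer runs, so the utilities matched in `PATTERNS` (vssadmin, wmic, wbadmin, wevtutil) are an assumption based on how those actions are usually performed on Windows, and the log format and every log line are constructed for the demo.

```python
"""Detection of the pre-encryption cleanup sequence described in the article.

Added example, not code from the article. The log format and all sample log
lines are constructed; the commands in PATTERNS are an assumption (the
article names the actions, not the exact commands Redeemer uses).
"""
import re
from collections import defaultdict

# Assumption: the utilities normally used for each action named in the
# article. These are detection patterns, not commands taken from the builder.
PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows"
        r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "system_state_backup_deletion": re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\s+(systemstatebackup|catalog)\b", re.I),
    "event_log_clearing": re.compile(
        r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b", re.I),
}

# Constructed Sysmon-like process-creation events, one per line.
LINE_RE = re.compile(
    r'ts=(\S+) host=(\S+) ppid=(\d+) pid=(\d+) user=(\S+) cmdline="([^"]*)"')
SAMPLE_LOG = """\
ts=2023-01-01T09:59:58Z host=WS01 ppid=3300 pid=3310 user=alice cmdline="notepad.exe notes.txt"
ts=2023-01-01T10:00:01Z host=WS01 ppid=4120 pid=4212 user=alice cmdline="vssadmin delete shadows /all /quiet"
ts=2023-01-01T10:00:02Z host=WS01 ppid=4120 pid=4215 user=alice cmdline="wbadmin delete systemstatebackup -keepVersions:0"
ts=2023-01-01T10:00:02Z host=WS01 ppid=4120 pid=4218 user=alice cmdline="wevtutil cl Security"
ts=2023-01-01T10:00:03Z host=WS01 ppid=4120 pid=4220 user=alice cmdline="wevtutil cl System"
ts=2023-01-01T10:05:00Z host=SRV02 ppid=900 pid=912 user=backupsvc cmdline="wbadmin start backup -backupTarget:E: -include:C:"
ts=2023-01-01T10:06:00Z host=SRV02 ppid=901 pid=930 user=admin cmdline="vssadmin list shadows"
"""


def classify(cmdline):
    """Return the matching category for a command line, or None if benign."""
    for name, pattern in PATTERNS.items():
        if pattern.search(cmdline):
            return name
    return None


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, ppid, pid, user, cmdline = m.groups()
    return {"ts": ts, "host": host, "ppid": int(ppid), "pid": int(pid),
            "user": user, "cmdline": cmdline}


def detect(log_text, min_categories=2):
    """Group suspicious children by (host, parent pid) and score them.

    A parent that spawns `min_categories` or more distinct cleanup actions is
    flagged "high": one process doing all three is the pre-encryption
    pattern. Isolated hits are returned as "low" for an analyst to review.
    """
    by_parent = defaultdict(lambda: {"categories": set(), "cmdlines": []})
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        category = classify(event["cmdline"])
        if category is None:
            continue
        key = (event["host"], event["ppid"])
        by_parent[key]["categories"].add(category)
        by_parent[key]["cmdlines"].append(event["cmdline"])
    alerts = []
    for (host, ppid), info in sorted(by_parent.items()):
        alerts.append({
            "host": host,
            "ppid": ppid,
            "categories": sorted(info["categories"]),
            "cmdlines": info["cmdlines"],
            "severity": "high" if len(info["categories"]) >= min_categories else "low",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['host']} parent {alert['ppid']}: "
              f"{', '.join(alert['categories'])}")
```

Grouping by parent process is what separates this from a plain keyword match: a backup administrator listing shadow copies or starting a backup never trips the rule, while the burst of deletions from one parent does. In production, the same logic would sit on Sysmon Event ID 1 or Windows Security 4688 data, and a `high` alert should isolate the host, since the article notes encryption follows immediately after this step.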
If Cerebrate continues to promote the ransomware and update its features regularly, it has the potential to become one of the more commonly used families among freely available ransomware.