Redeemer Ransomware 2.0 Released on Dark Web Forums

Hacker Typing on a Keyboard

A well-known hacker has been pushing a new and even more sinister version of his commission-based ransomware “Redeemer” on dark web forums, researchers at cyber intelligence firm, Cyble, said in a blog post on Wednesday.

This Redeemer 2.0 campaign differs from most Ransomware-as-a-Service (RaaS) operations in that it’s free to use and accessible to anyone — allowing lesser-skilled cybercriminals to enter the ransomware racket in exchange for a cut of profits.

Redeemer 2.0, “Easy to Use and Deploy”

Researchers at the Australia-based Cyble announced their findings on the new affiliate program earlier this week. Redeemer 2.0 is an unusual ransomware software program because it can be downloaded as a ZIP file by anyone via dark web cybercrime forums. It also comes complete with instructions and is configured to launch customized attacks.

With the surge of dark web ads offering up corporate network access, even the most unskilled hacker could run successful ransomware campaigns — particularly on already vulnerable entities such as small businesses or healthcare.

First released in June 2021, Redeemer supports Windows 11, includes a ransomware campaign ID tracking system, and even ways for users to communicate with the program’s creator, “Cerebrate.” Redeemer, by design, also sends a 20% commission from ransoms to the author.

“I’ve been running my ransomware for about 1 year now on Dread mostly and a lot of people have earned serious money by using my software,” Cerebrate stated as he promoted his product in a dark web forum post.

How Redeemer Operates

Researchers at Cyble noted that the new version of Redeemer abuses Windows functions and services and deletes all system backups to successfully take files ransom by encrypting or locking them. Once this is done, the victim is met with a “Your Data Is Encrypted” blue screen that includes an explanation of what is taking place.

Meanwhile, encrypted system files’ icons will be replaced with the Redeemer logo. System files can only be decrypted — or unlocked — when the victim pays a ransom fee in the Monero cryptocurrency. This is done via an Onion (accessible by Tor) address provided by the software.

The author takes the 20% “decryption fee,” once a ransomware attack on a victim’s system is successful. Once the fee is paid, the author sends the “Redeemer Master Key” to the client. This key, along with the included decrypter.exe, allows victims to unlock their files.

The author justifies this fee by promising protection and future updates to the software. Furthermore, all communications between client and Cerebrate take place either via the dark web (BreachForums and Dread) or via “Tox Chat.”

Cyble noted that Redeemer can cause loss of valuable data such as financial data, and sensitive business information, and ultimately destroy an organization’s reputation and integrity.

‘Uptick’ in Hacker Chats

Whether Redeemer is going to be used in high-profile cyber attacks is yet to be seen, but author Cerebrate’s hinting at releasing the software as shareable open-source code to the community may mean we see several implementations of it in the future.

Cyble has also noted that there is an uptick in cybercriminal communications on unregulated platforms, mostly “through Telegram channels and cybercrime forums where TAs [threat actors] sell their products.”

The company also observed an upward trend in ransomware affiliate programs. Ransomware developers “are increasingly selling or leasing their ransomware to affiliates for a portion of any ransom amount collected,” Cyble added.

Cyble’s Tips on Avoiding Ransomware

Cyble has listed essential cybersecurity best practices that will aid as the first line of defense against ransomware like Redeemer. The company recommends users conduct regular offline backups, set all systems to be automatically updated, use premium antivirus programs, and avoid opening suspicious links and email attachments without verifying them first.

Should you find that you have become a victim of a ransomware event, detach all infected devices on your network, disconnect external storage immediately and inspect system logs.

For regular users, it is always a good idea to have a powerful antivirus program running 24/7 in the background on your devices. It is also a good idea to protect your network traffic with a Virtual Private Network (VPN).

For these reasons, many users opt to get antivirus programs with a built-in VPN. For more information about protecting yourself from common first-stage attacks of ransomware, read our guide on how to recognize and avoid dangerous phishing emails.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.