Over the past few weeks, FortiGuard Labs has observed several new ransomware variants of interest that have been gaining traction within the OSINT community, along with activity from our datasets. This isn’t a new phenomenon. This is part of a pattern of behavior that dates back several years—a pattern that is likely to continue for some time to come.
Ransomware infections continue to have a significant impact on organizations, including—but not limited to—disruptions to operations, theft of confidential information, monetary loss due to ransom payout, and more. It’s why we feel it's imperative that we increase our efforts to raise awareness about existing and emerging ransomware variants.
This new Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against these variants.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High
This latest edition of the Ransomware Roundup covers the Redeemer, Beamed, and Araicrypt ransomware families.
Redeemer is a ransomware variant that was first discovered in June 2021. It encrypts files on a compromised machine and demands a ransom in Monero cryptocurrency (XMR) to decrypt the affected files. As of this writing (July 29, 2022), there are four public versions of Redeemer ransomware: versions 1.0, 1.5, 1.7, and 2.0. This indicates that the Redeemer threat actors have been applying constant effort to improve the ransomware.
Files encrypted by Redeemer ransomware typically have a “.redeem” file extension. The malware also leaves a ransom note in Read Me.TXT.
Redeemer has its own web page on TOR that provides instructions on how to use the Redeemer ransomware and toolkit. The instructions are broken down into six sections.
As previously mentioned, the decryption fee is currently set at 20%, giving affiliates 80% of the profit. The developer also provides a Tox chat address to communicate with affiliates.
Fortinet customers running the latest antivirus (AV) definitions are protected against known Redeemer ransomware variants by the following signatures:
Beamed is ransomware that encrypts files on a compromised machine and demands that victims pay a ransom in Bitcoin for file decryption. Encrypted files have a “.beamed” file extension. It leaves a ransom note in “RIP YO DOCUMENTS.txt”, which contains the attacker’s Bitcoin address. The ransom fee is set at $200 worth of Bitcoin. As of this writing, no transaction has been observed in the Bitcoin wallet.
Fortinet customers running the latest antivirus (AV) definitions are protected against known Beamed ransomware variants by the following signature:
Araicrypt appears to be a variant of the Thanos ransomware family that encrypts files on a victim’s machine. It leaves a ransom note in “READ_TO_RESTORE_YOUR_FILES.txt”. In the ransom note, Araicrypt claims to have deleted shadow copies, which makes file recovery difficult. It also claims to have stolen information from the victim, who is given 48 hours to contact the attacker via email. The attacker threatens to publish the stolen data if the victim fails to make contact. Files encrypted by Araicrypt ransomware have a “.araicrypt” file extension.
Fortinet customers running the latest antivirus (AV) definitions are protected against known Arai ransomware variants by the following signatures:
Ransomware victims are cautioned against paying ransom by organizations such as CISA, NCSC, the FBI, and HHS, partly because payment does not guarantee that files will be recovered. According to an advisory from the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities, and making such a payment could itself be illegal. The FBI has a Ransomware Complaint page, where victims can submit samples of ransomware activity via the Internet Crime Complaint Center (IC3).
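The three families above each leave distinctive file-system traces: an encrypted-file extension (.redeem, .beamed, .araicrypt) and a ransom-note filename (Read Me.TXT, RIP YO DOCUMENTS.txt, READ_TO_RESTORE_YOUR_FILES.txt). The following triage script is an added example, not FortiGuard's own tooling; it walks a directory tree, counts encrypted files and locates ransom notes per family, and runs against a constructed sample tree rather than real malware output.

```python
"""Triage helper for the Redeemer, Beamed and Araicrypt indicators in this
roundup. Added example; indicator values come from the report text."""
import os
import tempfile

# Extensions and ransom-note names as stated in the report (compared case-insensitively,
# since the ransom notes are dropped on case-insensitive Windows file systems).
FAMILIES = {
    "Redeemer":  {"ext": ".redeem",    "note": "read me.txt"},
    "Beamed":    {"ext": ".beamed",    "note": "rip yo documents.txt"},
    "Araicrypt": {"ext": ".araicrypt", "note": "read_to_restore_your_files.txt"},
}


def scan_tree(root):
    """Walk root and return {family: {"encrypted": count, "notes": [paths]}}
    for every family that has at least one indicator present."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            for family, ind in FAMILIES.items():
                entry = hits.setdefault(family, {"encrypted": 0, "notes": []})
                if lower.endswith(ind["ext"]):
                    entry["encrypted"] += 1
                elif lower == ind["note"]:
                    entry["notes"].append(os.path.join(dirpath, name))
    # Keep only families with evidence, so a clean host yields an empty dict.
    return {f: h for f, h in hits.items() if h["encrypted"] or h["notes"]}


def build_sample_tree(root):
    """Constructed sample (not real malware output): a share hit by Beamed."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for fn in ("budget.xlsx.beamed", "notes.docx.beamed", "RIP YO DOCUMENTS.txt"):
        open(os.path.join(docs, fn), "w").close()
    open(os.path.join(root, "clean.txt"), "w").close()  # untouched file


def demo():
    """Build the sample tree in a temp dir and return the scan result."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

A real run would point scan_tree at a mounted image or share rather than the constructed tree, and a match on any family is a signal to isolate the host and collect the note for analysis.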