- The developer of Redeemer malware released its new version Redeemer 2.0 with updated features on a dark web hacker forum.
- Redeemer 2.0 malware release was written entirely in C++ and works on Windows operating systems from Vista onward.
- The downloading of the malware is free and easy for everyone to use.
In a recent review of hacker forums, Cyble Research Labs came across an author “Cerebrate” advertising ransomware called “Redeemer”. While the author stated that the ransomware was free of charge to use, in case a victim accepts to pay the ransom, a 20% share of the total amount is requested.
Works only on Windows
Earlier this month, Cerebrate, the developer of Redeemer malware, released its new version Redeemer 2.0 with updated features on a dark web hacker forum. In its post, Cerebrate stated that Redeemer is coded in C++. The author made the Redeemer package accessible on Dread, including the build.dat, decrypter, and affiliate toolkit files. Cerebrate added that the new version was very easy to use and deploy.

The ransomware was made to work only on Windows operating systems from Vista onward and has to be running as an administrator to infect the victim’s system. It features multi-thread support for performance and a medium AV detection rate. Anyone can download the Redeemer ransomware builder for free to operate their attacks. The author takes 20% of the fees in case of any victim pays the ransom. Then it shares a private build key for encryption and specifies email addresses for further communication. This key will also prevent the attackers to be tracked. Some of the new features of ransomware mentioned by the developer are;
- New affiliate toolkit with GUI (no dependencies)
- New decrypter with GUI (no dependencies)
- Modified ransom message
- Added the option of using XMPP Chat/Tox Chat/up to two emails for communication
- Added support for Windows 11
- Prevented the damaging of Windows Operating Systems in certain cases
- Added amount and campaign ID to the Redeemer executable and affiliate decryption process so the affiliate can see the requested amount/campaign ID
- Now all encrypted files have a new icon making it clear that they were encrypted
- Lots of small fixes
Cyble Labs researchers also observed that the ransomware generates a mutex upon execution to ensure that only one type of malware is running on the victim’s system. It exploits Windows APIs to launch itself with admin privileges. It copies itself into the Windows directory with legitimate file names, such as svchost.exe, calc.exe, etc., and executes itself as a new process by using the ShellExecuteW() API function.
Lastly, the researchers observed a similar rise in ransomware affiliate programs, where the ransomware developers expand selling/leasing their ransomware to affiliates for a piece of any ransom amount collected. They urge to take extreme safety measures to prevent ransomware attacks.