Politically motivated hacktivist groups, including Ikaruz Red Team (IRT), are using leaked ransomware builders to target Philippine entities and gain attention. IRT is closely affiliated with Turk Hack Team and Anka Underground, and it co-opts government branding and Hack4Gov imagery to amplify its messages. #IkaruzRedTeam #LockBit #TurkHackTeam #AnkaRedTeam #AnkaUnderground #Hack4Gov #CERT-PH
Key points
- IRT shifted from defacements and nuisance attacks to small-scale ransomware campaigns using leaked tools.
- Attacks have targeted Philippine entities and involved repurposing LockBit payloads with modified ransom notes and icons.
- IRT maintains a social media and public-facing presence to claim and publicize attacks, signaling a political motive.
- Co-option of Hack4Gov imagery and branding ties into broader hacktivist activity around government and cybersecurity in the Philippines.
- The group links with Anka Red Team and Turk Hack Team, indicating a wider hacktivist ecosystem beyond a single actor.
- Openly available leaked ransomware builders and ready-to-go scripts are enabling less sophisticated actors to cause disruption.
MITRE Techniques
- [T1587] Acquire Capabilities – Used leaked LockBit builders to launch small-scale ransomware attacks; ‘launching small-scale ransomware attacks with leaked LockBit builders.’
- [T1027] Obfuscated/Compressed Files and Information – Packaged as self-extracting RAR files with a custom IRT .ico file; ‘This bundled .ico file is meant to replace the stock LockBit icon resource on encrypted files.’
- [T1036] Masquerading – Ransom notes follow the original LockBit template with the top line altered to show ‘Ikaruz Red Team’; “ransom notes use the original LockBit template almost entirely intact with the exception of the top line, where the LockBit ransomware name is replaced by ‘Ikaruz Red Team’”; ‘Modifying the config.json file prior to building the LockBit payloads allows for this simple modification within the ransom notes.’
- [T1486] Data Encrypted for Impact – Encrypts files across local and mounted volumes; ‘The ransomware will then rapidly traverse available local and mounted shared volumes, encrypting applicable files and data.’
Indicators of Compromise
- [SHA1] ransom note – 133388ea2bd362993198bba461c7273a2a3af1ec, 2454820aef7c6289af85758df89976718013a5a4, and 8 more hashes
- [SHA1] webshell (github) – 41b2e3f0ddb3ceef2cddb09ca9edf4334461720c
- [SHA1] lb3.exe – a379e55be365ece1ca2b8f72b6c54bb8b5bfe4e9
- [SHA1] RED.ico – 8596a6bb124e56f6d545b77e74c3b23f6f578f55
- [SHA1] test.php – 5b830b5d5577ad8186e9ba4f7fdeee0b32c535e3
- [SHA1] LockBit 3.0 (Ikaruz Red Team) – b65183cc886185a8c34860f68d3289d8e9dd84e3
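The two detection angles this page gives a defender are the file hashes above and the packaging described under T1027 (a self-extracting RAR carrying the payload and a replacement .ico). The script below is an added example, not code from the original report or from any of the groups it describes: it computes a SHA1 for a file, checks it against the hashes listed on this page, and flags a PE image that has a RAR archive signature appended after the executable, which is how an SFX archive is laid out. The sample bytes it scans are constructed inline (a skeletal MZ/PE header followed by a RAR5 signature) and stand in for a real SFX stub; the helper names are mine.

```python
import hashlib
import struct
import sys
from dataclasses import dataclass

# SHA1 indicators listed on this page (lowercase hex). The report notes
# eight further ransom-note hashes that are not reproduced here.
PAGE_IOC_SHA1 = {
    "133388ea2bd362993198bba461c7273a2a3af1ec",  # ransom note
    "2454820aef7c6289af85758df89976718013a5a4",  # ransom note
    "41b2e3f0ddb3ceef2cddb09ca9edf4334461720c",  # webshell (github)
    "a379e55be365ece1ca2b8f72b6c54bb8b5bfe4e9",  # lb3.exe
    "8596a6bb124e56f6d545b77e74c3b23f6f578f55",  # RED.ico
    "5b830b5d5577ad8186e9ba4f7fdeee0b32c535e3",  # test.php
    "b65183cc886185a8c34860f68d3289d8e9dd84e3",  # LockBit 3.0 (Ikaruz Red Team)
}

# RAR archive signatures (RAR 4.x and RAR 5.x). A self-extracting RAR is a
# PE stub with one of these blocks appended after the executable image.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


@dataclass
class ScanResult:
    sha1: str
    ioc_match: bool
    is_pe: bool
    rar_offset: int  # byte offset of the RAR signature, -1 if absent


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_rar_signature(data: bytes) -> int:
    """Return the offset of the first RAR5/RAR4 signature, or -1 if none."""
    for magic in (RAR5_MAGIC, RAR4_MAGIC):
        idx = data.find(magic)
        if idx != -1:
            return idx
    return -1


def scan_bytes(data: bytes, iocs=PAGE_IOC_SHA1) -> ScanResult:
    """Hash the blob, check it against the IoC set, and look for SFX structure."""
    digest = hashlib.sha1(data).hexdigest()
    return ScanResult(
        sha1=digest,
        ioc_match=digest in iocs,
        is_pe=is_pe(data),
        rar_offset=find_rar_signature(data),
    )


def is_suspected_sfx(result: ScanResult) -> bool:
    """A PE with a RAR signature somewhere after offset 0 is an SFX candidate."""
    return result.is_pe and result.rar_offset > 0


def scan_file(path: str) -> ScanResult:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def build_fake_sfx() -> bytes:
    """Constructed sample, not a real binary: minimal MZ/PE header plus a RAR5 block."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x80)         # e_lfanew -> 0x80
    stub += b"\x00" * (0x80 - len(stub))             # DOS stub padding
    stub += b"PE\x00\x00" + b"\x00" * 0x100          # PE signature + placeholder image
    return bytes(stub) + RAR5_MAGIC + b"\x00" * 16   # appended archive header


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [(p, scan_file(p)) for p in targets] if targets else [("<constructed>", scan_bytes(build_fake_sfx()))]
    for name, r in results:
        print(f"{name}: sha1={r.sha1} ioc={r.ioc_match} pe={r.is_pe} sfx={is_suspected_sfx(r)} rar_at={r.rar_offset}")
```

Run it with one or more file paths to check them, or with no arguments to scan the constructed sample. The hash check is exact-match only, so it catches the specific files listed here and nothing else; the SFX check is structural and will also flag benign installers built as self-extracting RAR archives, so treat it as a triage signal rather than a verdict.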