Red Ransomware (also known as Red CryptoApp) emerged in early 2024, publishing victim data on its “Wall of Shame” Data Leak Site (DLS) and continuing to claim victims after its first disclosures. The group uses phishing and vulnerability exploitation for initial infection, encrypts files with a .REDCryptoApp extension, and negotiates through a TOR-based interface that even uses AI-generated chat text for ransom communications. #RedRansomware #RedCryptoApp
Keypoints
- The Red Ransomware group surfaced in March 2024 and publicly disclosed 11 victims on its Data Leak Site (DLS), with a strategic delay in publishing data.
- Victimology shows a small but cross-border footprint: victims are US- and non-US-based organizations in sectors including IT, Legal, Hospitality, Transportation, Manufacturing, Education, Electronics, and Retail, across countries including the US, Canada, Singapore, Mexico, Spain, Italy, India, and Denmark.
- Infection methods include exploiting vulnerabilities and phishing emails with malicious attachments, followed by file encryption that appends the .REDCryptoApp extension.
- Victims interact with the group through a unique TOR URL and a login panel labeled “Company Recovery,” using a hash ID and captcha to access a chat window; the group also uses AI-generated text in communications.
- Ransom demands have reached multi-million dollar levels, with at least one observed demand of $5 million.
- The latest high-profile victim involves Targus, with a related 8-K breach disclosure from B. Riley Financial, illustrating the real-world impact on organizations.
MITRE Techniques
- [T1566.001] Phishing: Attachment – Red Ransomware infects systems via phishing emails carrying malicious attachments. Quote: “phishing emails with malicious attachments.”
- [T1203] Exploitation for Client Execution – Infections occur by exploiting vulnerabilities. Quote: “exploiting vulnerabilities.”
- [T1486] Data Encrypted for Impact – After compromise, files are renamed with the .REDCryptoApp extension, rendering them inaccessible. Quote: “rendering them inaccessible.”
- [T1090] Proxy – Victims are directed to a unique TOR URL to facilitate negotiations. Quote: “unique TOR URL to facilitate negotiations.”
- [T1041] Exfiltration – Victim data was leaked on a Data Leak Site (DLS), notably the “Wall of Shame.” Quote: “leakage of victim data on its Data Leak Site (DLS)” and “Wall of Shame.”
Indicators of Compromise
- [URL/Domain] TOR-based negotiation URL – a unique TOR URL that gives the victim access to the negotiation panel.
- [URL/Domain] Data Leak Site (DLS) – the “Wall of Shame” page where victim data is published.
- [File] File extension – .REDCryptoApp, appended to encrypted files.
- [Malware/Family] Red Ransomware / Red CryptoApp – the threat family name and the alias used in communications and branding.
- [Victim/Organization] Targets and victims – Targus, with a related 8-K disclosure by B. Riley Financial.
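As an added example (not from the SOCRadar profile), a small Python detector that runs over constructed file-rename audit events and flags a host that renames many files to the reported .REDCryptoApp extension within a short window. The log format, hostnames and paths are constructed assumptions; only the extension comes from the profile.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-system audit events (not real telemetry).
# Format assumed here: "<ISO timestamp> <host> RENAME <old path> -> <new path>"
SAMPLE_EVENTS = """\
2024-03-14T09:12:01 ws-17 RENAME C:\\Finance\\q1.xlsx -> C:\\Finance\\q1.xlsx.REDCryptoApp
2024-03-14T09:12:01 ws-17 RENAME C:\\Finance\\q2.xlsx -> C:\\Finance\\q2.xlsx.REDCryptoApp
2024-03-14T09:12:02 ws-17 RENAME C:\\Finance\\notes.docx -> C:\\Finance\\notes.docx.REDCryptoApp
2024-03-14T09:12:02 ws-17 RENAME C:\\Users\\a\\pic.jpg -> C:\\Users\\a\\pic.jpg.REDCryptoApp
2024-03-14T09:12:03 ws-17 RENAME C:\\Users\\a\\cv.pdf -> C:\\Users\\a\\cv.pdf.REDCryptoApp
2024-03-14T09:30:00 ws-02 RENAME C:\\Temp\\draft.txt -> C:\\Temp\\final.txt
2024-03-14T10:01:00 ws-09 RENAME C:\\Share\\a.db -> C:\\Share\\a.db.REDCryptoApp
"""

RANSOM_EXT = ".REDCryptoApp"  # extension this family appends to encrypted files
EVENT_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")

def parse_events(text):
    """Parse log lines into (timestamp, host, old_path, new_path); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, host, old, new = m.groups()
        events.append((datetime.fromisoformat(ts), host, old, new))
    return events

def detect_mass_rename(events, threshold=5, window=timedelta(seconds=60)):
    """Return {host: total_count} for hosts that rename >= threshold files to
    RANSOM_EXT inside one sliding window. A single rename is a weak signal;
    a burst on one host is the encryption pattern worth alerting on."""
    per_host = defaultdict(list)
    for ts, host, _old, new in events:
        if new.endswith(RANSOM_EXT):
            per_host[host].append(ts)
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                alerts[host] = len(times)
                break
    return alerts
```

Lowering `threshold` catches the isolated ws-09 rename too, at the cost of noisier alerts; the per-host count is what a responder would use to prioritize isolation.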
Read more: https://socradar.io/dark-web-profile-red-ransomware/