Ransomware remains a highly profitable attack method: attackers encrypt a victim's data and demand payment for its release. Because the payments and infrastructure are often difficult to trace back to the perpetrators, it remains a favored tool for financially motivated criminals.
Recently, researchers at SentinelOne documented a different use of the same tooling: hacktivist groups such as the Ikaruz Red Team are turning to ransomware to disrupt targets and draw attention to political causes. The Ikaruz Red Team, which the researchers associate with the Turk Hack Team and Anka Underground, has used leaked ransomware builders against targets in the Philippines while co-opting the branding of the government's CERT-PH.
The Ikaruz Red Team, also known as IRT, has moved from defacing websites and launching DDoS attacks to carrying out ransomware attacks in the region. This shift is part of a broader wave of hacktivism that has gained momentum around points of political tension, notably the Philippines' strategic position in relation to China.
Other groups, such as Robin Cyber Hood and Philippine Exodus, have also been involved in ransomware, disinformation, and espionage campaigns that align with the escalating tensions between the Philippines and China. The IRT has ties to pro-Hamas groups like the Anka Red Team and Turk Hack Team, indicating a broader network of hacktivist organizations working together.
While the Ikaruz Red Team initially relied on defacements as its primary attack vector, it now also runs small-scale ransomware attacks built from leaked LockBit builders. These attacks appear aimed at disruption rather than monetary gain: the group rewrites the ransom note text to carry its political message but leaves the builder's negotiation details unchanged.
Since January 2023, IRT has claimed multiple attacks on organizations in the Philippines using several ransomware strains, including LockBit, JellyFish, and Vice Society. The group's LockBit-based payload replaces the default icon with a custom .ico file; SentinelOne also identified an error in the payload related to a required RED.png file.
By co-opting imagery and branding from Philippine government cybersecurity entities, IRT mocks the country's defensive efforts and blurs the origin of its activity. Operating under aliases such as "IkaruzRT" and "Ikaruz Reignor" on platforms including BreachForums and GitHub, the group claims affiliation with other hacktivist organizations and publicizes both its breaches and its political causes.
Overall, the Ikaruz Red Team is part of a larger hacktivist movement carrying out damaging attacks in the Philippines, likely in response to growing tensions in the region. Although technically unsophisticated, its activities pose a real threat to critical infrastructure and national security.
As hacktivist groups like the Ikaruz Red Team continue to use ransomware for political ends, organizations and governments in the region need to treat them as a ransomware threat rather than a nuisance. Because these attacks reuse leaked commodity builders such as LockBit's, existing detections and response playbooks for those families apply directly; the usual controls (tested offline backups, endpoint detection, prompt patching of exposed services, and least-privilege access) remain the most effective way to limit the damage such actors can cause.

