RedEnergy A Ransomware Threat Targeting Energy and Telecom Sectors

RedEnergy, a highly advanced ransomware threat, has emerged in the wild with a focus on infiltrating energy utilities, oil and gas companies, telecommunications providers, and machinery sectors in Brazil and the Philippines via their LinkedIn pages.

Zscaler researchers Shatak Jain and Gurkirat Singh said in a recent analysis that the malicious software can extract sensitive information from various web browsers, enabling the unauthorized transfer of data. The malware also incorporates several modules to carry out ransomware activities.

The researchers emphasized that the primary objective of this attack is to combine data theft with encryption in order to cause maximum harm to the targeted victims.

The attack begins with a multi-stage strategy called FakeUpdates (also known as SocGholish), which deceives users into downloading malware disguised as web browser updates.

What sets this attack apart is the use of legitimate LinkedIn pages to reach victims. The website URLs redirect users to a fake landing page that prompts them to update their web browsers by clicking on the corresponding icon (such as Google Chrome, Microsoft Edge, Mozilla Firefox, or Opera). However, this action leads to the download of a malicious executable file.

Once the breach is successful, the malicious binary serves as a channel to establish persistence, carry out the actual browser update, and deploy a data-stealing component that secretly gathers sensitive information and encrypts stolen files. As a result, the victims face the risk of potential data loss, exposure, or even the unauthorized sale of their valuable data.

RAT-as-a-Ransomware Emerges as New Category of Cyber Threats

Zscaler has reported the discovery of suspicious activities occurring through a File Transfer Protocol (FTP) connection, suggesting the potential exfiltration of valuable data to infrastructure controlled by threat actors.

During the final phase, the ransomware component of RedEnergy proceeds to encrypt the user’s data by adding the “.FACKOFF!” extension to each encrypted file, erasing existing backups, and leaving a ransom note in every folder.

Victims receive instructions to pay 0.005 BTC (about $151) to a designated cryptocurrency wallet mentioned in the note in order to regain access to their files. The combination of RedEnergy’s functions as a data stealer and ransomware represents an evolution in cybercrime tactics.
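The one file-system indicator the analysis reports is the ".FACKOFF!" extension appended to every encrypted file, so a responder can sweep a share or endpoint for it and count how many folders are affected. The script below is an added illustration written for this article, not code from Zscaler or from the malware; the scan threshold and the sample directory it builds are constructed, and the ransom note filename is not reported here, so detection keys on the extension only.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension the analysis reports RedEnergy appending to encrypted files.
ENCRYPTED_EXT = ".FACKOFF!"


def scan_tree(root):
    """Walk root and return {folder: number of files carrying ENCRYPTED_EXT}."""
    hits = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ENCRYPTED_EXT):
                hits[dirpath] += 1
    return dict(hits)


def assess(root, threshold=3):
    """Summarise a scan; 'alert' is True once the hit count reaches threshold.

    threshold is an assumed triage value, not a figure from the analysis.
    """
    hits = scan_tree(root)
    total = sum(hits.values())
    return {
        "total_encrypted": total,
        "folders_hit": len(hits),
        "alert": total >= threshold,
    }


def build_sample_tree():
    """Constructed sample data: a temp dir with clean and 'encrypted' files."""
    root = Path(tempfile.mkdtemp(prefix="redenergy_demo_"))
    docs = root / "docs"
    docs.mkdir()
    for name in ("report.docx", "budget.xlsx"):
        (docs / (name + ENCRYPTED_EXT)).touch()   # two hits in docs/
    (root / ("notes.txt" + ENCRYPTED_EXT)).touch()  # one hit in root
    (root / "readme.txt").touch()                   # untouched file
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    print(assess(sample))
```

Run it against a mounted share or an endpoint's user profile to scope an incident; every folder returned is one that also needs to be checked for the ransom note the article mentions.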

This development follows the emergence of a new category of ransomware threats known as RAT-as-a-ransomware, wherein remote access trojans like Venom RAT and Anarchy Panel RAT are equipped with ransomware modules to encrypt various file extensions.

The researchers emphasized the utmost importance of exercising caution when accessing websites, particularly those linked from LinkedIn profiles. They advised individuals and organizations to remain vigilant in verifying the authenticity of browser updates and to be cautious of unexpected file downloads, as these precautions are crucial for protection against such malicious campaigns.
