New Red Ransomware Group Discovered

Red Ransomware Threat Actor Description
Red Ransomware is a new threat actor that targets companies around the world

In March 2024, threat analysts detected a new ransomware group, called Red Ransomware. The group, which began its activities during the waning days of prominent groups such as Lockbit and ALPHV, has quickly established a presence in cyberspace.

Who is Red Ransomware?

Red Ransomware, also known as Red CryptoApp, first revealed itself on March 5, 2024, immediately drawing attention to their activities by publishing the data of 11 victims on a Darknet leak site they called “Wall of Shame”. The original research uncovers the use of classic extortion techniques, but with utilization of modern technological approaches, including AI for negotiation. The ransomware group shows a high degree of premeditation by publishing the data of all victims at the same time. This is believed to have been done shortly to increase psychological pressure on future targets.

Red Ransomware Wall of Shame
Wall of Shame with 11 victims
(All victim data is stored in a “Dataprojects” folder archived in ZIP format along with each victim’s name.)

The ransom note used by the Red CryptoApp group:

Ransom note used by the Red CryptoApp

Victims of Red Ransomware

The profile of Red Ransomware victims shows that they select their targets from specific sectors and countries, suggesting a specific target selection strategy. The main victims are businesses from the United States, from a whole pack of different economic sectors, including educational and legal. Aside from the US companies, hackers also listed victims from Canada, Singapore, Mexico, Spain, Italy, India, and Denmark.

Victims of Red Ransomware

How does Red Ransomware work?

The Red Ransomware group uses a number of techniques to hack into and control targeted systems. Each attack is a serious threat to organizations in various industries.

Initial Access

Red Ransomware begins its attack by infecting systems using phishing emails or exploiting vulnerabilities in software. All user files get a new extension .REDCryptoApp and cannot be accessed without a special key. Imagine that in an instant all your data is encrypted and inaccessible.

Target audience

Red Ransomware covers a wide range of targets, including countries such as the United States, Canada, Singapore, Mexico, Spain, Italy, India and Denmark. So far information technology, legal services, hospitality, transportation, manufacturing, education, electronics, and retail are the main targets. However, this hints that the group selects victims where maximum financial gain can be achieved.

Victim negotiation

To contact victims, a unique URL is provided on the TOR network for ransom negotiations. The interface for communication is well designed. There is a login panel where victims enter a unique hash code to access a chat window for negotiation. And for confirmation, you have to solve a captcha to get through to the chat.

Victim negotiation
Login panel

Use of AI

Also, communicating with victims is like talking to a well-tuned bot. Apparently, they’re using AI to automate communication. This allows them to dialog with multiple victims at the same time.

AI-generated messages
AI Content Identifier

New Red Ransomware Group Discovered

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

Leave a comment

Your email address will not be published. Required fields are marked *