Ransomware attacks launched by the Ikaruz Red Team using LockBit Builder

Cybercriminals favor ransomware because it lets them extort money from targets by encrypting their data and demanding a ransom for its release. The technique is highly lucrative and usually difficult to trace back to the perpetrators.

SentinelOne researchers have found that hacktivist groups like Ikaruz Red Team increasingly use ransomware to cause disruption and to draw attention to political causes. Leveraging leaked builders, the Ikaruz Red Team and aligned groups such as Turk Hack Team and Anka Underground have recently carried out attacks against Philippine targets, hijacking branding from the country's CERT-PH.

LockBit Builder used by Ikaruz Red Team

Between 2023 and the present, the Ikaruz Red Team (IRT) has been implicated in website defacements and DDoS attacks, and is now moving into ransomware as part of a broader wave of hacktivism in the region. This wave also includes groups such as Robin Cyber Hood and Philippine Exodus, which have carried out ransomware, disinformation, and espionage campaigns amid escalating tensions with China over the Philippines' strategic role. Within this context, IRT claims links with the pro-Hamas Anka Red Team and Turk Hack Team.

While defacement was previously its primary attack vector, the group began running small-scale ransomware attacks based on leaked LockBit builders, modifying the ransom notes but not the negotiation elements, which points to disruption rather than financial motives. Since January 2023, numerous IRT attacks using LockBit, JellyFish, and Vice Society, among others, have been claimed against several Philippine organizations.

The IRT payload bundles a custom .ico file intended to replace LockBit's icon, but it contains a bug that references a required RED.png file, SentinelOne stated. When executed, it extracts and launches LockBit (lb3.exe), which rapidly encrypts files, appends a .Uc2RrigQ extension, and drops matching ransom notes.
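The file-system indicators described above (the .Uc2RrigQ extension and the dropped lb3.exe) can be checked for during incident triage. The following Python script is an added example, not code from the article or from SentinelOne: it walks a directory tree and counts indicator hits. The ransom-note filename pattern `<id>.README.txt` is an assumption based on typical LockBit 3.0 builds and is not stated on the page; the sample tree it scans is constructed for the demo.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the article: encrypted-file extension and payload name.
# The ransom-note suffix is an ASSUMPTION (LockBit 3.0 builds usually drop
# "<id>.README.txt"); the article itself does not name the note file.
ENCRYPTED_EXT = ".Uc2RrigQ"
PAYLOAD_NAME = "lb3.exe"
NOTE_SUFFIX = ".README.txt"


def triage_tree(root):
    """Walk a directory tree and return counts of indicator hits.

    Returned keys: "total" (files seen), "encrypted" (files carrying the
    ransomware extension), "payload" (copies of lb3.exe) and "note"
    (ransom-note candidates). Missing keys mean zero hits.
    """
    hits = Counter()
    for _dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            hits["total"] += 1
            if name.endswith(ENCRYPTED_EXT):
                hits["encrypted"] += 1
            if name.lower() == PAYLOAD_NAME:
                hits["payload"] += 1
            if name.endswith(NOTE_SUFFIX):
                hits["note"] += 1
    return dict(hits)


def encryption_ratio(hits):
    """Fraction of scanned files that carry the ransomware extension."""
    total = hits.get("total", 0)
    return hits.get("encrypted", 0) / total if total else 0.0


def build_sample_tree():
    """Create a CONSTRUCTED sample tree (no real victim data) for a demo run."""
    root = tempfile.mkdtemp(prefix="irt_demo_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for name in ("q1.xlsx.Uc2RrigQ", "memo.docx.Uc2RrigQ",
                 "notes.txt", "ABC123XYZ.README.txt"):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(root, "lb3.exe"), "w").close()
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    result = triage_tree(sample)
    print(result)                       # {'total': 5, 'encrypted': 2, 'note': 1, 'payload': 1}
    print(f"encrypted ratio: {encryption_ratio(result):.2f}")
```

Point the script at a mounted image or a copied share rather than a live host, and treat a non-zero "payload" count or a high encryption ratio as a reason to isolate the system and preserve the dropped note for attribution.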

IRT co-opts imagery and branding from the Philippine national CERT-PH and the Hack4Gov CTF, possibly to imitate legitimate cybersecurity activity or to disguise hostile operations. Operating under aliases such as "IkaruzRT" and "Ikaruz Reignor" on platforms including BreachForums and GitHub, IRT declares alliances with Anka Red Team, Anka Underground, and the pro-Hamas Turk Hack Team.

It has publicized breaches such as Yakult Philippines while promoting political causes. Its social media presence includes advertisements of data leaks from Philippine targets between August 2023 and January 2024. Ikaruz Red Team fits into a broader hacktivist campaign carrying out crude but damaging attacks on the Philippines, potentially tied to growing regional tensions as China seeks to destabilize critical infrastructure.