RED CRYPTOAPP: New Player in the Ransomware Ecosystem

Rakesh Krishnan
6 min read · Apr 4, 2024

NOTE: This is an initial report prepared by considering only the leak site and the victims listed there. A detailed investigation requires the sample, which has not yet been made public.

RED CryptoApp is a new Ransomware Group that emerged in March 2024.

Note: We refer to the Red Ransomware Group as “Red CryptoApp” (after its file extension) because another ransomware variant with the same name, “Red”, appeared in 2023. This could cause confusion among researchers, who sometimes club the two together.

RED CryptoApp Representation | Credit: Self-Gen

So far, they have published 11 victims’ data on their Data Leak Site (DLS), with 1 further victim announced (yet to be released). Their DLS first appeared on 29th March 2024 under the title “Wall of Shame”.

33zo6hifw4usofzdnz74fm2zmhd3zsknog5jboqdgblcbwrmpcqzzbid.onion

It is notable that, unlike other ransomware DLS, RED CryptoApp did NOT use a vanity Onion domain for their Leak Site.

If you observe the image below closely, you can see that the group kept the same leak date for all 11 victims: 5th March 2024. This gives us a hunch that the group may have kick-started its operations long before, but waited a reasonable time to publish the victim data together, which makes a notable impression on the ransomware community and gains more attention.

DLS of RED CryptoApp Ransomware Group

Once infected, all the files are appended with .REDCryptoApp extension.

Upon investigating the victim files, it was found that the group started targeting victims in mid-February 2024, as the ransom note dates back to 18th February 2024.

Hence, we can estimate that the group began ramping up its activities in early 2024 and released its first victim data leaks in March 2024.

EXPLORING THE VICTIM PANEL

Victims of RED CryptoApp are provided with a unique TOR URL to negotiate with the group. On navigating to that URL, the following page appears:

Victim Login Panel

The group titled this page “Company Recovery”. The victim must provide a “Hash” (a unique ID for each victim) and solve a captcha to log into the chat window.

NOTE: Each victim company is provided with a 64-character alphabetic code.

Chat Panel of Red CryptoApp Ransomware Group

The necessary information for the victim is displayed on the left pane in the Chat Box.

The victim name, time-frame for negotiation, ransom demand, data size, and Bitcoin wallet address are presented to the victim. In this case, we can see a ransom demand of $5M to the undisclosed victim.

Analyzing the text in the right pane shows that it is AI-generated. This is concrete evidence of the use of AI tools by ransomware groups.

Evidence of RED CryptoApp using AI

VICTIM ANALYSIS

Analyzing the victims’ information, we can deduce the following facts:

- The US is the most targeted country, with a total count of 5 (ATTOW)
- Other targets include Denmark, India, Spain, Italy, Singapore and Canada
- The industries most targeted by RED CryptoApp are Software and Manufacturing
- Other observed targeted sectors include Education, Construction, Hospitality and IT

BREACH ANALYSIS

It was found that the RED CryptoApp group uses a second dedicated TOR domain, separate from the main DLS, to host leaked victim data.

As of now, the data of about 11 victims has been breached. The data is hosted on the following TOR domain:

q7uspeblxi35hfd4jzy5evyz7ipjqtezww7giejgwpp5xdnjwxk5sdad.onion

All the victims’ data sits in a folder named “Dataprojects”, with each victim’s data archived as a ZIP file named after the victim.

RANSOM NOTE ANALYSIS

Let’s check the ransom note of the RED CryptoApp group to extract more information:

Attention!

----------------------------
| What happened?
----------------------------

We hacked your network and safely encrypted all of your files, documents, photos, databases, and other important data with reliable algorithms.
You cannot access your files right now, But do not worry You can get it back! It is easy to recover in a few steps.

We have also downloaded a lot of your private data from your network, so in case of not contacting us these data will be release publicly.
Everyone has a job and we have our jobs too, there is nothing personal issue here so just follow our instruction and you will be ok.
Right now the key of your network is in our hand now and you have to pay for that.
Plus, by paying us, you will get your key and your data will be earse from our storages and if you want you can get advise from us too, in order to make your network more than secure before.

----------------------------
| How to contact us and get my files back?
----------------------------

The only method to decrypt your files and be safe from data leakage is to purchase a unique private key which is securely stored in our servers.

To contact us and purchase the key you have to get to the link below :

Onion Link :
http://33zo6hifw4usofzdnz74fm2zmhd3zsknog5jboqdgblcbwrmpcqzzbid.onion/XXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXX/login

Hash ID : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

!Important! : This is a unique link and hash for your network so don't share these with anyone and keep it safe.

----------------------------
| How to get access to the Onion link ?
----------------------------
Simple :

1- Download Tor Browser and install it. (Official Tor Website : torproject.org)
2- Open Tor Browser and connect to it.
3- After the Connection, Enter the Onion Link and use your Hash ID to login to your panel.

----------------------------
| What about guarantees?
----------------------------

We understand your stress and worry.
So you have a FREE opportunity to test a service by instantly decrypting for free some small files from your network.
after the payment we will help you until you get your network back to normal and be satesfy.


Dear System Administrators,
Do not think that you can handle it by yourself.
By hiding the fact of the breach you will be eventually fired and sometimes even sued.
Just trust us we've seen that a lot before.


----------------------------
| Follow the guidelines below to avoid losing your data:
----------------------------
!Important!

-Do not modify or rename encrypted files. You will lose them.
-Do not report to the Police, FBI, EDR, AV's, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything.
-Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are smarter than us and they can trick us, but it is not. They usually fail. So speak for yourself.
-Do not reject to purchase, Exfiltrated files will be publicly disclosed.

The ransom note used by the group is unique and was not found anywhere else. It can also be confirmed that the note was written by a human (NOT AI-generated).

However, one portion of the ransom note was previously seen in the Maze ransomware note, back in 2020:

Dear System Administrators,
Do not think that you can handle it by yourself.
By hiding the fact of the breach you will be eventually fired and sometimes even sued.
Just trust us we’ve seen that a lot before.

The same text is found in this tweet, which belongs to the Maze ransomware group.

From this, we cannot conclude whether this group is a spin-off of Maze ransomware; more evidence would be needed to correlate the two.

INFRASTRUCTURE ANALYSIS

It was found that the Red CryptoApp Group is using Apache servers to power their Data Leak Site (DLS).

33zo6hifw4usofzdnz74fm2zmhd3zsknog5jboqdgblcbwrmpcqzzbid.onion

The threat actors also tried to disable caching of responses by setting the Expires date to Thu, 19 Nov 1981 08:52:00 GMT, a common method among threat actors.

By analyzing the last-modified date, it was found that this ransomware DLS has been active since December 2023.

The breach domain runs on the following configuration:

Leak Site: q7uspeblxi35hfd4jzy5evyz7ipjqtezww7giejgwpp5xdnjwxk5sdad.onion
Server: Apache/2.4.58 running on Win64

From this, we can assume that the group primarily uses Windows machines and Apache servers.
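As an added example (not part of the original post), the Python script below parses a constructed set of HTTP response headers and pulls out the same three indicators used above: the Apache version and platform from the Server banner, the fixed 19 Nov 1981 Expires value (which is the default header emitted by PHP's no-cache session limiter, so it also fingerprints a PHP back end), and the Last-Modified date used to estimate how long a site has been active. The header values are invented for illustration and were not captured from the real site.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed sample headers (NOT captured from the real DLS). They mimic
# what a PHP application behind Apache on Windows typically returns.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Date: Mon, 01 Apr 2024 10:00:00 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.3.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Fri, 15 Dec 2023 08:30:00 GMT
Content-Type: text/html; charset=UTF-8
"""

# PHP's session_cache_limiter in "nocache" mode always emits this exact
# Expires value, so matching it is a PHP fingerprint, not just a cache hint.
PHP_NOCACHE_EXPIRES = "Thu, 19 Nov 1981 08:52:00 GMT"


def parse_headers(raw):
    """Parse raw response headers into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint(raw):
    """Extract server version, platform, PHP no-cache marker and activity date."""
    h = parse_headers(raw)
    m = re.match(r"Apache/([\d.]+)\s*\(([^)]*)\)", h.get("server", ""))
    last_mod = h.get("last-modified")
    return {
        "apache_version": m.group(1) if m else None,
        "platform": m.group(2) if m else None,
        "php_nocache": h.get("expires") == PHP_NOCACHE_EXPIRES,
        # Month/year of Last-Modified gives a rough "active since" estimate
        "active_since": parsedate_to_datetime(last_mod).strftime("%B %Y") if last_mod else None,
    }


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HEADERS))
```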

CONCLUSION

From the victim list, we can assume that the group has potential and will come up with more leaks.

It can be assumed that the group has been operational at least since December 2023.

Follow me on Twitter/X for interesting DarkWeb/InfoSec Short findings! ;-)

NOTE:- The article is purely Individual Research and is attributed to Netenrich Research Blog. You can find the corporate version here.


Rakesh Krishnan

Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.