{"id":15667,"date":"2023-07-04T13:10:28","date_gmt":"2023-07-04T13:10:28","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=15667"},"modified":"2024-12-20T23:44:17","modified_gmt":"2024-12-20T23:44:17","slug":"redenergy-stealer-as-a-ransomware","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/redenergy-stealer-as-a-ransomware\/","title":{"rendered":"RedEnergy Stealer-as-a-Ransomware On The Rise"},"content":{"rendered":"

Researchers have discovered a new form of malware called RedEnergy Stealer. It is categorized as Stealer-as-a-Ransomware<\/strong> but is not affiliated with the Australian company Red Energy.<\/p>\n

A malware called RedEnergy stealer uses a sneaky tactic to steal sensitive data<\/strong> from different web browsers. Its fundamental spreading way circulates fake updates \u2013 pop-ups<\/a> and banners that bait the user to install what appears to be the malicious payload. RedEnergy also has multiple modules that can carry out ransomware activities<\/strong>. Despite using common method names, the malware has kept its original name. RedEnergy is classified as Stealer-as-a-Ransomware because it can function as a stealer<\/a> and ransomware.<\/p>\n

\"What
Detection names on VirusTotal site<\/figcaption><\/figure>\n

What is RedEnergy Malware?<\/h2>\n

RedEnergy is a malware designed to appear as a legitimate browser update<\/strong>, tricking users into downloading and installing it. It imitates well-known browsers like Google Chrome, Microsoft Edge, Firefox, and Opera, and once triggered, it deposits four files (two temporary files and two executables) onto the targeted system. One of these files contains a malicious payload and initiates a background process<\/strong>. The load displays an insulting message to the victim once executed.<\/p>\n

\"RedEnergy
RedEnergy Infection chain<\/figcaption><\/figure>\n

Also, RedEnergy is malicious software that remains on an infected system even after restart<\/strong> or shutdown. This allows it to continue its harmful activities uninterrupted. As part of its operation, it also encrypts the victim’s data and adds the “.FACKOFF!<\/strong>” extension to all the encrypted files. It then demands payment from the victim to restore access to the files through a ransom message (“read_it.txt<\/strong>“) and changes the desktop wallpaper.<\/p>\n

\"Encrypted
Encrypted files with .FACKOFF! extension<\/figcaption><\/figure>\n

One of the things that the ransomware does is delete data from the shadow drive, which means that any backups are erased. In addition, the malicious software changes the desktop.ini<\/code> file, which contains basic settings for file system folders<\/strong>. By doing this, RedEnergy can alter the appearance of the folders, making it easier to hide its activities on the system. Lastly, RedEnergy can also steal data from different web browsers, potentially giving it access to personal information<\/strong>, login details, financial data, online activities, session-related information, and other essential data.<\/p>\n

Threat Summary<\/h3>\n
\n\n\n\n\n\n\n\n\n
Name<\/strong>\n <\/td>\nRedEnergy Stealer-as-a-Ransomware\n <\/td>\n<\/tr>\n
Threat Type<\/strong>\n <\/td>\nInformation stealer, ransomware\n <\/td>\n<\/tr>\n
Encrypted Files Extension<\/strong>\n <\/td>\n.FACKOFF!\n <\/td>\n<\/tr>\n
Ransom Demanding Message<\/strong>\n <\/td>\nread_it.txt\n <\/td>\n<\/tr>\n
Cyber Criminal Contact<\/strong>\n <\/td>\ngeorger1212@proton.me\n <\/td>\n<\/tr>\n
Ransom Amount<\/strong>\n <\/td>\n0.005 BTC\n <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

How does RedEnergy Malware work?<\/h2>\n

This threat campaign uses a deceitful redirection technique to trick users<\/strong>. When users try to access the targeted company’s website through their LinkedIn profile, they are unknowingly sent to a malicious website<\/strong>. On this website, they are asked to download what seems like a legitimate browser update, presented as four different browser icons. However, this is a trap, and the unsuspecting user downloads an executable file called RedStealer instead of an actual update.<\/p>\n

\"How
Example of Malicious download site<\/figcaption><\/figure>\n

A deceptive threat campaign uses a misleading download domain<\/strong> called www[.]igrejaatos2[.]org<\/code>. The domain appears as a ChatGpt site, but it’s counterfeit and aims to trick victims into downloading a fake offline version of ChatGpt. Unfortunately, the zip file contains the same malicious executable<\/strong> as before, and victims unknowingly acquire it upon downloading.<\/p>\n

\"RedEnergy<\/a><\/p>\n

How to avoid installation of RedEnergy Malware?<\/h2>\n

Individuals and organizations must exercise extreme caution when accessing websites<\/strong>, particularly those linked to LinkedIn profiles. Verifying browser updates’ authenticity and being wary of unexpected file downloads<\/strong> are paramount to protecting against such malicious campaigns.<\/p>\n

To prevent negative consequences, there are several essential steps to take:<\/p>\n

    \n
  • Updating your operating system and software regularly.<\/li>\n
  • Essential to be cautious when dealing with email attachments or suspicious links, especially from unknown sources.<\/li>\n
  • Consider using reliable antivirus or anti-malware software to provide extra protection and conduct regular system scans.<\/li>\n
  • Avoid downloading files from untrusted websites and be wary of pop-up ads or misleading download buttons that may contain harmful content.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

    Researchers have discovered a new form of malware called RedEnergy Stealer. It is categorized as Stealer-as-a-Ransomware but is not affiliated with the Australian company Red Energy. A malware called RedEnergy stealer uses a sneaky tactic to steal sensitive data from different web browsers. Its fundamental spreading way circulates fake updates \u2013 pop-ups and banners that […]<\/p>\n","protected":false},"author":7,"featured_media":15687,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15,17],"tags":[28,55,1360],"class_list":{"0":"post-15667","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"category-labs","9":"tag-malware","10":"tag-ransomware","11":"tag-stealer"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/07\/GS_Blog_banner_RedEnergy-Stealer-as-a-Ransomware_1280x674.webp","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/15667","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=15667"}],"version-history":[{"count":24,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/15667\/revisions"}],"predecessor-version":[{"id":28884,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/15667\/revisions\/28884"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/15687"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=15667"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=15667"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=15667"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}