According to Netenrich, a new ransomware group named Red CryptoApp has recently surfaced, making waves in the cybersecurity world with its unique approach to data leaks. The group, which emerged in March 2024, has already published data from 11 victims on its data leak site (DLS) and announced one victim. Unlike other ransomware DLSs, Red CryptoApp has opted not to use a vanity Onion domain, making it stand out from its peers.
Rakesh Krishnan, Senior Threat Analyst at Netenrich, provided insights into the operations of this new ransomware group. "Based on my investigation of the victim files, the group likely began to target its victims in mid-February 2024," Krishnan noted. He further added that the ransom note is dated February 18, 2024, suggesting that the group started to ramp up its activities in early 2024 and leaked victim data in March 2024.
The ransomware appends all infected files with a .REDCryptoApp extension and provides victims with a unique TOR URL to negotiate with them. The victim login panel, titled "Company Recovery," prompts victims to provide their unique "Hash" ID and solve a captcha to access the chat window. The chat panel displays essential victim information, including the ransom demand, which, in one case, is as high as $5 million.
An intriguing aspect of Red CryptoApp is its use of AI-generated text in its communications, serving as concrete evidence that ransomware groups are increasingly leveraging AI tools. The victim analysis reveals that the United States is the most targeted country, with the software and manufacturing industries being the primary targets.
The Red CryptoApp group maintains two TOR domains, one for hosting leaked victim data and the other for breached data. All victim data is archived as ZIP files in a folder named "Dataprojects." The ransom note used by the group is unique and not found elsewhere, although a portion of it was found in a Maze ransomware note from 2020. This raises questions about whether Red CryptoApp is a spin-off of Maze ransomware, but further evidence is needed to establish a connection.
The infrastructure analysis reveals that the group primarily uses a Windows machine and an Apache server to power its DLS. The breach domain has been active since December 2023, suggesting that Red CryptoApp has been operational for several months.
As the investigation continues, more leaks from Red CryptoApp are likely to surface. Krishnan concludes, "Analysis of the victim list suggests Red CryptoApp has been operational since at least December 2023. The group has potential and may likely announce more leaks." This ongoing story serves as a reminder of the evolving threat landscape and the importance of robust cybersecurity measures to protect against ransomware attacks.