Ikaruz Red Team | Hacktivist Group Leverages Ransomware for Attention Not Profit

Politically-motivated hacktivist groups are increasingly using ransomware to disrupt targets and draw attention to their causes. Notably, the Ikaruz Red Team, along with aligned groups like the Turk Hack Team and Anka Underground, have been leveraging leaked ransomware builders in their recent attacks. These groups have targeted entities in the Philippines, conducting defacements, small-scale DDoS attacks, and ransomware attacks, and have hijacked branding and imagery from the government’s Computer Emergency Response Program (CERT-PH).

Ikaruz Red Team, previously known for web defacements, is now engaged in small-scale ransomware attacks using modified LockBit 3 ransomware payloads. They have been distributing these payloads and advertising data leaks from various organizations in the Philippines. Their ransom notes are almost identical to the original LockBit templates, with minor modifications. The group has also used other ransomware families such as JellyFish, Vice Society, ALPHV, BianLian, 8base, and Cl0p. These attacks are part of a larger trend of hacktivist activities targeting the Philippines amid rising regional tensions, particularly with China. Over the past year, the Philippines has seen an increase in hacktivist campaigns, with groups like Robin Cyber Hood, Philippine Exodus, Cyber Operations Alliance, and Philippine Hacking University engaging in ransomware attacks, misinformation campaigns, and espionage.
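The ransomware activity described above (payloads built from a leaked builder, files encrypted in bulk, a near-identical ransom note dropped alongside them) has a file-system signature that defenders can watch for regardless of which family the builder came from. The following detector is an added example, not code from the original briefing or from any of the groups named in it. It runs two heuristics over file-system audit events: a burst of renames to one previously unseen extension across several directories, and the same file name being created in many directories within a short window. The event format, the `.lck9` extension and the `README_RESTORE.txt` name are constructed for the sample and are not indicators from the briefing; the allowlist of known extensions is an assumption a real deployment would build from its own baseline.

```python
"""Heuristic ransomware-activity detector over file-system audit events.

Added example, not from the original briefing. The input format is a
constructed one: each line is "timestamp,action,path" with action CREATE,
RENAME or WRITE. Real deployments would feed in Sysmon, auditd or EDR
telemetry instead.
"""
from collections import Counter, defaultdict
from datetime import datetime
from pathlib import PurePosixPath

# Constructed sample telemetry: a normal session, then a burst in which
# files in several directories are renamed to one new extension and a
# note file is dropped into each of those directories.
SAMPLE_EVENTS = """\
2024-04-01T09:00:01,WRITE,/srv/share/finance/q1.xlsx
2024-04-01T09:00:05,RENAME,/srv/share/finance/q1.xlsx.bak
2024-04-01T09:03:10,CREATE,/srv/share/hr/new_hire.docx
2024-04-01T10:15:00,RENAME,/srv/share/finance/q1.xlsx.lck9
2024-04-01T10:15:00,RENAME,/srv/share/finance/q2.xlsx.lck9
2024-04-01T10:15:01,RENAME,/srv/share/hr/new_hire.docx.lck9
2024-04-01T10:15:01,RENAME,/srv/share/hr/payroll.csv.lck9
2024-04-01T10:15:02,RENAME,/srv/share/legal/contract.pdf.lck9
2024-04-01T10:15:02,RENAME,/srv/share/legal/nda.pdf.lck9
2024-04-01T10:15:03,CREATE,/srv/share/finance/README_RESTORE.txt
2024-04-01T10:15:03,CREATE,/srv/share/hr/README_RESTORE.txt
2024-04-01T10:15:04,CREATE,/srv/share/legal/README_RESTORE.txt
"""

WINDOW_SECONDS = 60        # sliding window length (assumption)
RENAME_THRESHOLD = 5       # renames to one new extension before alerting
NOTE_DIR_THRESHOLD = 3     # same file name created in this many directories
# Extensions considered normal for this share; built from a baseline in practice.
KNOWN_EXTENSIONS = {".bak", ".tmp", ".xlsx", ".docx", ".pdf", ".csv", ".txt"}


def parse_events(text: str) -> list:
    """Parse the constructed CSV-like event lines into (time, action, path)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, path = line.split(",", 2)
        events.append((datetime.fromisoformat(ts), action.strip(), path.strip()))
    return events


def detect(events: list) -> dict:
    """Return alerts keyed by (kind, value) with the strongest count seen.

    kind is "mass_rename" (value = new extension) or "note_drop"
    (value = file name). Each window starting at an event is examined.
    """
    events = sorted(events, key=lambda e: e[0])
    alerts = {}
    for i, (t0, _, _) in enumerate(events):
        window = [e for e in events[i:] if (e[0] - t0).total_seconds() <= WINDOW_SECONDS]
        ext_count = Counter()
        ext_dirs = defaultdict(set)
        name_dirs = defaultdict(set)
        for _, action, path in window:
            p = PurePosixPath(path)
            if action == "RENAME" and p.suffix and p.suffix.lower() not in KNOWN_EXTENSIONS:
                ext_count[p.suffix] += 1
                ext_dirs[p.suffix].add(str(p.parent))
            elif action == "CREATE":
                name_dirs[p.name].add(str(p.parent))
        # Many renames to one unknown extension spread over several directories.
        for ext, n in ext_count.items():
            if n >= RENAME_THRESHOLD and len(ext_dirs[ext]) >= 2:
                key = ("mass_rename", ext)
                alerts[key] = max(alerts.get(key, 0), n)
        # The same file name dropped into many directories (ransom-note pattern).
        for name, dirs in name_dirs.items():
            if len(dirs) >= NOTE_DIR_THRESHOLD:
                key = ("note_drop", name)
                alerts[key] = max(alerts.get(key, 0), len(dirs))
    return alerts


if __name__ == "__main__":
    for (kind, value), count in detect(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {kind}: {value!r} (count={count})")
```

Both heuristics fire on the constructed burst and neither fires on the earlier `.bak` rename, which is on the allowlist. Tuning the window and thresholds against a baseline of normal activity on the monitored share is what keeps this from paging on a legitimate bulk rename.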

Security Officer Comments:
Ikaruz Red Team is closely associated with Anka Red Team and Turk Hack Team, the latter being a pro-Hamas collective known for website defacements and DDoS attacks. Since the onset of the Israel-Hamas war, Turk Hack Team has gained increased notoriety. Ikaruz Red Team has also co-opted imagery and branding from the Philippine Department of Information and Communications Technology’s Hack4Gov challenge in their defacements and social media profiles, possibly to mock the government’s cybersecurity efforts or to cloak their activities behind official-looking icons.

Active on various social media platforms and forums, Ikaruz Red Team uses aliases like “IkaruzRT” and “Ikaruz Reignor” to engage with their audience and promote their political causes. Their social media activities include claiming responsibility for attacks and advertising data leaks, furthering their goal of causing disruption and drawing attention. The rise in politically-motivated attacks targeting the Philippines, facilitated by the availability of leaked ransomware builders, indicates a broader movement of hacktivist groups seeking to destabilize the region amid geopolitical tensions.

Suggested Corrections:

**Back up your data, system images, and configurations, test them regularly, and keep the backups offline:** Ensure that backups are tested regularly and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current offline backups is critical: if your network data is encrypted by ransomware, your organization can still restore its systems.

**Update and patch systems promptly:** This includes keeping operating systems, applications, and firmware up to date in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.

**Test your incident response plan:** Nothing reveals the gaps in a plan more than testing it. Run through some core questions and use the answers to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you shut down your manufacturing operations if business systems such as billing were offline?

**Check your security team's work:** Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

**Segment your networks:** There has been a recent shift in ransomware attacks, from stealing data to disrupting operations. It is critically important that your corporate business functions and manufacturing/production operations are separated, that you carefully filter and limit internet access to operational networks, that you identify links between these networks, and that you develop workarounds or manual controls so ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

**Train employees:** Email remains the most vulnerable attack vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.
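The first recommendation above, test backups regularly and keep them offline, is only meaningful if the test can tell a usable backup set from one that has been silently encrypted, partially copied, or left to go stale. The script below is an added example, not code from the original briefing: it records a SHA-256 manifest when the backup is taken and later verifies the set against it, reporting missing, modified and unexpected files and whether the backup is older than the recovery objective. The directory layout, file names, manifest format and seven-day age limit are assumptions; the check is meant to run on the host holding the offline copy, not from the production network.

```python
"""Backup integrity check against a hash manifest.

Added example, not from the original briefing. Paths, file names and the
manifest format are assumptions. demo() builds a small backup set in a
temporary directory, then simulates damage and re-verifies it.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path, taken_at: datetime) -> dict:
    """Record the hash of every file under backup_dir plus when it was taken.

    The manifest itself should be stored separately from the backup media
    (assumption), so an attacker who reaches the copy cannot rewrite both.
    """
    files = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            files[p.relative_to(backup_dir).as_posix()] = sha256_file(p)
    return {"taken_at": taken_at.isoformat(), "files": files}


def verify_backup(backup_dir: Path, manifest: dict, now: datetime, max_age: timedelta) -> dict:
    """Compare the backup set with the manifest and return a restorability report."""
    report = {"ok": [], "missing": [], "modified": [], "unexpected": [], "stale": False}
    taken = datetime.fromisoformat(manifest["taken_at"])
    report["stale"] = (now - taken) > max_age
    expected = manifest["files"]
    for rel, digest in expected.items():
        p = backup_dir / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    # Files that were not in the manifest: a dropped note or a stray copy.
    for p in backup_dir.rglob("*"):
        rel = p.relative_to(backup_dir).as_posix()
        if p.is_file() and rel not in expected:
            report["unexpected"].append(rel)
    report["restorable"] = not (report["missing"] or report["modified"] or report["stale"])
    return report


def demo() -> dict:
    """Constructed scenario: take a backup, then simulate damage and re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
        (backup / "config.yaml").write_bytes(b"retention_days: 30\n")
        (backup / "image.img").write_bytes(os.urandom(4096))
        manifest = build_manifest(backup, taken_at=datetime(2024, 4, 1, 2, 0))

        # Simulated damage: one file altered in place, one lost, one foreign file added.
        (backup / "config.yaml").write_bytes(b"retention_days: 30\nencrypted: true\n")
        (backup / "image.img").unlink()
        (backup / "RESTORE_NOTE.txt").write_bytes(b"constructed sample note\n")

        return verify_backup(backup, manifest,
                             now=datetime(2024, 4, 3, 2, 0), max_age=timedelta(days=7))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo reports one intact file, one modified, one missing and one unexpected file, with `restorable` false even though the backup is within its age limit. Run the same verification as part of a scheduled restore drill rather than only at backup time, since a hash that matched when the copy was written says nothing about what happened to the media afterwards.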