October 3, 2023

Security researchers have spotted a new strain of ransomware called RedEnergy Stealer, posing a significant threat to critical infrastructure systems worldwide.

Its sophistication and its ability to infiltrate critical infrastructure sectors, including energy, transportation, and industrial control systems, have drawn attention. It exploits vulnerabilities, often leveraging compromised supply chain channels and social engineering to gain access, and then spreads swiftly, encrypting sensitive data and paralyzing crucial systems.

Stealer-as-a-Ransomware is an alarming advancement in ransomware attacks, as it combines the functionalities of both data stealing and ransomware. This sophisticated malware utilizes obfuscation techniques and employs HTTPS for C2 communication, making it difficult to detect and analyze.


RedEnergy Stealer employs advanced evasion techniques to bypass traditional security measures, making it particularly challenging to detect and mitigate. The malware operates by stealing critical information, such as login credentials, financial data, and intellectual property, before deploying the ransomware payload. This dual approach of data theft and encryption intensifies the pressure on victims to comply with the attackers’ demands.

Researchers’ documentation reveals a well-orchestrated operation targeting organizations worldwide. The attackers behind this strain have demonstrated a deep understanding of the targeted industries, tailoring their attacks to exploit sector-specific vulnerabilities. The energy sector has experienced a surge in attacks, with several high-profile incidents resulting in disruptions to power grids and oil refineries.

Operation Stages

  • The attackers employ multi-stage techniques, disguising the malware as browser updates to deceive users who click on links from LinkedIn. 
  • It uses obfuscation techniques and communicates via HTTPS for C2 purposes, making it difficult to detect and analyze. It operates through multiple stages, starting with the execution of disguised malicious executables. 
  • It establishes persistence, communicates with DNS servers, and downloads additional payloads from remote locations. Suspicious FTP interactions suggest potential data exfiltration and unauthorized file uploads.
  • In the final stage, the malware eradicates shadow drive data and Windows backup plans, further solidifying its ransomware characteristics. A batch file and a ransom note are left behind, demanding payment in exchange for file decryption.

The discovery of suspicious FTP interactions raises further concerns about potential data exfiltration and unauthorized file uploads. The malware’s ransomware modules are responsible for encrypting user data using the “.FACKOFF!” extension, rendering it inaccessible until a ransom is paid. Additionally, the alteration of the desktop.ini file enhances the malware’s ability to evade detection and manipulate file system folder display settings.
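A defender-side illustration of the behaviours listed above, added here as example code (not from the article or from any vendor tooling): it runs simple detection rules over constructed endpoint events and flags the final stage when backup destruction and the “.FACKOFF!” extension appear together. The vssadmin/wbadmin command patterns are assumptions, since the article names only the effect; the extension, the desktop.ini change and the setupbrowser.exe name come from the article.

```python
import re

# Constructed sample of endpoint telemetry (not real data) modelled on the stages the
# article describes: a dropper disguised as a browser update, shadow-copy and backup
# removal, files renamed with the ".FACKOFF!" extension, and desktop.ini tampering.
SAMPLE_EVENTS = [
    {"kind": "process", "cmdline": r"C:\Users\alice\Downloads\setupbrowser.exe"},
    {"kind": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"kind": "process", "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"kind": "file", "path": r"C:\Users\alice\Documents\q3-report.docx.FACKOFF!"},
    {"kind": "file", "path": r"C:\Users\alice\Documents\desktop.ini"},
    {"kind": "file", "path": r"C:\Users\alice\Documents\notes.txt"},
    {"kind": "process", "cmdline": r"C:\Windows\System32\notepad.exe readme.txt"},
]

# (rule name, event kind, pattern). The two backup-destruction command lines are an
# assumption about how "shadow drive data and Windows backup plans" get removed; the
# article names the effect, not the commands. Extension, desktop.ini and the
# setupbrowser.exe file name are taken from the article and its indicators.
RULES = [
    ("masqueraded_updater", "process", re.compile(r"(^|\\)setupbrowser\.exe\b", re.I)),
    ("shadow_copy_deletion", "process", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_catalog_deletion", "process", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("ransom_extension", "file", re.compile(r"\.FACKOFF!$")),
    # desktop.ini writes are noisy on their own (Explorer writes them legitimately),
    # so they only add weight when seen alongside the other stages.
    ("desktop_ini_write", "file", re.compile(r"(^|\\)desktop\.ini$", re.I)),
]


def match_rules(event):
    """Return the names of every rule the event triggers."""
    text = event.get("cmdline") or event.get("path") or ""
    return [name for name, kind, rx in RULES if kind == event["kind"] and rx.search(text)]


def triage(events):
    """Count rule hits and flag the article's final stage: backup destruction seen
    together with files carrying the ransom extension on the same host."""
    hits = {name: 0 for name, _, _ in RULES}
    for event in events:
        for name in match_rules(event):
            hits[name] += 1
    backups_destroyed = hits["shadow_copy_deletion"] + hits["backup_catalog_deletion"] > 0
    return {"hits": hits, "final_stage": backups_destroyed and hits["ransom_extension"] > 0}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```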


Security experts warn that the implications of a successful RedEnergy Stealer attack on critical infrastructure are severe. The potential consequences range from significant economic losses, due to disrupted operations, to potential threats to public safety and national security. The urgency to address this escalating threat cannot be overstated, as attackers continue to refine their tactics and evade existing security measures.

Governments, organizations, and cybersecurity experts are now collaborating to develop proactive strategies to defend against the RedEnergy Stealer ransomware. This includes bolstering security frameworks, enhancing incident response capabilities, and investing in threat intelligence sharing across industries. Heightened awareness and ongoing education efforts are also crucial to mitigate the risk of falling victim to such targeted attacks.


As technology evolves, so do the tactics employed by malicious actors. It is essential for organizations to remain vigilant, continuously update their security protocols, and invest in robust cybersecurity measures to safeguard critical infrastructure and protect against emerging threats like RedEnergy Stealer.

TTP Details

  • T1036 (Defense Evasion): Masquerading
  • T1185 (Collection): Browser Session Hijacking
  • T1070.006 (Defense Evasion): Timestomp
  • T1560 (Collection): Archive Collected Data
  • T1027 (Defense Evasion): Obfuscated Files or Information
  • T1562.001 (Defense Evasion): Disable or Modify Tools

Indicators of Compromise

  • fb7883d3fd9347debf98122442c2a33e
  • www[.]igrejaatos2[.]org/assets/programs/setupbrowser[.]exe
  • cb533957f70b4a7ebb4e8b896b7b656c
  • 2no[.]co
  • 642dbe8b752b0dc735e9422d903e0e97
