Researchers Reveal Ikaruz Red Team’s Rising Threat to Philippine Cybersecurity
SentinelOne, a leading cybersecurity firm, has released a comprehensive report detailing the activities of the Ikaruz Red Team (IRT), a hacktivist group increasingly targeting the Philippines with ransomware and other cyberattacks. The report highlights IRT’s evolving tactics, motivations, and potential ties to geopolitical tensions in the region.
Ikaruz Red Team has been active in the Philippines, conducting attacks through various methods including defacements, small-scale DDoS attacks, and now, ransomware. These activities are part of a broader trend of hacktivist groups targeting the region amidst rising tensions with China. IRT is closely associated with other hacktivist groups like Turk Hack Team and Anka Underground (also known as Anka Red Team), which have similarly targeted entities in the Philippines.
In recent months, Ikaruz Red Team has conducted ransomware attacks using modified LockBit 3 ransomware payloads. They have been distributing these payloads and advertising data leaks from various organizations in the Philippines. The group’s ransom notes are almost identical to the original LockBit notes, with the name changed to “Ikaruz Red Team.” This minimal modification suggests that IRT’s primary motivation is to cause disruption and gain attention, rather than to engage in typical ransomware operations such as victim negotiation.
IRT’s attacks typically involve distributing ransomware payloads via self-extracting RAR files. These archives include the LockBit 3.0 executable, which encrypts files on the target’s system. The encrypted files are given a unique extension, and the desktop wallpaper is changed to display instructions pointing the victim to the ransom note.
In their efforts to draw attention, Ikaruz Red Team has also co-opted imagery and branding from the Philippine government’s Hack4Gov challenge. This challenge, started in 2023, is a government-sponsored cybersecurity competition aimed at building the country’s cybersecurity capacity. IRT has incorporated this imagery into their defacements and social media profiles, possibly to mock the government’s cybersecurity efforts or to cloak their activities behind official-looking iconography.
Ikaruz Red Team is active on various social media platforms under aliases like “IkaruzRT” and “Ikaruz Reignor.” They use these platforms to engage with their audience and promote their political causes. The group’s social media postings often advertise data leaks and breaches, with profiles on forums like BreachForums and Zone-Xsec.
The activities of Ikaruz Red Team are part of a larger movement of hacktivist groups targeting the Philippines. These groups, including PHEDS, Robin Cyber Hood, and Cyber Operations Alliance, have been increasingly destructive in their attacks, ranging from government data breaches to ransomware campaigns. The open availability of leaked ransomware builders has facilitated these attacks, allowing even unsophisticated threat actors to cause significant disruption.
The rise of politically motivated ransomware attacks in the Philippines serves as a stark reminder that cybersecurity is not just about protecting against financial crime, but also about safeguarding against actors seeking to disrupt and destabilize critical infrastructure and services.