An information stealer named RedEnergy targets multiple industry sectors through a fake update campaign. This malicious software can extract information from different web browsers, allowing it to steal sensitive data. Furthermore, it incorporates various modules to facilitate ransomware activities.
RedEnergy is categorized as Stealer-as-a-Ransomware due to its unique ability to function as both a stealer and ransomware. If you suspect that your computer is already infected, we recommend running a scan with Gridinsoft Anti-Malware to automatically eliminate infiltrated malware.
Learn more about RedEnergy Stealer
| Name | RedEnergy Stealer |
| Detection | Trojan:Win32/Casdet!rfn |
| Threat Type | Trojan Stealer, Ransomware |
| Encrypted Files Extension | .FACKOFF! |
| Ransom Demanding Message | read_it.txt |
| Contacts | [email protected] |
| Ransom Amount | 0.005 BTC |
| Damage | Extract sensitive data from web browsers, encrypt files, demand ransom for their release, and manipulate the appearance of file system folders. It infiltrates systems through deceptive techniques, such as masquerading as legitimate browser updates and employing a deceptive redirection technique. Its impact can result in the theft of personal information, financial data, login credentials, and other sensitive data, causing potential harm to individuals and organizations |
| Fix Tool | See If Your System Has Been Affected by RedEnergy Virus |
When triggered, the malicious RedEnergy executable disguises itself as a genuine browser update, effectively hiding its true nature. It cleverly presents itself as a legitimate update from well-known browsers like Google Chrome, Microsoft Edge, Firefox, and Opera, with the aim of deceiving unsuspecting users.
The malware then deposits four files (two temporary files and two executables) onto the targeted system. One of these files serves as the malicious payload. At the same time, the malware initiates an additional background process representing the malicious payload. As this payload is executed, it displays an insulting message to the victim.
In addition, RedEnergy incorporates a persistence mechanism that allows it to remain on an infected system even after restarting or shutting down. This mechanism ensures that the malware remains active and can continue its malicious activities without interruption.
As part of its operation, RedEnergy integrates ransomware modules into its payload. It encrypts the victim’s data and appends the “.FACKOFF!” extension to the names of all encrypted files. The victim is then presented with a ransom message (“read_it.txt“) demanding payment to regain access to the files. The malware also changes the desktop wallpaper.
Text in the ransom note
YOUR FILES ENCRYPTED VIRUS !!! ANY ATTEMPT THEIR DECRYPT BY, IS ZERO WE HAVE A DECKER, YOU CAN BUY IT FOR ---100$--- At Bitcoin WRITE ON MAIL([email protected]), WE WILL ISSUE YOU DECODER (KEY DECRYPTION) BUY OR EXCHANGE Bitcoin CAN HERE OR WHERE THE YET: Coinmama - hxxps://www.coinmama.com, Bitpanda - hxxps://www.bitpanda.com REQUISITES Payment informationAmount: 0.005 BTC Bitcoin Address: bc1qkvykfukshqywqe40pn9kqv5xc8xr5dwl46k99k MAIL FOR COMMUNICATION : [email protected]
The ransomware modules also delete data from the shadow drive, effectively eliminating any potential backups.
Furthermore, the malicious executable modifies the desktop.ini file, which holds important configuration settings for file system folders. Through this modification, RedEnergy gains the ability to manipulate the appearance of file system folders, potentially enhancing its ability to hide its presence and actions on the compromised system.
Finally, RedEnergy is capable of stealing data from various web browsers, including personal information, login credentials, financial data, online activities, session-related information, and other data.
What next?
In conclusion, RedEnergy is a sophisticated malware that operates as a stealer and ransomware. It uses deceptive techniques, such as masquerading as legitimate browser updates and utilizing persistence mechanisms to maintain its presence on infected systems.
With its ability to steal sensitive information, encrypt files, and demand ransom for their release, RedEnergy poses a significant risk to individuals and organizations. This underscores the importance of robust cybersecurity measures and vigilant online behavior.
How did RedEnergy Stealer infiltrate my computer?
RedEnergy employs a deceptive redirection technique to infect computers, targeting industries with notable LinkedIn pages. Users who attempt to access a targeted company’s website through their LinkedIn profile are unknowingly redirected to a malicious site.
Once there, they are prompted to install what appears to be a legitimate browser update. However, they inadvertently download the RedEnergy executable instead of a genuine update.
To further deceive victims, the campaign uses a disguised download domain that poses as a ChatGPT site, enticing users to download a fake offline version of ChatGPT. This fake version also contains a malicious executable used to distribute RedEnergy.
Multiple related campaigns have been discovered, all employing the FAKEUPDATES tactic and reusing infrastructure and tactics to maximize their impact and profits. The cybercriminals responsible for these campaigns target organizations across various industries, leveraging their established reputations and online presence to effectively deceive unsuspecting users.
How to avoid installing malware?
To protect your computer, it is crucial to regularly update your operating system and software. When dealing with email attachments or encountering suspicious links, especially from unfamiliar or untrusted sources, exercise caution and remain vigilant.
Additionally, it is recommended to use reputable antivirus or anti-malware software to provide an additional layer of protection. Conduct regular system scans to identify and address potential threats. Moreover, avoid downloading files from untrusted websites and be cautious of pop-up advertisements or deceptive download buttons that may lead to malicious content.
How to remove the RedEnergy from my PC?
RedEnergy malware is incredibly difficult to eliminate by hand. It stores its data in numerous locations throughout the disk, and can recover itself from one of the elements. In addition, various modifications in the registry, networking setups and Group Policies are quite hard to find and change to the original. It is better to use a specific app – exactly, an anti-malware program. GridinSoft Anti-Malware will fit the best for malware elimination reasons.
Why GridinSoft Anti-Malware? It is really lightweight and has its databases updated nearly every hour. Additionally, it does not have such problems and vulnerabilities as Microsoft Defender does. The combination of these details makes GridinSoft Anti-Malware suitable for eliminating malware of any form.
Remove the RedEnergy with GridinSoft Anti-Malware
- Download and install GridinSoft Anti-Malware. After the installation, you will be offered to perform the Standard Scan. Approve this action.
- Standard scan checks the logical disk where the system files are stored, together with the files of programs you have already installed. The scan lasts up to 6 minutes.
- When the scan is over, you may choose the action for each detected virus. For all files of RedEnergy the default option is “Delete”. Press “Apply” to finish the malware removal.
Frequently Asked Questions (FAQ)
RedEnergy is a sophisticated malware that functions as both an information stealer and ransomware, targeting multiple industry sectors.
RedEnergy employs deceptive techniques, including a redirection technique and disguised download domains, to trick users into downloading its malicious executable. It often disguises itself as a legitimate browser update or a fake version of popular software.
Once infected, RedEnergy can extract sensitive information from web browsers, encrypt files, demand ransom for their release, manipulate file system folders, and delete potential backups.
RedEnergy masquerades as genuine browser updates, using well-known browser names, and employs deceptive tactics such as displaying insulting messages to victims. It also utilizes disguised download domains to trick users into downloading the malware.
To protect your computer, it is important to keep your operating system and software up to date. Exercise caution when opening email attachments or clicking on suspicious links. Use reputable antivirus or anti-malware software, avoid downloading files from untrusted websites, and be wary of pop-up advertisements or deceptive download buttons.
If you suspect your computer is infected, it is recommended to run a scan with reliable anti-malware software such as Gridinsoft Anti-Malware to automatically eliminate the malware.
RedEnergy poses a significant risk as it can steal personal information, login credentials, financial data, and other sensitive data. It can also encrypt files, demand ransom, and manipulate system folders, potentially causing harm to individuals and organizations.
Implementing strong cybersecurity measures such as regularly updating your system and software, using reputable antivirus or anti-malware software, and practicing safe browsing habits can help defend against RedEnergy. Additionally, backing up your important data regularly can provide an added layer of protection.
How to Remove RedEnergy Malware
Name: RedEnergy
Description: RedEnergy poses a significant risk as it operates as both an information stealer and ransomware. It can extract sensitive data from web browsers, encrypt files, demand ransom for their release, and manipulate the appearance of file system folders. It infiltrates systems through deceptive techniques, such as masquerading as legitimate browser updates and employing a deceptive redirection technique. Its impact can result in the theft of personal information, financial data, login credentials, and other sensitive data, causing potential harm to individuals and organizations. Vigilant cybersecurity measures are crucial to mitigate the damage caused by RedEnergy.
Operating System: Windows
Application Category: Malware
