New Threat Research: The Client/Server Relationship — A Match Made In Heaven 

Read Threat Research


New RedAlert Ransomware Targets Windows, Linux VMware ESXi Servers

A new ransomware operation called RedAlert, or N13V, encrypts both Windows and Linux VMWare ESXi servers in attacks on corporate networks. The new operation was discovered today by MalwareHunterTeam, who tweeted various images of the gang’s data leak site. The ransomware has been called ‘RedAlert’ based on a string used in the ransom note. However, from a Linux encryptor obtained by reporters, the threat actors call their operation ‘N13V’ internally.

The Linux encryptor is created to target VMware ESXi servers, with command-line options that allow the threat actors to shut down any running virtual machines before encrypting files. When encrypting files, the ransomware utilizes the NTRUEncrypt public-key encryption algorithm, which support various ‘Parameter Sets’ that offer different levels of security. An interesting feature of RedAlert/N13V is the ‘-x’ command-line option that performs ‘asymmetric cryptography performance testing’ using these different NTRUEncrypt parameter sets. However, it is unclear if there is a way to force a particular parameter set when encrypting and/or if the ransomware will select a more efficient one. The only other ransomware operation known to use this encryption algorithm is FiveHands.

When encrypting files, the ransomware will only target files associated with VMware ESXi virtual machines, including log files, swap files, virtual disks, and memory files, as listed below. In the sample analyzed by researchers, the ransomware would encrypt these file types and append the .crypt658 extension to the file names of encrypted files. In each folder, the ransomware will also create a custom ransom note named HOW_TO_RESTORE, which contains a description of the stolen data and a link to a unique TOR ransom payment site for the victim.

The Tor payment site is like other ransomware operation sites as it displays the ransom demand and provides a way to negotiate with the threat actors. However, RedAlert/N13V only accepts the Monero cryptocurrency for payment, which is not commonly sold in USA crypto exchanges because it is a privacy coin. While only a Linux encryptor has been found, the payment site has hidden elements showing that Windows decryptors also exist.

Like almost all new enterprise-targeting ransomware operations, RedAlert conducts double-extortion attacks, in which data is stolen, and then ransomware is deployed to encrypt devices. This tactic provides two extortion methods, allowing the threat actors to not only demand ransom to receive a decryptor but also demand one to prevent the leaking of stolen data. When a victim does not pay a ransom demand, the RedAlert gang publishes stolen data on their data leak site that anyone can download.

Analyst Notes

One of the best defenses from ransomware isto have a strong backup policy. The standard 3-2-1 backup method applies. Three copies of the data, on two separate storage medias with one of them being offsite. It is also important for organizations to regularly audit both their backup capabilities and their capability to restore from backup, so that backups can be smoothly accomplished in the event of a disruptive attack or disaster.
Currently, the RedAlert data leak site only contains the data for one organization, indicating that the operation is very new. While there has not been a lot of activity with the new N13V/RedAlert ransomware operation, it poses a significant threat due to its advanced functionality and immediate support for both Linux and Windows.