On September 1, 2022, Chile’s national Computer Security and Incident Response Team (CSIRT) announced that the Chilean government’s Microsoft and VMware ESXi servers had been targeted with ransomware by an unknown threat actor. The announcement did not attribute the activity to a specific ransomware group, and the techniques used in the attack gave no clear indication of who was behind it.
The ransomware used the NTRUEncrypt encryption algorithm and targeted .log, .exe, .dll, .vswp, .vmdk, .vmsn, and .vmem files, among others. These files were all encrypted and renamed with a “.crypt” extension, a technique previously seen in RedAlert ransomware, but nothing was found to confirm the connection. While some indicators point to RedAlert and others point to Conti, a Chilean threat analyst who analyzed the sample reported that the strain appears to be entirely new and cannot be attributed to a specific group at this time.
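As an added example (not code from the CSIRT announcement or the analyst's report), here is a simple detection a defender could run over file-rename telemetry: it flags hosts where files of the targeted types are renamed to a ".crypt" extension in a burst. The event record shape, host names, paths, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# File types the write-up names as targeted; the renamed files carried ".crypt".
TARGETED_EXTS = {".log", ".exe", ".dll", ".vswp", ".vmdk", ".vmsn", ".vmem"}
RANSOM_SUFFIX = ".crypt"

def is_suspicious_rename(old_name: str, new_name: str) -> bool:
    """A targeted file type renamed so that it now ends in ".crypt"."""
    old, new = old_name.lower(), new_name.lower()
    return new.endswith(RANSOM_SUFFIX) and any(old.endswith(e) for e in TARGETED_EXTS)

def detect_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Map host -> largest number of suspicious renames seen in any `window`.

    Only hosts reaching `threshold` are returned. `events` are dicts with
    "ts" (ISO-8601), "host", "old", "new"; this record shape is an assumption.
    """
    per_host = defaultdict(list)
    for ev in events:
        if is_suspicious_rename(ev["old"], ev["new"]):
            per_host[ev["host"]].append(datetime.fromisoformat(ev["ts"]))
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = max(alerts.get(host, 0), end - start + 1)
    return alerts

# Constructed sample: a burst on esxi-01, a single rename on esxi-02, one benign rename.
SAMPLE_EVENTS = [
    {"ts": f"2022-09-01T03:14:{s:02d}", "host": "esxi-01",
     "old": f"/vmfs/volumes/ds1/vm{i}/vm{i}.vmdk",
     "new": f"/vmfs/volumes/ds1/vm{i}/vm{i}.vmdk.crypt"}
    for i, s in enumerate((5, 6, 8, 9, 12, 15))
] + [
    {"ts": "2022-09-01T03:20:00", "host": "esxi-02",
     "old": "/vmfs/volumes/ds2/app/app.vswp", "new": "/vmfs/volumes/ds2/app/app.vswp.crypt"},
    {"ts": "2022-09-01T03:21:00", "host": "esxi-01",
     "old": "/var/log/hostd.log", "new": "/var/log/hostd.log.1"},  # normal log rotation
]

if __name__ == "__main__":
    print(detect_bursts(SAMPLE_EVENTS))  # {'esxi-01': 6}
```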
This attack is an example of the ever-changing threat landscape in cybersecurity. While defense teams come up with new detections for malicious activity daily, attackers are constantly updating their malware to evade those detections, or, as appears to be the case here, new attackers develop their own techniques. The attack also highlights one of the main difficulties in cybersecurity: attribution. Defenders can attempt to attribute an attack to a specific group based on the Tactics, Techniques, and Procedures (TTPs) used, but it is difficult to attribute an attack to a specific entity with certainty.