On September 1, 2022, Chile’s national Computer Security and Incident Response Team (CSIRT) announced that the Chilean government’s Microsoft and VMware ESXi servers had been targeted with ransomware by an unknown threat actor. The announcement did not attribute the activity to a specific ransomware group, and the techniques used in the attack did not point to a particular group either.
The ransomware used the NTRUEncrypt encryption algorithm and targeted .log, .exe, .dll, .vswp, .vmdk, .vmsn, and .vmem files, among others. These files were all encrypted and renamed with “.crypt” extensions, a technique RedAlert ransomware has used in the past, but nothing was found to confirm the link for certain. While some indicators point to RedAlert and others point to Conti, a Chilean threat analyst who analyzed the sample reported that the strain appears to be entirely new and cannot be attributed to a specific group at this time.
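The rename pattern above (targeted extension plus “.crypt”) is a cheap file-system indicator an incident responder can use to scope how far encryption spread on an ESXi datastore or Windows host. The following is an added example, not code from the advisory or from any CSIRT tooling; it assumes the “.crypt” suffix is appended after the original extension (the page does not say whether it replaces or follows it), walks a directory tree without opening or modifying any file, and tallies hits by original extension. The sample tree it builds is constructed for the demonstration and is not real incident data.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the advisory says the ransomware targeted (from the page).
TARGETED_EXTENSIONS = {".log", ".exe", ".dll", ".vswp", ".vmdk", ".vmsn", ".vmem"}
# Extension the encrypted files were renamed with (from the page).
ENCRYPTED_SUFFIX = ".crypt"


def classify_encrypted_file(name: str):
    """Return the original extension of an encrypted file name, or None if it isn't one.

    Assumption (not stated on the page): ".crypt" is appended after the original
    extension, e.g. "disk.vmdk" -> "disk.vmdk.crypt". A ".crypt" file whose stem
    has no targeted extension is still reported, under "<other>", so that files
    outside the known list are not silently missed during triage.
    """
    lower = name.lower()
    if not lower.endswith(ENCRYPTED_SUFFIX):
        return None
    stem = lower[: -len(ENCRYPTED_SUFFIX)]
    orig_ext = os.path.splitext(stem)[1]
    return orig_ext if orig_ext in TARGETED_EXTENSIONS else "<other>"


def hunt_encrypted_files(root):
    """Walk a directory tree and tally ".crypt" files by original extension.

    Returns (Counter, sorted list of matching paths). Only names are inspected;
    nothing is opened or written, so this is safe to run on a suspect datastore
    that should be preserved for forensics.
    """
    tally = Counter()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            ext = classify_encrypted_file(fname)
            if ext is not None:
                tally[ext] += 1
                hits.append(os.path.join(dirpath, fname))
    return tally, sorted(hits)


def build_sample_tree():
    """Create a constructed sample tree (not real incident data) in a temp dir."""
    root = tempfile.mkdtemp(prefix="crypt_hunt_")
    vm = Path(root) / "datastore1" / "vm01"
    vm.mkdir(parents=True)
    for name in ("vm01.vmdk.crypt", "vm01.vmem.crypt", "vm01.vmsn.crypt",
                 "vm01.vswp.crypt", "vm01.vmx", "vmware.log.crypt"):
        (vm / name).write_bytes(b"constructed sample")
    win = Path(root) / "windows"
    win.mkdir()
    for name in ("svc.exe.crypt", "helper.dll.crypt", "notes.txt.crypt", "readme.txt"):
        (win / name).write_bytes(b"constructed sample")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    tally, hits = hunt_encrypted_files(root)
    for ext, count in sorted(tally.items()):
        print(f"{ext:8s} {count}")
    print(f"{len(hits)} encrypted-looking files under {root}")
```

Run it against a real datastore by passing the mount point to `hunt_encrypted_files` instead of the constructed tree; a non-zero `<other>` count is worth a closer look, since it means the strain touched extensions the advisory does not list. Because the indicator only appears after encryption has happened, this is a scoping and triage aid, not a preventive control.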