RedAlert ransomware can target both Linux and Windows OS

July 11, 2022

A newly discovered ransomware campaign, which researchers have named RedAlert, can encrypt both Windows and Linux VMware ESXi servers and is being used to attack corporate networks worldwide. The new ransomware was first reported on Twitter, in a post that included several images of the group's data leak site.

Researchers dubbed the campaign RedAlert after a string used in the ransom note left for victims. The threat actors themselves, however, call their operation N13V in the Linux-based attacks.

The Linux encryptor is built specifically for VMware ESXi servers: it offers command-line options that let its operators shut down running virtual machines before encrypting their files.

For file encryption, the ransomware uses the NTRUEncrypt public-key encryption algorithm, which supports multiple parameter sets offering different levels of security.

A notable feature of the new ransomware is a command-line option that runs asymmetric cryptography performance tests with different NTRUEncrypt parameter sets. It is still unclear whether there is a way to force a specific parameter set during encryption, or whether the ransomware will simply pick the most efficient one.

The only other ransomware known to use this algorithm is FiveHands.


The RedAlert ransomware only targets files associated with VMware ESXi virtual machines and a few other specific file types.


Analysis of the file encryption routine shows that RedAlert only collects files belonging to VMware ESXi virtual machines, such as log files, swap files, memory files, and virtual disks.

In a sample examined by a separate researcher, the ransomware encrypts the file types listed above and appends the [.]crypt extension to the names of the encrypted files.

In every folder, the ransomware also drops a custom ransom note named “HOW_TO_RESTORE”, which describes the stolen data and links to a dedicated TOR ransom payment site that the victim is told to visit.
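The two on-disk indicators described above, the appended .crypt extension on VM files and the HOW_TO_RESTORE note in each folder, are straightforward to triage for. The script below is an added example, not code from the article or from any vendor; the mapping of VMware extensions to the file classes named in the article is an assumption (the page does not list which extensions RedAlert actually targets), and the sample paths are constructed.

```python
import os
from collections import Counter

# Assumed mapping of standard VMware file extensions to the file classes the
# article names; which extensions RedAlert actually targets is not stated.
VM_FILE_CLASSES = {".vmdk": "virtual disk", ".vswp": "swap file",
                   ".vmem": "memory file", ".log": "log file"}
ENCRYPTED_SUFFIX = ".crypt"      # extension appended to encrypted files
NOTE_NAME = "HOW_TO_RESTORE"     # ransom note dropped in every folder


def classify_path(path):
    """Return an indicator label for one path, or None if nothing matches."""
    name = os.path.basename(path)
    if name == NOTE_NAME or name.startswith(NOTE_NAME + "."):
        return "ransom note"
    if name.endswith(ENCRYPTED_SUFFIX):
        original = name[:-len(ENCRYPTED_SUFFIX)]
        ext = os.path.splitext(original)[1].lower()
        return "encrypted " + VM_FILE_CLASSES.get(ext, "other file")
    return None


def triage(paths):
    """Summarise indicators over a list of paths (e.g. the output of `find`)."""
    hits = {p: lab for p, lab in ((p, classify_path(p)) for p in paths) if lab}
    note_dirs = {os.path.dirname(p) for p, lab in hits.items() if lab == "ransom note"}
    return {"hits": hits, "counts": dict(Counter(hits.values())),
            "note_dirs": sorted(note_dirs)}


def triage_tree(root):
    """Walk a real directory, such as a mounted datastore copy, and triage it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(paths)


# Constructed sample listing for demonstration; not taken from a real incident.
SAMPLE_PATHS = [
    "/vmfs/volumes/ds1/web01/web01.vmdk.crypt",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk.crypt",
    "/vmfs/volumes/ds1/web01/web01.vswp.crypt",
    "/vmfs/volumes/ds1/web01/vmware.log.crypt",
    "/vmfs/volumes/ds1/web01/web01.vmx",
    "/vmfs/volumes/ds1/web01/HOW_TO_RESTORE",
    "/vmfs/volumes/ds1/db02/db02.vmem.crypt",
    "/vmfs/volumes/ds1/db02/notes.txt.crypt",
    "/vmfs/volumes/ds1/db02/HOW_TO_RESTORE",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```

Run `triage_tree` against a read-only copy of an affected datastore rather than the live host, so the triage itself does not alter timestamps on evidence.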

The TOR payment site itself looks much like those of other ransomware operations: it displays the ransom demand and provides a way to negotiate with the ransomware operators.

An unusual aspect of this operation is that the RedAlert group only accepts payment in the Monero cryptocurrency, which is not commonly traded in the United States.
