A new ransomware operation called RedAlert, or N13V, encrypts Windows and Linux VMware ESXi servers in attacks on corporate networks.
The new operation was discovered today by MalwareHunterTeam, who tweeted various images from the gang’s data leak site.
The ransomware has been named ‘RedAlert’ based on a string used in the ransom note. However, based on a Linux encryptor obtained by BleepingComputer, the threat actors internally call their operation ‘N13V’, as shown below.

Source: BleepingComputer
The Linux encryptor is built to target VMware ESXi servers, with command-line options that allow the threat actors to shut down any running virtual machines before encrypting files.
The full list of command line options can be seen below.
-w Run command for stop all running VM`s
-p Path to encrypt (by default encrypt only files in directory, not include subdirectories)
-f File for encrypt
-r Recursive. used only with -p ( search and encryption will include subdirectories )
-t Check encryption time(only encryption, without key-gen, memory allocates ...)
-n Search without file encryption.(show ffiles and folders with some info)
-x Asymmetric cryptography performance tests. DEBUG TESTS
-h Show this message
By running the ransomware with the ‘-w’ option, the Linux encryptor will shut down all running VMware ESXi virtual machines using the following esxcli command:
esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | tail -n +2 | awk -F $',' '{system("esxcli vm process kill --type=force --world-id=" $1)}'
When encrypting files, the ransomware uses the NTRUEncrypt public key encryption algorithm, which supports various ‘Parameter Sets’ offering different levels of security.
An interesting feature of RedAlert/N13V is the ‘-x’ command line option which performs ‘asymmetric cryptography performance tests’ using these different sets of NTRUEncrypt parameters. However, it is not clear if there is a way to force a particular set of parameters when encrypting and/or if the ransomware will select a more efficient one.
The only other ransomware operation known to use this encryption algorithm is FiveHands.
When encrypting files, the ransomware will only target files associated with VMware ESXi virtual machines, including log files, swap files, virtual disks, and memory files, as listed below.
.log
.vmdk
.vmem
.vswp
.vmsn
In the sample analyzed by BleepingComputer, the ransomware would encrypt these types of files and add the .crypt658 extension to the filenames of the encrypted files.
In each folder, the ransomware will also create a custom ransom note called HOW_TO_RESTORE containing a description of the stolen data and a link to a unique Tor ransom payment site for the victim.
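As an added defender-side example (not code from the article or from the ransomware), the following Python script walks a datastore directory and reports the indicators described above: files carrying the .crypt658 extension grouped by the VM file type they had before encryption, directories holding a HOW_TO_RESTORE note, and targeted file types that are still intact. The sample directory tree it builds is constructed here so it runs stand-alone; the ransom note is assumed to begin with the HOW_TO_RESTORE prefix, since the article does not give any file extension for it.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: extension appended to encrypted files,
# ransom note name, and the VM-related file types the encryptor targets.
ENCRYPTED_EXT = ".crypt658"
RANSOM_NOTE_PREFIX = "HOW_TO_RESTORE"  # exact file name is an assumption
TARGET_EXTS = {".log", ".vmdk", ".vmem", ".vswp", ".vmsn"}


def scan_datastore(root):
    """Walk a datastore directory and collect RedAlert/N13V indicators.

    Returns a dict with encrypted files grouped by their original VM file
    type, the directories holding a ransom note, and target-type files
    that are still unencrypted (useful when prioritising isolation/backups).
    """
    root = Path(root)
    encrypted, note_dirs, intact = {}, [], []
    for dirpath, _, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name.startswith(RANSOM_NOTE_PREFIX):
                note_dirs.append(rel_dir)
            elif path.suffix == ENCRYPTED_EXT:
                # The original type is the suffix left once .crypt658 is stripped
                original_ext = Path(path.stem).suffix
                encrypted.setdefault(original_ext, []).append(rel)
            elif path.suffix in TARGET_EXTS:
                intact.append(rel)
    return {"encrypted": encrypted, "note_dirs": sorted(note_dirs), "intact": sorted(intact)}


def build_sample_datastore():
    """Constructed sample tree (not real victim data) for a stand-alone run."""
    root = Path(tempfile.mkdtemp(prefix="ds_"))
    vm01 = root / "vm01"
    vm01.mkdir()
    for fname in ("vm01.vmdk.crypt658", "vm01.vmem.crypt658",
                  "vmware.log.crypt658", "vm01.vmx", "HOW_TO_RESTORE"):
        (vm01 / fname).write_text("sample")
    vm02 = root / "vm02"
    vm02.mkdir()
    (vm02 / "vm02.vmdk").write_text("sample")
    return root


if __name__ == "__main__":
    print(scan_datastore(build_sample_datastore()))
```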
The Tor payment site is similar to the sites run by other ransomware operations in that it displays the ransom demand and provides a way to negotiate with the threat actors.
However, RedAlert/N13V only accepts the Monero cryptocurrency for payment, which is not commonly sold on US crypto exchanges because it is a privacy coin.
While only one Linux encryptor has been found, the payment site has hidden elements showing that Windows decryptors also exist.
“Board of Shame”
Like almost all new ransomware operations targeting businesses, RedAlert carries out double-extortion attacks, which is when data is stolen and then ransomware is deployed to encrypt devices.
This tactic provides two extortion methods, allowing threat actors to not only demand a ransom to receive a decryptor, but also demand one to prevent the leak of stolen data.
When a victim fails to pay a ransom demand, the RedAlert gang posts stolen data on their data leak site that anyone can download.
Currently, the RedAlert data leak site only contains data from one organization, indicating that the operation is very new.
While there hasn’t been much activity with the new N13V/RedAlert ransomware operation, we’ll definitely have to keep an eye on it due to its advanced functionality and out-of-the-box support for both Linux and Windows.