New RedAlert Ransomware targets Windows, Linux, VMware ESXi servers

Red Alert
Written by admin

Red alert

A new ransomware operation called RedAlert, or N13V, encrypts Windows and Linux VMWare ESXi servers in attacks on corporate networks.

The new operation was discovered today by MalwareHunterTeam, who tweeted various images from the gang’s data leak site.

The ransomware has been named ‘RedAlert’ based on a string used in the ransom note. However, based on a Linux encryptor obtained by BleepingComputer, the threat actors internally call their operation ‘N13V’, as shown below.

RedAlert/N13V ransomware command line options
RedAlert/N13V ransomware command line options
Source: BleepingComputer

Linux Encryption is built to target VMware ESXi servers, with command-line options that allow threat actors to shut down any running virtual machines before encrypting files.

The full list of command line options can be seen below.

-w	 Run command for stop all running VM`s
-p	 Path to encrypt (by default encrypt only files in directory, not include subdirectories)
-f	 File for encrypt
-r	 Recursive. used only with -p ( search and encryption will include subdirectories )
-t	 Check encryption time(only encryption, without key-gen, memory allocates ...)
-n	 Search without file encryption.(show ffiles and folders with some info)
-x	 Asymmetric cryptography performance tests. DEBUG TESTS
-h	 Show this message

By running the ransomware with the ‘-w‘, the Linux encryptor will shut down all running VMware ESXi virtual machines using the following esxcli command:

esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | tail -n +2 | awk -F $',' '{system("esxcli vm process kill --type=force --world-id=" $1)}'

When encrypting files, the ransomware uses the NTRUEncrypt public key encryption algorithm, which supports various ‘Parameter Sets’ offering different levels of security.

An interesting feature of RedAlert/N13V is the ‘-x’ command line option which performs ‘asymmetric cryptography performance tests’ using these different sets of NTRUEncrypt parameters. However, it is not clear if there is a way to force a particular set of parameters when encrypting and/or if the ransomware will select a more efficient one.

The only other ransomware operation known to use this encryption algorithm is five hands.

NTRUEncrypt encryption speed test
NTRUEncrypt encryption speed test
Source: BleepingComputer

When encrypting files, the ransomware will only target files associated with VMware ESXi virtual machines, including log files, swap files, virtual disks, and memory files, as listed below.


In the sample analyzed by BleepingComputer, the ransomware would encrypt these types of files and add the .crypt658 extension to the filenames of the encrypted files.

Linux file encryption with RedAlert
Linux file encryption with RedAlert
Source: BleepingComputer

In each folder, the ransomware will also create a custom ransom note called HOW_TO_RESTOREcontaining a description of the stolen data and a link to a unique TOR ransom payment site for the victim.

Red Alert / Ransom Note N13V
Red Alert / Ransom Note N13V
Source: BleepingComputer

The Tor payment site is similar to other ransomware operating sites in that it displays the ransom demand and provides a way to negotiate with threat actors.

However, RedAlert/N13V only accepts the Monero cryptocurrency for payment, which is not commonly sold on US crypto exchanges because it is a privacy coin.

RedAlert / N13V Tor trading site
RedAlert / N13V Tor trading site
Source: BleepingComputer

While only one Linux encryptor has been found, the payment site has hidden elements showing that Windows decryptors also exist.

“Board of Shame”

Like almost all new ransomware operations targeting businesses, RedAlert carries out double-extortion attacks, which is when data is stolen and then ransomware is deployed to encrypt devices.

This tactic provides two extortion methods, allowing threat actors to not only demand a ransom to receive a decryptor, but also demand one to prevent the leak of stolen data.

When a victim fails to pay a ransom demand, the RedAlert gang posts stolen data on their data leak site that anyone can download.

RedAlert/N13V data leak site
RedAlert / N13V Data Leak Site
Source: BleepingComputer

Currently, the RedAlert data leak site only contains data from one organization, indicating that the operation is very new.

While there hasn’t been much activity with the new N13V/RedAlert ransomware operation, we’ll definitely have to keep an eye on it due to its advanced functionality and out-of-the-box support for both Linux and Windows.

About the author


Leave a Comment