"New RedAlert Ransomware Targets Windows, Linux VMware ESXi Servers"

A new ransomware operation, first spotted by researchers at MalwareHunterTeam, who tweeted images of the gang's data leak site, is encrypting both Windows servers and Linux VMware ESXi servers in attacks on corporate networks. The ransomware has been dubbed RedAlert after a string in its ransom note, but a Linux encryptor obtained by Bleeping Computer shows that the threat actors internally call their operation N13V.

The Linux encryptor is built for VMware ESXi hosts and includes command-line options that let the attackers shut down running virtual machines before encrypting files; powering off the guests releases the locks a running VM holds on its virtual disk files, so those files can be encrypted rather than skipped. For encryption the ransomware uses the NTRUEncrypt public-key algorithm, a lattice-based scheme that supports a number of 'Parameter Sets' offering different levels of security. The '-x' command-line option in RedAlert/N13V runs asymmetric cryptography performance tests across the various NTRUEncrypt parameter sets. It is not known whether a specific parameter set can be forced at encryption time or whether the ransomware simply selects a more efficient one. FiveHands is the only other ransomware operation known to use this encryption algorithm.

Like nearly all new enterprise-targeting ransomware operations, RedAlert conducts double-extortion attacks: data is stolen first, and only then are devices encrypted. This gives the threat actors two levers, a ransom for the decryptor and a separate threat to leak the stolen data. If a victim refuses to pay, the RedAlert gang publishes the stolen data on its data leak website for anyone to download. This article continues to discuss findings surrounding the RedAlert/N13V ransomware.

Bleeping Computer reports "New RedAlert Ransomware Targets Windows, Linux VMware ESXi Servers"

Submitted by Anonymous on