- MalwareHunterTeam has shared the details of a new ransomware operation, currently known as RedAlert or N13V.
- The ransomware targets VMware ESXi servers and uses NTRUEncrypt public-key algorithm.
- The group behind the attacks runs a double extortion scheme, which means the data is stolen before being encrypted.
MalwareHunterTeam pinpointed a new threat that targets both Windows and Linux VMware ESXi servers and shared screenshots of the group's leak site. The new ransomware operation is called RedAlert or N13V. The name RedAlert is based on a string found in the ransom note, while the group calls its operation N13V internally.
A look at RedAlert ransomware gang's leak site, titled "Board of shame".
Currently only 1 victim listed… pic.twitter.com/vfuptO8L0x
MalwareHunterTeam (@malwrhunterteam), July 5, 2022
Stealing the data before encryption
The ransomware conducts a double extortion attack: the data is stolen before being encrypted. If the victim refuses to pay, the gang threatens to publish the stolen data on its leak site, where anyone can download it. At the time of writing the gang's site had leaked data from only one organization, which shows that the operation is very new.
The encryptor supports several command-line options, including one to shut down running virtual machines before encrypting. The options are:
- -w: Run a command to stop all running VMs
- -p: Path to encrypt (by default encrypts files only in that directory, not its subdirectories)
- -f: Single file to encrypt
- -r: Recursive; used only with -p (search and encryption include subdirectories)
- -t: Measure encryption time (encryption only, without key generation or memory allocation)
- -n: Search without encrypting (lists files and folders with some information)
- -x: Asymmetric cryptography performance tests
The ransomware uses the NTRUEncrypt public-key encryption algorithm and supports multiple NTRU parameter sets. It only targets files associated with VMware ESXi virtual machines, including .log, .vmdk, .vmem, .vswp, and .vmsn. The ransomware also drops a ransom note named how_to_restore, which describes the stolen data and gives a link for the victim to make the ransom payment. The gang only accepts Monero for payment.
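A defender-side triage helper built from the details reported above (the documented switches, the targeted extensions and the how_to_restore note name). This is an added example, not code from the report or from the malware; the command-line strings and file listing it operates on are constructed sample data, and the binary path used in them is a placeholder.

```python
"""Triage helpers for RedAlert/N13V indicators reported above.
Constructed sample data; switch names, extensions and note name come from the report."""
from pathlib import PurePosixPath

TARGET_EXTS = {".log", ".vmdk", ".vmem", ".vswp", ".vmsn"}  # extensions from the report
RANSOM_NOTE = "how_to_restore"                                # note name from the report
# Documented switches; True means the switch takes a value
SWITCHES = {"-w": False, "-p": True, "-f": True, "-r": False,
            "-t": False, "-n": False, "-x": False}


def parse_cmdline(cmdline):
    """Map an observed encryptor command line to its documented switches."""
    tokens = cmdline.split()
    opts = {}
    i = 1  # tokens[0] is the binary path
    while i < len(tokens):
        tok = tokens[i]
        if tok in SWITCHES:
            if SWITCHES[tok]:
                opts[tok] = tokens[i + 1] if i + 1 < len(tokens) else None
                i += 2
                continue
            opts[tok] = True
        i += 1
    return opts


def classify_cmdline(cmdline):
    """Return labels describing what an observed invocation would do."""
    opts = parse_cmdline(cmdline)
    labels = []
    if "-w" in opts:
        labels.append("vm-shutdown")
    if "-n" in opts:
        labels.append("recon-only")          # -n lists files without encrypting
    elif "-p" in opts or "-f" in opts:
        labels.append("encrypt-recursive" if "-r" in opts else "encrypt")
    return labels


def triage_listing(paths):
    """Per directory: was a ransom note dropped, and how many targeted VM files sit there."""
    report = {}
    for p in paths:
        pp = PurePosixPath(p)
        entry = report.setdefault(str(pp.parent), {"note": False, "vm_files": 0})
        if pp.name == RANSOM_NOTE:
            entry["note"] = True
        elif pp.suffix.lower() in TARGET_EXTS:
            entry["vm_files"] += 1
    return report
```

Feed `classify_cmdline` the command lines from ESXi shell history or process telemetry and `triage_listing` a datastore file listing to prioritise which VM folders to examine first.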