A new ransomware operation known as RedAlert, or N13V, encrypts both Windows and Linux VMware ESXi servers in attacks on corporate networks.
MalwareHunterTeam, which tweeted numerous screenshots of the gang’s data leak site, discovered the new operation today.
The ransomware has been named “RedAlert” after a string in the ransom note. However, as shown below, the threat actors internally refer to their operation as “N13V,” according to a Linux encryptor that BleepingComputer was able to obtain.
The Linux encryptor was designed to target VMware ESXi servers and has command-line options that let the threat actors shut down any running virtual machines before encrypting files.
Below is a list of all available command-line arguments:
-w Run a command to shut down all running virtual machines
-p Path to encrypt (by default, encrypts only files in the directory, not including subdirectories)
-f File to encrypt
-r Recursive. Only used with -p (search and encryption will include subdirectories)
-t Check the encryption time (only encryption, without key generation, memory allocation, ...)
-n Search without file encryption (display files and directories with information)
-x Asymmetric cryptography performance tests. DEBUGGING TESTS
-h Show this message
The Linux encryptor will terminate every active VMware ESXi virtual machine when the ransomware is launched with the ‘-w’ argument:
esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | tail -n +2 | awk -F $',' '{system("esxcli vm process kill --type=force --world-id=" $1)}'
The ransomware uses the NTRUEncrypt public-key algorithm to encrypt files. This algorithm supports a number of “parameter sets” that provide varying levels of security.
An intriguing feature of RedAlert/N13V is its ‘-x’ command-line option, which performs ‘asymmetric cryptography performance testing’ with these different NTRUEncrypt parameter sets. It is unclear whether a specific parameter set can be forced for encryption, or whether the ransomware selects the best-performing one.
The only other ransomware operation known to use this encryption algorithm is FiveHands.
The ransomware only encrypts files associated with VMware ESXi virtual machines, namely the following log files, swap files, virtual disks, and memory files:
.log
.vmdk
.vmem
.vswp
.vmsn
In the sample analyzed by BleepingComputer, the ransomware encrypted these file types and appended the .crypt658 extension to the names of encrypted files.
In each folder, the ransomware also creates a custom ransom note named HOW TO RESTORE that describes the stolen data and links to the victim’s dedicated Tor ransom payment site.
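The forced VM kill command, the .crypt658 extension and the HOW TO RESTORE note give defenders three concrete things to hunt for on an ESXi host. The Python below is an added example, not code from the article or from the malware: it flags the kill pattern in constructed ESXi shell-history lines and looks for the encryptor’s footprints in a constructed datastore listing (the log line format, the file paths and the underscore spelling of the note name are assumptions).

```python
import re

# Constructed sample lines in the style of ESXi /var/log/shell.log (format assumed).
SAMPLE_SHELL_LOG = """\
2022-07-05T10:01:02Z shell[2031]: [root]: esxcli vm process list
2022-07-05T10:01:05Z shell[2031]: [root]: esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | tail -n +2 | awk -F $',' '{system("esxcli vm process kill --type=force --world-id=" $1)}'
2022-07-05T10:01:09Z shell[2031]: [root]: ./encryptor -w -p /vmfs/volumes/datastore1 -r
2022-07-05T10:20:40Z shell[2099]: [admin]: esxcli vm process kill --type=soft --world-id=2102348
"""

# Constructed datastore listing (paths assumed) after a hypothetical infection.
SAMPLE_PATHS = [
    "/vmfs/volumes/datastore1/srv01/srv01.vmdk.crypt658",
    "/vmfs/volumes/datastore1/srv01/srv01.vmem.crypt658",
    "/vmfs/volumes/datastore1/srv01/HOW_TO_RESTORE",
    "/vmfs/volumes/datastore1/srv02/srv02.vmdk",
]

# A forced kill is unusual for admins; a kill fed from 'vm process list' is the mass-shutdown pattern.
FORCE_KILL = re.compile(r"esxcli\s+vm\s+process\s+kill\b.*--type=force")
ENCRYPTED_EXT = ".crypt658"
RANSOM_NOTE = re.compile(r"^HOW[ _]TO[ _]RESTORE$", re.IGNORECASE)


def find_forced_vm_kills(log_text):
    """Return forced VM kill commands; 'mass' marks kills driven by a process listing."""
    hits = []
    for line in log_text.splitlines():
        if FORCE_KILL.search(line):
            mass = "vm process list" in line and "|" in line
            hits.append({"line": line.strip(), "mass": mass})
    return hits


def find_encryptor_artifacts(paths):
    """Split a datastore listing into encrypted files and ransom notes."""
    encrypted = [p for p in paths if p.endswith(ENCRYPTED_EXT)]
    notes = [p for p in paths if RANSOM_NOTE.match(p.rsplit("/", 1)[-1])]
    return {"encrypted": encrypted, "ransom_notes": notes}


if __name__ == "__main__":
    for hit in find_forced_vm_kills(SAMPLE_SHELL_LOG):
        print("forced kill" + (" (mass)" if hit["mass"] else ""), hit["line"])
    print(find_encryptor_artifacts(SAMPLE_PATHS))
```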
The Tor payment site is similar to those of other ransomware operations: it displays the ransom demand and offers a way to negotiate with the threat actors.
However, RedAlert/N13V only accepts payment in Monero, a privacy coin that is not commonly available on US cryptocurrency exchanges.
Although only a Linux encryptor has been found so far, the payment site contains hidden elements that show Windows decryptors also exist.
The “Board of Shame”
Like nearly all new enterprise-targeting ransomware operations, RedAlert conducts double-extortion attacks, in which data is stolen before ransomware is used to encrypt devices.
This strategy gives the threat actors two extortion levers: they can demand a ransom not only for a decryptor but also to prevent the leak of the stolen data.
When a victim refuses to pay the demanded ransom, the RedAlert gang publishes the stolen data on its data leak site for anyone to download.
The fact that only one organization’s data is currently listed on the RedAlert data leak site shows how recent the operation is.
The new N13V/RedAlert ransomware operation has not seen much activity yet, but with its extensive feature set and early support for both Linux and Windows, it is one that we will undoubtedly need to keep an eye on.