The new ransomware is called RedAlert because of a string found in the ransom note. However, in their internal notes the developers of the Linux version are calling it N13V. It targets VMware servers and shuts down running virtual machines before encrypting files. The malicious program is similar to other enterprise ransomware, but it has some unique features.
This ransomware targets files on your virtual machines, including memory files, log files, virtual disks, and swap files. It encrypts these types of files and appends the .crypt658 extension to the file names. In each folder, it creates a customized ransom note named HOW_TO_RESTORE. This note includes a description of the stolen data and a link to a TOR ransom-payment site.
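The two file-system indicators above (the .crypt658 extension and the per-folder HOW_TO_RESTORE note) are enough for a simple triage scan of a datastore export. The script below is an added example for defenders, not code from the article or from the ransomware; it walks a directory tree, collects both indicators and tallies which VM file categories were hit. The mapping of VMware suffixes (.vmem, .log, .vmdk, .vswp) to the categories named in the text is an assumption, and the sample directory layout it builds is constructed for the demonstration.

```python
"""Scan a directory tree for the RedAlert/N13V file-system indicators.

Indicators (from the article): files renamed with the .crypt658 extension
and per-folder ransom notes named HOW_TO_RESTORE. The VM file categories
(memory, log, virtual disk, swap) are mapped to the usual VMware suffixes
.vmem, .log, .vmdk and .vswp; that mapping is an assumption of this
example, not something the article states.
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".crypt658"
RANSOM_NOTE = "HOW_TO_RESTORE"
# Assumed mapping of VMware file suffixes to the categories named in the text.
VM_SUFFIXES = {".vmem": "memory", ".log": "log", ".vmdk": "virtual disk", ".vswp": "swap"}


def classify(original_name):
    """Map an original (pre-encryption) file name to a VM file category."""
    _, ext = os.path.splitext(original_name.lower())
    return VM_SUFFIXES.get(ext, "other")


def scan_tree(root):
    """Walk `root` and collect indicators.

    Returns a dict with:
      encrypted   - paths ending in .crypt658
      notes       - paths of HOW_TO_RESTORE files
      by_category - Counter of VM file categories among encrypted files
      folders_hit - number of folders containing at least one note
    """
    result = {"encrypted": [], "notes": [], "by_category": Counter(), "folders_hit": 0}
    for dirpath, _dirnames, filenames in os.walk(root):
        note_here = False
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                result["notes"].append(path)
                note_here = True
            elif name.endswith(ENCRYPTED_EXT):
                result["encrypted"].append(path)
                # Strip the appended extension to recover the original name.
                original = name[: -len(ENCRYPTED_EXT)]
                result["by_category"][classify(original)] += 1
        if note_here:
            result["folders_hit"] += 1
    return result


def is_compromised(report):
    """Raise an alert if either indicator is present."""
    return bool(report["encrypted"]) or bool(report["notes"])


def build_sample_tree():
    """Create a constructed directory layout mimicking an affected datastore."""
    root = tempfile.mkdtemp(prefix="redalert-sample-")
    vm_dir = os.path.join(root, "datastore1", "web01")
    os.makedirs(vm_dir)
    # Constructed file names: four encrypted VM files, one untouched .vmx, one note.
    for name in ("web01.vmdk.crypt658", "web01.vmem.crypt658", "web01.vswp.crypt658",
                 "vmware.log.crypt658", "web01.vmx", RANSOM_NOTE):
        with open(os.path.join(vm_dir, name), "w") as fh:
            fh.write("constructed sample\n")
    # A second note one level up, as the malware drops one per folder.
    with open(os.path.join(root, "datastore1", RANSOM_NOTE), "w") as fh:
        fh.write("constructed sample\n")
    return root


def build_empty_tree():
    """Create an empty directory, i.e. a clean datastore for comparison."""
    return tempfile.mkdtemp(prefix="redalert-clean-")


if __name__ == "__main__":
    rep = scan_tree(build_sample_tree())
    print(f"encrypted files: {len(rep['encrypted'])}, notes: {len(rep['notes'])}, "
          f"folders with notes: {rep['folders_hit']}, categories: {dict(rep['by_category'])}")
    print("compromised:", is_compromised(rep))
```

Run it against a mounted copy of the datastore rather than the live ESXi host, and treat a single HOW_TO_RESTORE hit as sufficient to escalate; the category counts mainly help scope which virtual machines need restoring from backup.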
One of the new features of this ransomware is its ability to perform asymmetric encryption testing. NTRUEncrypt is a public-key algorithm that supports different ‘Parameter Sets’ that provide varying levels of security, which helps the user choose the right option for their needs. The only other ransomware with this feature is RedAlert.
Just recently, RedAlert identified one organization as a victim, and this could change in the future. It also supports both Windows and Linux, which suggests the malware is targeting a wider attack surface. Organizations should therefore keep an eye on this threat. Always protect sensitive information with encryption and proper access controls.