Security researcher MalwareHunterTeam discovered a new ransomware operation called RedAlert (N13V). The cybercriminals behind the operation attack corporate networks and encrypt both Windows and Linux VMware ESXi servers.
At this point, only one victim is listed on the operation's data leak website, titled "Board of shame". According to the gang's post, they "have easily hacked corporate network" and siphoned more than 300 GB of data, including employee information, social security numbers, driving licenses, financial documents, payrolls, banking statements, etc.
The threat actors claim that they have also managed to download data from the networks of the victim's customers. Links to these files will be published on the "Board of shame" sometime in the future.
As per the hackers, poor security practices and the "low competence of system administrator" of the breached enterprise are to blame.
Unlike most ransomware gangs, which demand ransom payments in Bitcoin, RedAlert only accepts the Monero privacy coin.
The Linux encryptor targets VMware ESXi servers. The malware has command-line options to shut down any running virtual machines before encrypting files. Interestingly, RedAlert only encrypts files associated with VMware ESXi virtual machines, including log files, swap files, virtual disks, and memory files.
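Because the encryptor only touches VM-associated files, a defender can narrow post-incident triage on an ESXi datastore to those file types and flag the ones whose contents look like ciphertext. The following script is an added example, not code from the article or from the RedAlert operators: it walks a datastore tree, selects files by the usual ESXi extensions (the mapping of "log, swap, virtual disk, memory" to `.log`, `.vswp`, `.vmdk`, `.vmem` is my assumption), and reports any whose leading bytes have near-maximal Shannon entropy. The demo datastore it builds in a temporary directory is constructed sample data.

```python
import math
import os
import tempfile
from pathlib import Path

# Assumed mapping of the file types named in the article to their usual ESXi
# on-disk extensions. This mapping is an assumption, not taken from the article.
VM_FILE_EXTENSIONS = {".vmdk", ".vswp", ".vmem", ".log", ".vmx", ".vmsn"}

# Shannon entropy (bits per byte) at or above this is treated as "looks encrypted".
# Plain-text logs and sparse or zeroed disks sit well below it; ciphertext approaches 8.
ENTROPY_THRESHOLD = 7.5
SAMPLE_SIZE = 64 * 1024  # only the first 64 KiB of each file is examined


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def is_vm_file(path: Path) -> bool:
    """True for files whose extension marks them as part of an ESXi VM (e.g. vm01-flat.vmdk, vmware-1.log)."""
    return path.suffix.lower() in VM_FILE_EXTENSIONS


def scan_datastore(root: Path) -> list:
    """Walk a datastore tree and return one record per VM-associated file, flagging high-entropy ones."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not is_vm_file(path):
            continue
        with path.open("rb") as fh:
            sample = fh.read(SAMPLE_SIZE)
        entropy = shannon_entropy(sample)
        findings.append({
            "path": str(path.relative_to(root)),
            "name": path.name,
            "entropy": round(entropy, 2),
            "suspicious": entropy >= ENTROPY_THRESHOLD,
        })
    return findings


def build_demo_datastore() -> Path:
    """Constructed sample datastore: one plain VM log, one 'encrypted' (random-byte) virtual disk,
    and one non-VM file that the scan must ignore."""
    root = Path(tempfile.mkdtemp(prefix="esxi-demo-"))
    vm_dir = root / "vm01"
    vm_dir.mkdir()
    log_line = b"2022-07-05T10:00:00Z| vmx| I125: VMX has left the building: 0.\n"
    (vm_dir / "vmware.log").write_bytes(log_line * 200)
    (vm_dir / "vm01-flat.vmdk").write_bytes(os.urandom(SAMPLE_SIZE))  # stands in for ciphertext
    (vm_dir / "notes.txt").write_bytes(os.urandom(1024))  # not a VM file; skipped by the scan
    return root


if __name__ == "__main__":
    for record in scan_datastore(build_demo_datastore()):
        flag = "ENCRYPTED?" if record["suspicious"] else "ok"
        print(f'{flag:10} {record["entropy"]:5.2f}  {record["path"]}')
```

Entropy alone is a coarse signal: a sparse or mostly zeroed `.vmdk` will read as low entropy whether or not it was touched, and legitimately compressed data can cross the threshold, so pair this check with file modification times and datastore change monitoring rather than treating a single hit as proof.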