A New RedAlert Ransomware or N13V came into the cyberspace that encrypts both Windows and Linux VMWare ESXi servers that attack corporate networks.

The ransomware has been called ‘RedAlert’ based on a string used in the ransom note. However, the threat actors call their operation ‘N13V’ internally.

The Linux encryptor is created to target VMware ESXi servers, with command-line options that allow the attacker to shut down any running virtual machines before encrypting files.

RedAlert ransomware While encrypting files uses the NTRUEncrypt public-key encryption algorithm, which supports various ‘Parameter Sets’ that offer different levels of security.

There is also one ransomware in the market that also uses the same encryption algorithm which is FiveHands.

While encrypting files, RedAlert will only target files that are associated with VMware ESXi virtual machines, including log files, swap files, virtual disks, and memory files, as listed below.

RedAlert ransomware would encrypt these file types and append the .crypt658 extension to the file names of encrypted files.

In each folder, the ransomware will also create a custom file named HOW_TO_RESTORE, which contains a description of the stolen data and a link to a unique TOR ransom payment site for the victim.

The TOR ransom payment site is the same structure as other ransomware payment sites and it displays the ransom demand and provides a way to negotiate with the attacker.

RedAlert/N13V only accepts the Monero cryptocurrency for the ransom payment, which is not common in USA crypto exchanges because it is a privacy coin.

When a victim of the RedAlert (“N13V”) ransomware gang paid the ransom, they can download the Windows / Linux decrypter tools from this nice little popup…