RedAlert
RedAlert ransomware became public on July 5, 2022. It can spread via RDP configuration hacking, malicious emails, or botnets, and it encrypts Windows and Linux VMware ESXi servers. Using command options in RedAlert’s Linux encryptor, the ransomware shuts down any running virtual machines before locking files. It targets the files that make up the virtual machines, such as memory files (.vmem), log files (.log), and virtual disks (.vmdk). The ransomware creates a custom ransom note named “HOW_TO_RESTORE”, which includes a link to a unique TOR ransom payment site for the victim. Unlike other ransomware, RedAlert exclusively demands payment in Monero cryptocurrency (XMR). The ransomware is called RedAlert because of a string used in the ransom note; however, in the Linux encryptor version, the threat actors internally call their operation N13V.
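The two artifacts the description above gives a responder to work with are the ransom note name (HOW_TO_RESTORE) and the VM file types the encryptor goes after (.vmem, .log, .vmdk). The script below is an added triage example, not code from the original page or from any RedAlert analysis: it walks a datastore directory, finds files whose name begins with HOW_TO_RESTORE (the page does not state whether the note carries a file extension, so matching on the stem is an assumption), and for each directory holding a note it counts the VM artifact files present, so an incident responder can quickly scope which VM folders were visited. The sample datastore layout it builds is constructed test data.

```python
"""Scope a RedAlert-style incident on an ESXi datastore by locating ransom
notes and inventorying the VM artifact files that sit beside them.
Added example; the datastore layout below is constructed, not real data."""
import tempfile
from collections import Counter
from pathlib import Path

# Ransom note name from the page; suffix handling is an assumption.
RANSOM_NOTE_STEM = "HOW_TO_RESTORE"
# File types the page says the encryptor targets.
VM_ARTIFACT_SUFFIXES = {".vmem", ".log", ".vmdk"}


def find_ransom_notes(root):
    """Return every file under root whose name starts with the note stem."""
    root = Path(root)
    return sorted(
        p for p in root.rglob("*")
        if p.is_file() and p.name.upper().startswith(RANSOM_NOTE_STEM)
    )


def inventory_vm_artifacts(directory):
    """Count VM artifact files by suffix inside one VM directory."""
    counts = Counter()
    for p in Path(directory).iterdir():
        if p.is_file() and p.suffix.lower() in VM_ARTIFACT_SUFFIXES:
            counts[p.suffix.lower()] += 1
    return dict(counts)


def triage(root):
    """Map each VM directory containing a ransom note to its note name and
    the VM artifact files found next to it."""
    root = Path(root)
    report = {}
    for note in find_ransom_notes(root):
        vm_dir = note.parent
        report[str(vm_dir.relative_to(root))] = {
            "note": note.name,
            "artifacts": inventory_vm_artifacts(vm_dir),
        }
    return report


def build_sample_datastore():
    """Constructed datastore: one VM folder with a note, one without."""
    root = Path(tempfile.mkdtemp(prefix="datastore-"))
    hit = root / "vm-web01"
    hit.mkdir()
    for name in ("web01.vmdk", "web01-flat.vmdk", "web01.vmem",
                 "vmware.log", "HOW_TO_RESTORE"):
        (hit / name).write_text("constructed sample content\n")
    clean = root / "vm-db01"
    clean.mkdir()
    for name in ("db01.vmdk", "vmware.log"):
        (clean / name).write_text("constructed sample content\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_datastore()
    for vm_dir, info in triage(sample_root).items():
        print(f"{vm_dir}: note={info['note']} artifacts={info['artifacts']}")
```

Run it against a mounted or copied datastore root instead of the constructed sample to get a per-VM list of affected folders; the artifact counts tell you which VMs had disks, memory files, and logs in scope when the note was dropped.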