
Ransomware Attacks Target Government Agencies in Latin America

Federal government agencies in Latin America have been targeted in several ransomware attacks in recent months, the latest targets being Chile and the Dominican Republic.

Following the escalation of cyber attacks, Recorded Future studied attacks on Latin American governments from January 2022 until May 2022, examining vulnerabilities, attack vectors, and indicators of compromise (IOCs).

The study found that the most advanced ransomware groups are targeting Latin American federal agencies, and the researchers highlighted the region's weak security measures against cyber threats.

Chile's Ministry of the Interior reported last week that the department had been hit by ransomware targeting its Windows and VMware ESXi servers. The attack disrupted online services and their functions. The ransomware encrypted files on compromised systems and renamed them with the extension .crypt.

The Chilean government issued a public statement on the attack and released some indicators of compromise (IoCs); based on these, analysts believe the attack involved the relatively new RedAlert ransomware, also known as N13V.

RedAlert uses double extortion: it encrypts the victim's files and threatens to publish data stolen from the victim's systems unless a ransom is paid. At the time of writing, RedAlert's Tor-based leak site had not listed the Chilean government agency.

Several government agencies in the Dominican Republic were also hit by ransomware recently. The country's national cybersecurity center announced on August 24 that the Ministry of Agriculture's Dominican Agrarian Institute (IAD) had been attacked, and stated that the government does not plan to pay a ransom.

“We identified several government entities in Latin America (LATAM) that have been affected by ransomware attacks, likely involving Russian or Russian-speaking threat actors, beginning on or around April 2022. Countries affected include Costa Rica, Peru, Mexico, Ecuador, Brazil, and Argentina, among others, all of which have publicly condemned Russia for invading Ukraine at the United Nations General Assembly (UNGA). Some of these countries also voted to suspend Russia from the United Nations Human Rights Council (UNHRC) in early April 2022,” Recorded Future said.

This New RedAlert Ransomware Targets Windows, Linux VMware ESXi Servers
RedAlert (aka N13V) is a newly discovered ransomware that encrypts both Windows and Linux VMware ESXi systems. MalwareHunterTeam uncovered the new ransomware and published several screenshots of its data leak site. The ransomware is called RedAlert because of a string in the ransom note.

However, the attackers refer to their operation internally as N13V in the Linux encryptor. The Linux encryptor is built for VMware ESXi servers and includes command-line options that let attackers shut down any running virtual machines before encrypting data.

Like other enterprise-targeted ransomware operations, RedAlert conducts double-extortion attacks in which data is stolen and then ransomware is used to encrypt machines. The ransomware exclusively targets VMware ESXi virtual machine data, such as memory files, log files, virtual disks, and swap files.

The ransomware encrypts certain file formats and appends the extension .crypt658 to the file names. In each folder it drops a ransom note entitled HOW TO RESTORE, which describes the stolen data and links to a Tor ransom payment site. One of RedAlert/N13V's features is the '-x' command-line option, which runs asymmetric cryptography performance tests with various NTRUEncrypt parameter sets.
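As an added defender-side example (not code from the article or from any analysis it cites), the following Python walks a datastore copy and tallies the two on-disk indicators the article names: the .crypt658 suffix and the HOW TO RESTORE note. Mapping the article's file categories (memory, log, virtual disk, swap) to the ESXi extensions .vmem, .log, .vmdk and .vswp is my assumption, and the sample VM folder is constructed.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators from the article: encrypted files carry the .crypt658 extension
# and every folder receives a ransom note named "HOW TO RESTORE".
ENCRYPTED_SUFFIX = ".crypt658"
RANSOM_NOTE_NAME = "HOW TO RESTORE"

# The article says the encryptor targets VM memory, log, virtual disk and swap
# files; mapping those categories to standard ESXi extensions is an assumption.
VM_FILE_TYPES = {".vmdk": "virtual disk", ".vmem": "memory",
                 ".vswp": "swap", ".log": "log"}

def classify_original(name: str) -> str:
    """Strip the ransomware suffix and classify the original VM file type."""
    original = name[:-len(ENCRYPTED_SUFFIX)]
    return VM_FILE_TYPES.get(Path(original).suffix.lower(), "other")

def triage_datastore(root: str) -> dict:
    """Walk a datastore (or a forensic copy) and tally RedAlert indicators.
    Returns ransom-note paths, encrypted-file counts per original file type,
    and the directories (one per VM on ESXi) that hold encrypted files."""
    notes, by_type, affected = [], Counter(), set()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname == RANSOM_NOTE_NAME:
                notes.append(os.path.join(dirpath, fname))
            elif fname.endswith(ENCRYPTED_SUFFIX):
                by_type[classify_original(fname)] += 1
                affected.add(dirpath)
    return {"ransom_notes": notes, "encrypted_by_type": dict(by_type),
            "affected_dirs": sorted(affected)}

def demo() -> dict:
    """Build a constructed sample VM folder in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        vm = Path(tmp) / "vm01"
        vm.mkdir()
        # .vmx is left untouched to show that unencrypted files are not counted.
        for name in ("vm01.vmdk.crypt658", "vm01.vmem.crypt658",
                     "vm01.vswp.crypt658", "vmware.log.crypt658", "vm01.vmx"):
            (vm / name).write_bytes(b"constructed sample content")
        (vm / RANSOM_NOTE_NAME).write_text("constructed note placeholder")
        return triage_datastore(tmp)

if __name__ == "__main__":
    print(demo())
```

Point `triage_datastore` at a mounted, read-only copy of the datastore rather than the live host, so the triage itself does not alter evidence.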

During encryption the ransomware uses the NTRUEncrypt public-key encryption scheme, which supports several 'parameter sets' offering different security levels. Aside from RedAlert, the only other ransomware known to use this form of encryption is FiveHands.

RedAlert currently lists only one organisation as a victim, but this may change in the near future. The malware's support for both Windows and Linux shows that it intends to target a broader attack surface, so enterprises should keep an eye on this threat. Always use encryption and access controls to safeguard critical information.