A new strain of ransomware has been discovered

July 8, 2022 | Brigantia, Cybersecurity

Written by Jack Poulter

RedAlert, also known as "N13V", is a new ransomware operation that encrypts VMware ESXi servers running either Windows or Linux.

What has happened?

Internally, the threat actors refer to their operation as "N13V," and the Linux encryptor was created specifically for the purpose of targeting VMware ESXi servers. The ransomware includes command-line options that allow threat actors to halt any active virtual machines before encrypting data.

When the ransomware is executed with the '-w' parameter, the Linux encryptor uses an esxcli command to force the shutdown of all running VMware ESXi virtual machines.

When it comes to data encryption, the ransomware employs the NTRUEncrypt public-key encryption method. This technique supports a number of 'parameter sets,' each of which provides a different level of security.
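One way a defender could alert on the behaviour described above, where every running virtual machine on a host is forced off shortly before encryption, is to flag hosts on which many distinct VMs power off within a short window. This is an added example, not code from the original post or the Heimdal report; the log line format, host and VM names, and thresholds are constructed for illustration and are not a real ESXi log layout.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical format:
# "<ISO timestamp> <host> <vm name> <event>". Not a real ESXi log layout.
SAMPLE_LOG = """\
2022-07-08T09:00:00 esx01 web-01 power_off
2022-07-08T09:45:00 esx01 web-01 power_on
2022-07-08T10:15:01 esx02 db-01 power_off
2022-07-08T10:15:02 esx02 db-02 power_off
2022-07-08T10:15:02 esx02 app-01 power_off
2022-07-08T10:15:03 esx02 app-02 power_off
2022-07-08T10:15:04 esx02 mail-01 power_off
2022-07-08T11:30:00 esx01 web-02 power_off
"""

def parse(log_text):
    """Yield (timestamp, host, vm, event) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]

def mass_shutdown_hosts(log_text, min_vms=4, window=timedelta(seconds=60)):
    """Return {host: first alert time} where >= min_vms distinct VMs
    powered off within `window` (thresholds are illustrative assumptions)."""
    recent = {}   # host -> deque of (timestamp, vm) power-off events in window
    alerts = {}
    for ts, host, vm, event in sorted(parse(log_text)):
        if event != "power_off":
            continue
        q = recent.setdefault(host, deque())
        q.append((ts, vm))
        # Drop events that have fallen out of the sliding window.
        while ts - q[0][0] > window:
            q.popleft()
        if len({v for _, v in q}) >= min_vms and host not in alerts:
            alerts[host] = ts
    return alerts

if __name__ == "__main__":
    for host, ts in mass_shutdown_hosts(SAMPLE_LOG).items():
        print(f"ALERT {host}: mass VM power-off detected at {ts.isoformat()}")
```

Routine maintenance also powers VMs off in batches, so an alert like this is best correlated with change windows before it is escalated.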


The full report on this new strain by Heimdal can be found here. If you'd like to talk about how Brigantia can help protect you and your customers from ransomware, please contact me via the link below.

Book 1-1 with me
