September 27, 2023

A new ransomware operation seen encrypting both Windows and Linux VMWare ESXi servers dubbed as RedAlert based on a string used in the ransom note.

Alternatively, it has been noted from bleeping computer has obtained a linux encryptor from which the threat actors call their operation N13V.


Array of command-line options (as given below) allows the threat actors to shut down any running virtual machines before encrypting files.

  1. -w           Run command for stop all running VM`s
  2. -p            Path to encrypt (by default encrypt only files in directory, not include subdirectories)
  3. -f             File for encrypt
  4. -r             Recursive. used only with -p ( search and encryption will include subdirectories )
  5. -t             Check encryption time(only encryption, without key-gen, memory allocates …)
  6. -n            Search without file encryption.(show ffiles and folders with some info)
  7. -x            Asymmetric cryptography performance tests. DEBUG TESTS
  8. -h            Show this message

The only other ransomware operation known to use this encryption algorithm is FiveHands. When encrypting files, the ransomware will only target files such as .log, .vmdk, .vmem, .vsep, .vmsn that are associated with VMware ESXi virtual machines.

A custom ransom note named HOW_TO_RESTORE displayed, which contains a description of the stolen data and a link to a unique TOR ransom payment site for the victim. It only accepts the Monero cryptocurrency for payment, a privacy coin.


RedAlert conducts double-extortion attacks, which is when data is stolen, and then ransomware is deployed to encrypt devices and demand for ransom and if not paid it will publish the data in leak site.

This report was published by Malware hunter team.

Leave a Reply

%d bloggers like this: