RedAlert (N13V) Ransomware
The RedAlert (N13V) Ransomware is a multi-platform malware that targets the data of its victims. The Windows version of the malware is tracked as RedALert while N13V is specifically designed to be active on Linux VMware ESXi servers. Like most ransomware attacks, the threat locks the data found on the breached systems by using an uncrackable cryptographic algorithm. Each processed file will have a new extension, consisting of '.crypt' followed by a certain number appended to its original name. When all targeted file types have been encrypted, the RedAlert (N13V) Ransomware will create a new text file on the infected device.
Named 'HOW_TO_RESTORE.txt,' the purpose of the file is to deliver a ransom note with instructions from the attackers. RedAlert (N13V) Ransomware's message clearly indicates that its operators are mostly targeting corporate entities. It also reveals that the attackers are running a double-extortion scheme. Apparently, besides locking the victim's files, the threat actors also collect various confidential data, such as contracts, financial documents, bank statements, employee and customer data, etc. All collected information is exfiltrated to a remote server, with the hackers threatening to release it to the public if they are not contacted by the victims within 72 hours.
The threat directs victims into visiting the hacker's dedicated website hosted on the Tor network. The site will supposedly allow victims to send a couple of encrypted files to be unlocked for free, pay the demanded ransom, and receive a specialized decryption tool. Of course, communication with cybercriminals is inherently risky and could expose the victim to additional privacy or security issues.
The entire set of instructions delivered via the text file is:
'Hello,
Your network was penterated
We have encrypted your files and stole large amount of sensitive data, including:NDA contracts and data
Financial documents, payrolls, bank statements
Employee data, personal documents, SSN, DL, CC
Customer data, contracts, purchase agreements, etc.
Credentials to local and remote devices
And more…
Encryption is reverssible process, your data can be easily recovered with our help
We offer you to purchase special decryption software, payment includes decryptor, key for it and erasure of stolen data
If you understand all seriousness of this sutation and ready to cooperate with us, follow the next steps:
1) Download TOR Browser from hxxps://torproject.org
2) Install and launch TOR Browser
3) Visit our webpage: hxxx://gwvueqclwkz3h7u75cks2wmrwymg3qemfyoyqs7vexkx7lhlteagmsyd.onion
On our webpage you will be able to purchase decryptor, chat with our support and decrypt few files for free
If you won't contact us in 72h we will start publishing stolen data in our blog part by part, DDoS site of your company and call employees of your company
We have analyzed financial documentation of your company so we will offer you the appropriate price
To avoid data loss and rising of the additional costs:
1) Don't modify contents of the encrypted files
2) Don't inform local authorities about this incident before the end of our deal
3) Don't hire recovery companies to negotiate with us
We guarantee that our dialogue will remain private and third-parties will never know about our dealREDALERT UNIQUE IDENTIFIER START'
