
Red Alert Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 9
First Seen: January 4, 2017
Last Seen: June 12, 2022
OS(es) Affected: Windows

The Red Alert Ransomware is a standard encryption Trojan that is named after the 'RED ALERT' warning it displays once it completes the encoding process. The Red Alert Ransomware functions similarly to the JuicyLemon Ransomware and changes the user's desktop background as a way to notify the user of encrypted data on the PC. The standard medium used to install the Red Alert Ransomware is a corrupted document that you are led to believe is a payment confirmation or an order receipt from an online store like Amazon. Spam emails that feature logos from online stores and cyber security vendors are employed by the distributors of the Red Alert Ransomware to entice users into double-clicking a macro-enabled document.

The Red Alert Ransomware is a Member of the HiddenTear Family of Ransomware

The Red Alert Ransomware is based on the HiddenTear project published by Utku Sen as 'educational ransomware.' It did not take long for 'knowledge-hungry' con artists to notice the potential of HiddenTear and deploy dozens of variants. The Red Alert Ransomware is ranked among threats like the EduCrypt Ransomware and the Domino Ransomware. The Red Alert Ransomware is programmed to scan local drives and removable drives for the following file types:


The next step in the encryption procedure involves building a list of files suitable for encryption. PC security researchers report that the Red Alert Ransomware uses a customized version of an open-source AES-256 cipher. Files are enciphered entirely and a '.locked' marker is appended to their names. For example, 'Longmen_Caves-China.png' is converted to 'Longmen_Caves-China.png.locked', and a thumbnail in Windows Explorer will be unavailable. Data is encrypted with a private key, and then that key is encrypted with a public key, which makes decryption impossible without the correct decryption software and key. The authors of the Red Alert Ransomware claim to provide a decryptor if you follow a set of instructions saved in 'message.txt', located on the desktop.
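As an added example (not part of the original entry and not code from the ransomware or any vendor tool), the following Python script shows how a defender could triage a suspected Red Alert infection by walking a directory tree for the two indicators described above: files carrying the '.locked' marker and the 'message.txt' note. The sample directory it builds is constructed for the demonstration; the function names and the grouping of encrypted files by their original extension are this example's own assumptions.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".locked"       # marker appended to encrypted files, as described on the page
RANSOM_NOTE = "message.txt"  # ransom note name, as described on the page


def scan_for_red_alert_indicators(root):
    """Walk `root` and report files carrying the '.locked' marker and any
    'message.txt' notes. Returns a summary dict a responder can act on.
    (Hypothetical helper written for this example.)"""
    root = Path(root)
    locked = []
    notes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower().endswith(RANSOM_EXT):
                locked.append(path)
            elif name.lower() == RANSOM_NOTE:
                notes.append(path)
    # Group encrypted files by the original extension (the part before '.locked')
    # so the responder sees which data types were hit.
    by_original_ext = Counter(
        Path(p.name[: -len(RANSOM_EXT)]).suffix.lower() or "<none>" for p in locked
    )
    return {
        "locked_count": len(locked),
        "locked_files": sorted(str(p.relative_to(root)) for p in locked),
        "by_original_ext": dict(by_original_ext),
        "ransom_notes": sorted(str(p.relative_to(root)) for p in notes),
        # Both indicators together are a strong signal; either alone is worth a look.
        "suspicious": len(locked) > 0 and len(notes) > 0,
    }


def build_sample_tree():
    """Constructed sample directory mimicking the page's description
    (a '.locked' image and 'message.txt' on the Desktop). Not real data."""
    root = Path(tempfile.mkdtemp(prefix="redalert_demo_"))
    desktop = root / "Desktop"
    docs = root / "Documents"
    desktop.mkdir()
    docs.mkdir()
    (desktop / "Longmen_Caves-China.png.locked").write_bytes(b"\x00" * 16)
    (desktop / "message.txt").write_text("placeholder ransom note (constructed)")
    (docs / "budget.xlsx.locked").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_text("untouched file")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = scan_for_red_alert_indicators(sample_root)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a user profile or a mounted image of an affected drive instead of the constructed tree; the per-extension counts show how far the encryption got, and the note locations tell you where the attacker expects the victim to look.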

A 'Red Alert' Warning Signifies a Successful Operation of the Red Alert Ransomware

As stated above, the Red Alert Ransomware changes the user's desktop background to an image colored in black and red, which displays the following text message:

All Your Files Has been Blocked !!!
To you unlock the files access "MESSAGE" file and follow the instructions or we will delete ALL your personal archives.

Computer users who did not back up their data may panic and consider paying the ransom. However, experts remind users that the operators of the Red Alert Ransomware are not obliged to deliver a decryptor. You might want to keep your money in your wallet and check whether the Red Alert Ransomware deleted the Shadow Volume Copies made by Windows. PC users who take threats like the Red Alert Ransomware and the OpenToYou Ransomware into consideration may have backup images available. Experts remind users that threats such as the OpenToYou Ransomware are ineffective against users who back up their data regularly and avoid spam emails. The Red Alert Ransomware should be removed with the help of a reliable anti-malware scanner that is designed to eliminate encryption Trojans.

