VMware ESXi servers under attack from new RedAlert ransomware

VMware ESXi servers running on Windows and Linux are being targeted by the novel RedAlert ransomware operation, also known as N13V, in an effort to infiltrate corporate networks and conduct double-extortion attacks, according to BleepingComputer. RedAlert's Linux encryptor was identified to feature command-line options for shutting down operational virtual machines prior to file encryption, while the ransomware was found to leverage the public-key encryption algorithm NTRUEncrypt, also used by FiveHands. BleepingComputer discovered that RedAlert would then target .log, .vmdk, .vmem, .vmsn, and .vswp files, which are then appended with the .crypt658 extension upon encryption. Custom ransom notes with details on the stolen data and a link to the attackers' TOR ransom payment site are then created in every folder. While RedAlert has so far only listed one organization on its data leak site, the operation's advanced ransomware functionality and flexibility may make it a significant cybersecurity threat in the future.