Cyber Security

A new Ransomware in 2022: Red Alert

Background of Ransomware

In modern times, technology is an integral part of our lives, and so are the problems that come along with the integration of such technologies in our day-to-day activities. From pop-up ads to new-age ransomware, as technology evolves, so do such lacunae that accompany it. Case in point new ransomware, the N13V. In light of the Linux encryptor found by BleepingComputer, it has been found that the nomenclature is given by the creators of the said ransomware. Although the ransomware is popularly called ‘RedAlert’, the same originates from a string used in the ransom note of the said virus. 

RedAlert/N13V encrypts both Windows and Linux VMWare ESXi servers in attacks on corporate networks. It was discovered on the 5th of July 2022 by MalwareHunterTeam, who also tweeted about the same, adding pictures of the ransomware creators’ data leak site.

N13V Ransomware Command-line options 

As of now, the people involved in this data breach segment has leaked data for just one organization which is indicative of the operation being very new.

Similar to other major enterprise-targeting ransomware operations, RedAlert conducts double-extortion attacks, wherein when the data is stolen, the ransomware is released to encrypt the targeted device. 

This common Modus Operandi provides for two methods of extortion, allowing the ransomware operators to not only demand the ransom to receive a decryptor for the targeted device but also demand a separate ransom altogether to prevent the leaking of data that has been stolen.

In case a victim does not pay the demanded ransom, the creators of the RedAlert publish the stolen data on their data leak website for anyone to download.

How it all works

The ransomware’s Linux encryptor targets VMWare ESXi servers and allows the ransomware operators to shut down any running machines before the files on the same can be encrypted.

A peculiar attribute of the ransomware is when encrypting files, the ransomware only targets files associated with VMware ESXi virtual machines, including log files, swap files, virtual disks, and memory files, as shown below:

When the ransomware is run with the ‘-w’ argument, the Linux encryptor shuts down all running VMware ESXi virtual machines using the following esxcli command:

When further encrypting files, the ransomware uses the NTRUEncrypt public-key encryption algorithm, and it supports numerous “Parameter Sets” with varying levels of security.

The full list of command-line options can be seen below:

The ‘-x’ command-line option of ransomware, responsible for the ‘asymmetric cryptography performance testing’ using various NTRUEncrypt parameter configurations, is an intriguing feature of the same. It is still not known whether it is possible to force a specific parameter set to be used for encryption or whether the ransomware will choose a more effective one.

The only other ransomware known to have such similar characteristics is FiveHands.

In light of further findings by BleepingComputer, it is found that the ransomware would encrypt the files, append them through a certain code .crypt[number], and segregate them in folders. In these folders, one would find a ransom note named HOW_TO_RESTORE, which would have a description of the data that has been stolen and a link to a unique TOR browser-based website to pay for the ransom.

Encryption of files in Linux by the ransomware

The way such a website operates is much like the conventional TOR-based ransom payment website as it shows the demanded ransom and provides the victim with a way to negotiate with the ransomware operators. 

Ransom Note of N13V

What is also to be noted is that the said ransomware only accepts the ‘Monero cryptocurrency’ for payment, which is not commonly exchanged in American crypto exchanges because of it being a private coin.


As of now, only Linux encryption has been found in light of the investigations of the ransomware, but the ransom payment site has hidden elements showing a possibility that Windows decryptors may just also exist. While there has not been a lot of activity with the new N13V ransomware operation, it is one that we must keep an eye on due to its advanced functionality and immediate support for both Linux and Windows. 

As we get more exposed to new technologies, it is important for us to stay more cautious, be it big business or an individual’s data. Safety from such new-age threats is the need of the hour and must not be overlooked. If you are also someone who wants to protect their data from any sort of malwares then contact us as we are the best cyber security services provider globally.


Aman Nick

Leave a comment

Your email address will not be published. Required fields are marked *