RedAlert (aka N13V), a new ransomware threat, has been found, that encrypts both Windows and Linux VMWare ESXi servers.

About RedAlert ransomware

The new ransomware was discovered by MalwareHunterTeam, who also tweeted multiple images of its data leak site. 
  • The ransomware is called RedAlert because of a string used in the ransom note. However, in the Linux encrypter version, the attackers are calling their operation N13V internally.
  • The Linux encryptor is designed to target VMware ESXi servers, with command-line options allowing the attackers to shut down any running virtual machines before locking files.
  • Similar to other enterprise-targeting ransomware operations, RedAlert carries out double-extortion attacks, in which data is stolen and then ransomware is deployed to encrypt devices.

What happens next

The ransomware only targets files associated with VMware ESXi virtual machines, including memory files, log files, virtual disks, and swap files. 
  • The ransomware encrypts these file types and adds the .crypt658 extension to the file names.
  • In each folder, the ransomware creates a custom ransom note named HOW_TO_RESTORE, including a description of the stolen data and a link to a TOR ransom payment site.

Technical details

One of the features of RedAlert/N13V is the '-x' command-line option that carries out asymmetric cryptography performance testing with the use of different NTRUEncrypt parameter sets.
  • During encryption, the ransomware makes use of the NTRUEncrypt public-key encryption algorithm, which supports different 'Parameter Sets' offering various levels of security.
  • Besides RedAlert, the only other ransomware known for using this method of encryption is the FiveHands ransomware.


At present, RedAlert shows only one organization as a victim, which could change in the near future. Moreover, support for both Windows and  Linux suggests that the malware aims to target a wider attack surface. Thus, organizations are suggested to keep an eye on this threat. Always protect sensitive information with encryption and proper access controls.
Cyware Publisher