Ransomware - RedAlert

RedAlert
Aliases
N13V
Decryptor Available
No
Description

RedAlert, or N13V as the group calls themselves, is a ransomware group that attacks both Windows and Linux VMWare ESXi servers using a human-operated encryptor. In other words, the threat actors must be inside your network and, based on the payload, must have admin rights on the machine to deploy the payload. The encryptor has various flag options to shut down VMs, perform recursive actions, and much more before encrypting data with the rarely seen NTRUEncrypt public key cryptosystem combined with ChaCha20. Some other ransomware that uses NTRUEncrypt is PolyVice from Vice Society and FiveHands ransomware.

The first submission to VirusTotal was July 5, 2022, and the first extortion was publicly reported around the same time. As such, the group probably began operations around that time before concluding operations at the end of the same calendar year. During operations, the group performed double extortion attacks and leaked data on their Darkweb domain. They claimed six victims, but a ransomware sample exposed another alleged victim for a total of 7. They demanded ransoms in Monero (XMR), a well-known privacy coin, totaling six figures in US dollars. To ensure they received their ransoms, they performed a variety of blackmail methodologies, including free data leaks, ransom discounts (or increases if not paid), DDoS attacks, and even calling the employees of their victims. To make matters worse, N13V is known to have ransomed nonprofit groups, including one that worked with individuals with disabilities.

Ransomware Type
Crypto-Ransomware
HumOR
First Seen
Last Seen
Threat Actors
Type
Actor
Cybergroup
N13V
Extortion Types
DoS
Direct Extortion
Double Extortion
Extortion Price Increases
Free Data Leaks
Victim Employee Communication
Extortion Amounts
Amount
1325.1200XMR($160,000)
1656.4000XMR($200,000)
Encryption
Type
Hybrid
Files
ChaCha20
Key
NTRUEncrypt
Crypto Wallets
Blockchain Type
Crypto Wallet
XMR
8ACXEsCf1iSSFm6czaRWz7RKLzKAPbTX2R9U1NGtYy5RUqrfHKsGRPqRNEEkFuxqTuMAkfj6wcKzp6eqT12PwXgJQxbVz6W
File Extension
<file name>.crypt658
<file name>.crypt[random number]
Ransom Note Name
HOW_TO_RESTORE.txt
Ransom Note Image
Samples (SHA-256)
039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09
Industry Sector Country Extortion Date Amount (USD)
Real Estate & HousingAustria
Construction & ArchitectureFinland
Information TechnologyFrance
LegalUnited Kingdom
HospitalityUnited States
InsuranceUnited States
Construction & ArchitectureSpain