How can we help?
RedAlert is a new ransomware operation, using the double-extortion model, where victims are charged once for a key to access their files and then pressured to pay again to keep the gang from sharing their files (though some gangs then go ahead and sell the secrets anyway).
Not a lot of information has emerged about the group yet but their darknet blog shows they’ve already been successful in some of their attempts.
ESXi-based ransomware like this one will pause and then encrypt entire virtual machines, virtual memory, swap files, disks and log files, making recovery difficult.
Microsoft Windows Linux VMware ESXi.
Containment, Mitigations & Remediations
Normal ransomware mitigations are advised. Administrators should use network controls to limit access to administration interfaces and ensure that regular backups are kept.
Indicators of Compromise
Targeting ESXi is becoming a common tactic for ransomware operators as it provides a single point of access to much of a victim’s infrastructure.
T1486 – Data Encrypted for Impact