Home / Threat Intelligence bulletins / New RedAlert ransomware


RedAlert is a new ransomware operation, using the double-extortion model, where victims are charged once for a key to access their files and then pressured to pay again to keep the gang from sharing their files (though some gangs then go ahead and sell the secrets anyway).

Not a lot of information has emerged about the group yet but their darknet blog shows they’ve already been successful in some of their attempts.


ESXi-based ransomware like this one will pause and then encrypt entire virtual machines, virtual memory, swap files, disks and log files, making recovery difficult.

Affected Products

Microsoft Windows Linux VMware ESXi.

Containment, Mitigations & Remediations

Normal ransomware mitigations are advised. Administrators should use network controls to limit access to administration interfaces and ensure that regular backups are kept.

Indicators of Compromise

None listed.

Threat Landscape

Targeting ESXi is becoming a common tactic for ransomware operators as it provides a single point of access to much of a victim’s infrastructure.

Mitre Methodologies

T1486 – Data Encrypted for Impact

Further Information

MalwareHunterTeam on Twitter

New RedAlert Ransomware targets Windows, Linux VMware ESXi servers