{
	"id": "5132c409-21d1-4f07-aa66-1db8f6e8d17d",
	"created_at": "2026-04-06T00:15:55.609799Z",
	"updated_at": "2026-04-10T03:21:26.269818Z",
	"deleted_at": null,
	"sha1_hash": "7dc9d8176045c46491911e3af05c2fff4fd7e6b3",
	"title": "New RedAlert Ransomware targets Windows, Linux VMware ESXi servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2491970,
	"plain_text": "New RedAlert Ransomware targets Windows, Linux VMware ESXi servers\r\nBy Lawrence Abrams\r\nPublished: 2022-07-05 · Archived: 2026-04-02 11:55:47 UTC\r\nA new ransomware operation called RedAlert, or N13V, encrypts both Windows and Linux VMware ESXi servers in attacks on corporate networks.\r\nThe new operation was discovered today by MalwareHunterTeam, who tweeted various images of the gang's data leak site.\r\nThe ransomware has been called 'RedAlert' based on a string used in the ransom note. However, from a Linux encryptor obtained by BleepingComputer, the threat actors call their operation 'N13V' internally, as shown below.\r\nhttps://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/\r\nPage 1 of 8\r\nRedAlert / N13V ransomware command-line options\r\nSource: BleepingComputer\r\nThe Linux encryptor is created to target VMware ESXi servers, with command-line options that allow the threat actors to shut down any running virtual machines before encrypting files.\r\nThe full list of command-line options can be seen below.\r\n-w Run command for stop all running VM`s\r\n-p Path to encrypt (by default encrypt only files in directory, not include subdirectories)\r\n-f File for encrypt\r\n-r Recursive. used only with -p ( search and encryption will include subdirectories )\r\n-t Check encryption time(only encryption, without key-gen, memory allocates ...)\r\n-n Search without file encryption.(show ffiles and folders with some info)\r\n-x Asymmetric cryptography performance tests. DEBUG TESTS\r\n-h Show this message\r\nWhen running the ransomware with the ' -w ' argument, the Linux encryptor will shut down all running VMware ESXi virtual machines using the following esxcli command:\r\nesxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | tail -n +2 | awk -F $',' '{system(\"\r\nWhen encrypting files, the ransomware utilizes the NTRUEncrypt public-key encryption algorithm, which supports various 'Parameter Sets' that offer different levels of security.\r\nAn interesting feature of RedAlert/N13V is the '-x' command-line option that performs 'asymmetric cryptography performance testing' using these different NTRUEncrypt parameter sets. However, it is unclear if there is a way to force a particular parameter set when encrypting and/or if the ransomware will select a more efficient one.\r\nThe only other ransomware operation known to use this encryption algorithm is FiveHands.\r\nNTRUEncrypt encryption speed test\r\nSource: BleepingComputer\r\nWhen encrypting files, the ransomware will only target files associated with VMware ESXi virtual machines, including log files, swap files, virtual disks, and memory files, as listed below.\r\n.log\r\n.vmdk\r\n.vmem\r\n.vswp\r\n.vmsn\r\nIn the sample analyzed by BleepingComputer, the ransomware would encrypt these file types and append the .crypt[number] extension to the file names of encrypted files.\r\nEncrypting files in Linux with RedAlert\r\nSource: BleepingComputer\r\nIn each folder, the ransomware will also create a custom ransom note named HOW_TO_RESTORE, which contains a description of the stolen data and a link to a unique TOR ransom payment site for the victim.\r\nRedAlert / N13V ransom note\r\nSource: BleepingComputer\r\nThe Tor payment site is similar to other ransomware operation sites as it displays the ransom demand and provides a way to negotiate with the threat actors.\r\nHowever, RedAlert/N13V only accepts the Monero cryptocurrency for payment, which is not commonly sold on US crypto exchanges because it is a privacy coin.\r\nRedAlert / N13V Tor negotiation site\r\nSource: BleepingComputer\r\nWhile only a Linux encryptor has been found, the payment site has hidden elements showing that Windows decryptors also exist.\r\n\"Board of Shame\"\r\nLike almost all new enterprise-targeting ransomware operations, RedAlert conducts double-extortion attacks, in which data is stolen first and ransomware is then deployed to encrypt devices.\r\nThis tactic provides two extortion methods, allowing the threat actors to demand a ransom not only for a decryptor but also to prevent the leaking of the stolen data.\r\nWhen a victim does not pay a ransom demand, the RedAlert gang publishes the stolen data on their data leak site, where anyone can download it.\r\nRedAlert / N13V Data Leak Site\r\nSource: BleepingComputer\r\nCurrently, the RedAlert data leak site only contains the data for one organization, indicating that the operation is very new.\r\nWhile there has not been a lot of activity with the new N13V/RedAlert ransomware operation, it is one that we will definitely need to keep an eye on due to its advanced functionality and immediate support for both Linux and Windows.\r\nSource: https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/"
	],
	"report_names": [
		"new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434555,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7dc9d8176045c46491911e3af05c2fff4fd7e6b3.pdf",
		"text": "https://archive.orkl.eu/7dc9d8176045c46491911e3af05c2fff4fd7e6b3.txt",
		"img": "https://archive.orkl.eu/7dc9d8176045c46491911e3af05c2fff4fd7e6b3.jpg"
	}
}