Red Alert, or N13V as the group refers to itself, is a group
that targets VMware ESXi, Windows, and Linux servers using a human-operated encryptor.
This differs from other groups, whose malicious software automatically encrypts
pre-selected data by file extension, such as ".jpg," ".png," and others: here the
operators run the encryptor by hand.
Threat actors must already be inside your network and, notably,
must have administrator rights on the machine to deploy the payload. The
encryptor has various flag options for shutting down VMs, running
recursively, and more before encrypting data with the rarely seen
NTRUEncrypt public-key cryptosystem combined with ChaCha20.
Other ransomware families that use NTRUEncrypt include PolyVice from
Vice Society and FiveHands. The group also runs a Tor payment
site, similar to those of other ransomware groups, which displays the ransom demand
and provides a way to negotiate with the group and pay the ransom.
Red Alert can infect both Windows and Linux systems, which
is relatively rare, as ransomware typically focuses on a single operating
system. This makes it particularly dangerous in corporate environments where
both operating systems are used.
The best defense against Red Alert includes robust security
measures such as regular data backups, regular security updates, phishing
awareness training for employees, and the use of advanced security solutions to
detect and block malware before it can cause damage.
What to do if I am a target?
If you are targeted by a ransomware attack, here are some
important steps to follow to minimize damage and attempt to recover your data:
1. Disconnect from the Internet: This can prevent the
ransomware from spreading to other devices on the same network. Disconnect all
affected devices from any Internet or local network connection.
2. Identify the Ransomware: Try to identify the variant of
the ransomware. Tools like ID Ransomware can help you identify the ransomware
family based on a ransom note, a specific file extension, or a sample of the
encrypted file.
3. Report the Incident: Report the attack to the competent
authorities. Additionally, filing a police report can be important for
insurance claims or future investigations.
4. Check for Decryption Possibility: Often, security
researchers manage to break the encryption of certain ransomware variants and
provide decryption tools for free. Sites like No More Ransom can provide
decryption tools that can help recover your files without paying the ransom.
Unfortunately, Red Alert ransomware does not yet have decryption tools, only
specialized companies like Digital Recovery can recover the affected files.
5. Restore Files from a Backup: If you have backups of
your files stored in a secure location (that has not been affected by the
attack), you can restore your data from these backups. Make sure the system is
clean of any malware before restoring the files.
6. Consult Security Professionals: If necessary, hire a
cyber security incident response team or a company specializing in data
recovery to assist in the recovery process.
7. Prevention for the Future: After resolving the incident,
it is crucial to take steps to prevent future attacks. This includes keeping
all operating systems and software updated, conducting regular security
awareness training for employees, using robust cybersecurity solutions, and
maintaining an effective backup strategy.
8. Do Not Pay the Ransom: Although it may be tempting,
paying the ransom does not guarantee that you will recover your data and may
encourage criminals to continue their illicit activities. Additionally, payment
may subject you to future attacks.
By following these steps, you can increase your chances of
mitigating the damage from a ransomware attack and protecting your systems
against future threats.
What to do after data recovery?
After dealing with a ransomware attack and taking immediate
steps for mitigation and data recovery attempts, there are several additional
steps you can follow to strengthen your security and better prepare for future
incidents:
1. Post-Incident Analysis: Conduct a detailed analysis
of the incident to understand how the attack happened, which vulnerabilities
were exploited, and where defenses failed. This may include reviewing system
logs, firewalls, and intrusion detection systems.
2. Security Reinforcement: Based on the analysis of the
attack, implement additional security measures. This may include installing
security updates, configuring stricter firewall rules, and using more robust
anti-malware and anti-ransomware software.
3. Employee Training and Awareness: Continue to educate
and train all employees on cybersecurity. Teach them to recognize phishing
emails, suspicious links, and safe internet practices. Well-informed employees
are one of the best defenses against ransomware and other types of
cyberattacks.
4. Review and Improve Incident Response Plans: Refine
your incident response plans based on the lessons learned from the attack. This
may include implementing more effective communication protocols during a
crisis, creating rapid response teams, and simulating attacks to test the
organization's response.
5. Security Audits and Penetration Testing: Conduct
regular security audits and penetration tests to identify and fix
vulnerabilities before they can be exploited by attackers. These checks should
be performed by internal teams or by external security consultants.
6. Backup and Recovery: Evaluate and improve your backup
strategy. Ensure that backups are performed regularly, stored securely, and
tested frequently so that they work properly when they are needed.
7. Compliance and Regulation: Ensure that your security
practices comply with local and international regulations. This may include
data protection regulations like the GDPR in Europe.
8. Continuous Monitoring: Implement or enhance
continuous monitoring of your IT environment to quickly detect suspicious or
abnormal activities. Threat detection and response tools can be particularly
helpful.
By implementing these measures, you not only increase the
security of your IT environment but also enhance your ability to respond quickly
and efficiently to future security incidents.