Ransomware Red Alert (N13V) Targets Windows, Linux VMware ESXi Servers

Reverbtime Magazine


Red Alert, or N13V as the group calls itself, targets VMware ESXi, Windows, and Linux servers with a human-operated encryptor. This sets it apart from groups whose malware automatically encrypts pre-selected data by file extension, such as ".jpg" or ".png".

The threat actors must already be inside the network and, additionally, must hold administrator rights on the machine to deploy the payload. The encryptor takes a number of command-line flags for shutting down VMs, recursing through directories, and more before encrypting data with the rarely seen NTRUEncrypt public-key cryptosystem combined with ChaCha20.

Other ransomware families that use NTRUEncrypt include Vice Society's PolyVice and FiveHands. Like other groups, Red Alert also runs a Tor payment site that displays the ransom demand and provides a way to negotiate with the operators and pay the ransom.

Red Alert can infect both Windows and Linux systems, which is relatively rare for ransomware, which typically focuses on one operating system. This makes it particularly dangerous in corporate environments where both operating systems are in use.

The best defense against Red Alert includes robust security measures such as regular data backups, regular security updates, phishing awareness training for employees, and the use of advanced security solutions to detect and block malware before it can cause damage.


What to do if I am a target?

If you are targeted by a ransomware attack, here are some important steps to follow to minimize damage and attempt to recover your data:

1. Disconnect from the Internet: This can prevent the ransomware from spreading to other devices on the same network. Disconnect all affected devices from any Internet or local network connection.

2. Identify the Ransomware: Try to identify the variant of the ransomware. Tools like ID Ransomware can help you identify the ransomware family based on a ransom note, a specific file extension, or a sample of the encrypted file.

3. Report the Incident: Report the attack to the competent authorities. Filing a police report can also be important for insurance claims or future investigations.

4. Check for Decryption Possibility: Security researchers often manage to break the encryption of certain ransomware variants and release decryption tools for free. Sites like No More Ransom provide such tools and may help you recover your files without paying the ransom. Unfortunately, no decryption tool is yet available for Red Alert ransomware; only specialized companies like Digital Recovery can recover the affected files.

5. Restore Files from a Backup: If you have backups of your files stored in a secure location (that has not been affected by the attack), you can restore your data from these backups. Make sure the system is clean of any malware before restoring the files.

6. Consult Security Professionals: If necessary, hire a cybersecurity incident response team or a company specializing in data recovery to assist in the recovery process.

7. Prevention for the Future: After resolving the incident, it is crucial to take steps to prevent future attacks. This includes keeping all operating systems and software updated, conducting regular security awareness training for employees, using robust cybersecurity solutions, and maintaining an effective backup strategy.

8. Do Not Pay the Ransom: Although it may be tempting, paying the ransom does not guarantee that you will recover your data and may encourage criminals to continue their illicit activities. Additionally, payment may subject you to future attacks.

By following these steps, you can increase your chances of mitigating the damage from a ransomware attack and protecting your systems against future threats.


What to do after data recovery?

After dealing with a ransomware attack and taking immediate steps for mitigation and data recovery attempts, there are several additional steps you can follow to strengthen your security and better prepare for future incidents:

1. Post-Incident Analysis: Conduct a detailed analysis of the incident to understand how the attack happened, which vulnerabilities were exploited, and where defenses failed. This may include reviewing system logs, firewalls, and intrusion detection systems.

2. Security Reinforcement: Based on the analysis of the attack, implement additional security measures. This may include installing security updates, configuring stricter firewall rules, and using more robust anti-malware and anti-ransomware software.

3. Employee Training and Awareness: Continue to educate and train all employees on cybersecurity. Teach them to recognize phishing emails, suspicious links, and safe internet practices. Well-informed employees are one of the best defenses against ransomware and other types of cyberattacks.

4. Review and Improve Incident Response Plans: Refine your incident response plans based on the lessons learned from the attack. This may include implementing more effective communication protocols during a crisis, creating rapid response teams, and simulating attacks to test the organization's response.

5. Security Audits and Penetration Testing: Conduct regular security audits and penetration tests to identify and fix vulnerabilities before they can be exploited by attackers. These checks should be performed by internal teams or by external security consultants.

6. Backup and Recovery: Evaluate and improve your backup strategy. Ensure that backups are taken regularly, stored securely, and tested frequently so that they can be relied on when they are needed.

7. Compliance and Regulation: Ensure that your security practices comply with local and international regulations. This may include data protection regulations like the GDPR in Europe.

8. Continuous Monitoring: Implement or enhance continuous monitoring of your IT environment to quickly detect suspicious or abnormal activities. Threat detection and response tools can be particularly helpful.
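As an added example (not from the article, and not any vendor's or the group's own code), the Python below sketches a detection heuristic for the behaviour described at the top of the article, a burst of VM power-offs on an ESXi host followed by a burst of writes to datastore files, which is exactly the kind of abnormal activity step 8's continuous monitoring needs to catch. The event tuple format and all sample events are constructed for this example and are not a real ESXi log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example: (timestamp, host, event, object).
# Not a real ESXi log format; a deployment would normalise hostd/vCenter events into it.
EVENTS = [
    ("2024-01-01T02:00:01", "esx01", "vm_poweroff", "web-01"),
    ("2024-01-01T02:00:03", "esx01", "vm_poweroff", "db-01"),
    ("2024-01-01T02:00:04", "esx01", "vm_poweroff", "app-01"),
    ("2024-01-01T02:00:05", "esx01", "vm_poweroff", "app-02"),
    ("2024-01-01T02:00:06", "esx01", "vm_poweroff", "file-01"),
    # A single planned shutdown on another host: must not alert.
    ("2024-01-01T09:00:00", "esx02", "vm_poweroff", "test-01"),
    ("2024-01-01T09:05:00", "esx02", "file_write", "/vmfs/volumes/ds2/test-01/test-01.vmdk"),
]
# Burst of datastore writes on esx01 shortly after the power-offs.
for n, vm in enumerate(["web-01", "db-01", "app-01", "app-02", "file-01"]):
    EVENTS.append((f"2024-01-01T02:00:{40 + n}", "esx01", "file_write",
                   f"/vmfs/volumes/ds1/{vm}/{vm}.vmdk"))


def detect_shutdown_then_encrypt(events, min_poweroffs=3, min_writes=4,
                                 window=timedelta(minutes=5)):
    """Return {host: details} for hosts where at least `min_poweroffs` VM
    power-offs fall inside `window` and at least `min_writes` datastore file
    writes follow within `window` of the last power-off in that burst."""
    by_host = defaultdict(list)
    for ts, host, event, obj in events:
        by_host[host].append((datetime.fromisoformat(ts), event, obj))

    alerts = {}
    for host, evs in by_host.items():
        offs = sorted(t for t, ev, _ in evs if ev == "vm_poweroff")
        writes = sorted(t for t, ev, obj in evs
                        if ev == "file_write" and obj.startswith("/vmfs/volumes/"))
        for start in offs:
            burst = [t for t in offs if start <= t <= start + window]
            if len(burst) < min_poweroffs:
                continue
            last_off = burst[-1]
            following = [t for t in writes if last_off <= t <= last_off + window]
            if len(following) >= min_writes:
                alerts[host] = {"poweroffs": len(burst), "writes": len(following),
                                "first_poweroff": burst[0].isoformat()}
                break  # one alert per host is enough
    return alerts


if __name__ == "__main__":
    for host, info in detect_shutdown_then_encrypt(EVENTS).items():
        print(f"ALERT {host}: {info}")
```

Thresholds and window are tuning knobs: a maintenance window that powers off many VMs will trip the first condition, which is why the rule also requires the follow-on write burst.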

By implementing these measures, you not only increase the security of your IT environment but also enhance your ability to respond quickly and efficiently to future security incidents.
