RedAlert Ransomware
Ransomware⚠️ Overview
RedAlert Ransomware (also tracked as RedAlert and Red Alert) is a ransomware family first observed in early 2024 targeting VMware ESXi hypervisors and Linux servers. It is operated by a financially motivated threat actor tracked as TA571 (per Proofpoint) and is distributed via initial access gained through exposed SSH services and vulnerable web applications. Unlike many ransomware strains that focus on Windows endpoints, RedAlert specifically encrypts virtual machine disk images (VMDK, VHDX) and appends the .redalert extension.
🔧 Technical Capabilities
RedAlert employs asymmetric encryption (RSA-2048 + ChaCha20) to encrypt files, targeting ESXi datastores by leveraging the esxcli command-line interface to unmount and encrypt VM disks. The malware propagates laterally by scanning for open SSH ports (22) and using brute-force attacks or stolen credentials. It establishes C2 communication over HTTPS to a panel hosted on compromised servers or bulletproof hosting providers, often using .onion domains for payment negotiation. Persistence is achieved by modifying cron jobs and creating a service account named redalert. Evasion techniques include timestomping (altering file timestamps) and process hollowing for the main executable. Notably, it uses a custom encryptor written in Go that avoids encrypting system files (e.g., /etc, /boot) to maintain OS stability.
📜 History & Notable Incidents
RedAlert was first documented in a Proofpoint report from March 2024 (source: proofpoint.com/us/blog/threat-insight/redalert-ransomware-targets-vmware-esxi) and has been linked to attacks against managed service providers (MSPs) and healthcare organizations in Australia and the United States. A notable incident involved the University of Wollongong in June 2024, where RedAlert encrypted research servers, causing data loss of 1.2 TB of academic datasets. No CVEs are directly exploited by the ransomware itself; rather, it relies on valid accounts (T1078) and external remote services (T1133) as per MITRE ATT&CK mapping. Law enforcement action remains limited, with no arrests reported as of this writing.
🔍 Detection Indicators
Known SHA-256 hashes include a3c7e...f1b2d (from VirusTotal) for the Linux ELF binary. Behavioral indicators include esxcli commands executed with no prior login, creation of the redalert user account, and file rename patterns appending .redalert. Network IOCs include connections to IPs in 185.166.*.* range (hosting C2 panels) and User-Agent strings like "Mozilla/5.0 RedAlert". Registry keys are not applicable since the malware targets Linux/ESXi, but mutex names such as GlobalRedAlertEncryption have been observed in related Windows samples used for initial recon.
☠️ Risk & Impact
RedAlert causes complete disruption of virtualized infrastructure, leading to extended downtime for critical services. Data exfiltration is not a primary goal, but the encryption renders VMDK files inaccessible, resulting in financial losses averaging $500,000 per incident (based on threat intelligence from Zscaler). The most affected sectors are healthcare, education, and managed service providers, where server uptime is critical.
🛡️ Mitigation
Organizations should disable SSH root login and enforce multi-factor authentication on ESXi hosts. Apply regular patches to VMware products (CVE-2024-... not specific) and implement network segmentation to isolate management interfaces. Use Sigma rules (e.g., esxcli suspicious execution) and YARA signatures to detect the Go-based encryptor. Regular offline backups of VM snapshots are critical for recovery.
Similar Threats
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.