Best News Network

Adaptive RedAlert, Monster ransomwares go cross-platform

The developers of two newly emergent ransomware families, RedAlert and Monster, are using novel techniques to spread their attacks as widely as possible by targeting multiple operating systems (OSes) at the same time, according to research shared by cyber giant Kaspersky.

The use of multi-platform ransomwares is nothing new as such. Indeed, Kaspersky said it has been witnessing their “prolific use” this year.

The aim of such ransomwares is to be able to damage as many systems as possible by adapting their code to several OSes at once.

However, whereas other cross-platform ransomwares, such as Luna or BlackCat, use multiplatform languages such as Rust or Go/Golang, RedAlert and Monster are not written in a cross-platform language but retain the ability to target various OSes simultaneously.

“We’ve got quite used to the ransomware groups deploying malware written in a cross-platform language,” said Jornt van der Wiel, a senior security researcher on Kaspersky’s Global Research and Analysis Team (GReAT). “However, these days, cyber criminals learned to adjust their malicious code written in plain programming languages for joint attacks – making security specialists elaborate on ways to detect and prevent the ransomware attempts.”

RedAlert – which is also known as N13V – is coded in plain old C, or at least the Linux-targeting version Kaspersky dissected was, and explicitly targets both Windows systems and Linux-based VMware ESXi servers. It incorporates command line options that let its controllers seek out and shut off any running virtual machines (VMs) before encrypting the files associated with those ESXi VMs.

Its dark web site offers a decryptor for download that the group claims is available for all platforms, although Kaspersky has not been able to verify whether the decryptor is written in a cross-platform language. RedAlert otherwise uses fairly standard double extortion tactics.

A further noteworthy – albeit unrelated – point is that RedAlert only accepts ransom payments in the Monero cryptocurrency, which is not accepted in every country or by every exchange, making payments harder for the victim.

“Since the group is relatively young, we couldn’t find out a lot about the victimology, but RedAlert stands out as an interesting example of a group that managed to adjust their code written in C to different platforms,” the researchers said.

The Monster ransomware – first detected in July 2022 by Kaspersky’s Darknet monitoring system – is written in the general-purpose Delphi language, which its authors have adapted to run on different systems. However, this group stands out because it includes a graphical user interface (GUI), a component that no other known ransomware crew has ever implemented before.

Kaspersky admitted this feature was something of a puzzle to them. “This latter property is especially peculiar, as we do not remember seeing this before,” it said. “There are good reasons for this, because why would one go through the effort of implementing this when most ransomware attacks are executed using the command line in an automated way during a targeted attack?

“The ransomware authors must have realised this as well, since they included the GUI as an optional command-line parameter.”

More information on both these ransomwares, including various screenshots, as well as additional intelligence on the vulnerabilities used in their attacks, is available from Kaspersky.
