The developers of two newly emergent ransomware families, RedAlert and Monster, are using novel techniques to spread their attacks as widely as possible by exploiting multiple different operating systems (OSes) at the same time, according to research shared by cyber giant Kaspersky.
The use of multi-platform ransomwares is nothing new as such. Indeed, Kaspersky said it has been witnessing their “prolific use” this year.
The aim of such ransomwares is to be able to damage as many systems as possible by adapting their code to several OSes at once.
However, whereas other cross-platform ransomwares, such as Luna or BlackCat, use multiplatform languages such as Rust or Go/Golang, RedAlert and Monster are not written in a cross-platform language but retain the ability to target various OSes simultaneously.
“We’ve got quite used to the ransomware groups deploying malware written in cross-platform language,” said Jornt van der Wiel, a senior security researcher on Kaspersky’s Global Research and Analysis Team (GReAT). “However, these days, cyber criminals learned to adjust their malicious code written in plain programming languages for joint attacks – making security specialists elaborate on ways to detect and prevent the ransomware attempts.”
RedAlert – which is also known as N13V – is coded in plain old C, or at least the Linux-targeting version Kaspersky dissected was, and explicitly targets both Windows and Linux-based VMware ESXi servers. It incorporates command line options that let its controllers seek out and shut off any running virtual machines (VMs) before encrypting files associated with ESXi VMs.
Its dark web site offers a decryptor for download that the group claims is available for all platforms, although Kaspersky has not been able to verify whether the decryptor is written in a cross-platform language. RedAlert otherwise uses fairly standard double extortion tactics.
A further noteworthy – albeit unrelated – point is that RedAlert only accepts ransom payments in the Monero cryptocurrency, which is not accepted in every country or by every exchange, making payments harder for the victim.
“Since the group is relatively young, we couldn’t find out a lot about the victimology, but RedAlert stands out as an interesting example of a group that managed to adjust their code written in C to different platforms,” the researchers said.
The Monster ransomware – first detected in July 2022 by Kaspersky’s Darknet monitoring system – is written in the general-purpose Delphi language that expands on different systems. However, this group stands out because it includes a graphical user interface (GUI), a component that no other known ransomware crew has ever implemented before.
Kaspersky admitted this feature was something of a puzzle to them. “This latter property is especially peculiar, as we do not remember seeing this before,” it said. “There are good reasons for this, because why would one go through the effort of implementing this when most ransomware attacks are executed using the command line in an automated way during a targeted attack?
“The ransomware authors must have realised this as well, since they included the GUI as an optional command-line parameter.”
More information on both these ransomwares, including various screenshots, as well as additional intelligence on the vulnerabilities used in their attacks, is available from Kaspersky.