New ransomware hits Windows, Linux servers of Chile govt agency – BleepingComputer

Chile's national computer security and incident response team (CSIRT) has announced that a ransomware attack has impacted operations and online services of a government agency in the country.

The attack started on Thursday, August 25, targeting Microsoft Windows and VMware ESXi servers operated by the agency.

The hackers stopped all running virtual machines and encrypted their files, appending the ".crypt" filename extension.

"The ransomware would use the NTRUEncrypt public key encryption algorithm, targeting log files (.log), executable files (.exe), dynamic library files (.dll), swap files (.vswp), virtual disks (.vmdk), snapshot (.vmsn) files, and virtual machine memory (.vmem) files, among others," - Chile CSIRT

According to CSIRT, the malware used in this attack also had functions for stealing credentials from web browsers, listing removable devices for encryption, and evading antivirus detection by using execution timeouts.

In typical double-extortion fashion, the intruders offered Chile's CSIRT a communication channel to negotiate the payment of a ransom that would prevent the leaking of the files and unlock the encrypted data.

The attacker set a three-day deadline and threatened to sell the stolen data to other cybercriminals on the dark web.

Chile's CSIRT announcement doesn't name the ransomware group responsible for the attack, nor does it provide sufficient details that would lead to identifying the malware.

The extension appended to the encrypted files does not offer any hint because it has been used by multiple threat actors.

While the little information Chile's CSIRT provided on the behavior of the malware points to 'RedAlert' ransomware (aka "N13V"), an operation launched in July 2022, technical details suggest otherwise.

RedAlert ransomware has used the ".crypt" extension in attacks, targets both Windows servers and Linux VMware ESXi machines, can force-stop all running VMs prior to encryption, and uses the NTRUEncrypt public-key encryption algorithm.

However, the indicators of compromise (IoCs) in Chile's CSIRT announcement are either associated with Conti or return an inconclusive result when fed to automated analysis systems.

Conti has been previously linked to attacks on entire nations, such as the one on Costa Rica in April 2022, which took five days from gaining initial access to stealing and encrypting the systems.

Chilean threat analyst Germán Fernández told BleepingComputer that the strain appears to be entirely new, and the researchers he talked to couldn't associate the malware with known families.

Fernández also commented that the ransom note wasn't generated during the infection, a detail that BleepingComputer can confirm. The researcher said that the note was delivered before deploying the file-locking malware.

"One particular thing about the attack, is that the threat actors distributed the ransom note at a previous stage to the deployment of the ransomware as the final payload, possibly for evasion issues or to avoid having their contact details leaked when sharing the final sample." - Germán Fernández

BleepingComputer was able to analyze multiple samples of the malware used for the attack and retrieved a ransom note named 'readme_for_unlock.txt' (shown below in the original article).

All ransom notes that BleepingComputer has seen when analyzing this ransomware strain include a link to a unique website in the Tor network along with a password to log in.

As far as we have seen, a data leak site for this ransomware does not exist yet. The Tor site only shows a message box through which victims can contact the hackers.

Accessing the above communication channel requires a password, which is included in the ransom note.

The malware configures itself to launch on Windows login and uses the name SecurityUpdate at startup.
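As an added example (not code from the article, from Chile's CSIRT, or from BleepingComputer's analysis), the following Python triage script looks for the host-level indicators this article reports: files carrying the ".crypt" extension, tallied by the original extension hidden underneath and compared against the file types in the CSIRT quote; the 'readme_for_unlock.txt' note; and, on Windows only, a value named SecurityUpdate under the standard Run keys. The Run-key location is an assumption, since the article only says the malware launches at Windows login under that name. The sample directory tree is constructed in a temporary folder so the script runs offline.

```python
"""Triage for the file-level indicators described above.

Added example, not code from the article, Chile's CSIRT or BleepingComputer.
The sample tree is constructed; the Run-key location for "SecurityUpdate" is
an assumption (the article only says it launches at Windows login).
"""
import os
import sys
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".crypt"               # extension appended to encrypted files
RANSOM_NOTE = "readme_for_unlock.txt"  # note name recovered by BleepingComputer
PERSISTENCE_NAME = "SecurityUpdate"    # autostart entry name reported in the article
# File types the CSIRT notice says the ransomware targets.
TARGETED_EXTS = {".log", ".exe", ".dll", ".vswp", ".vmdk", ".vmsn", ".vmem"}
# Assumption: a Run-key value is the usual way to "launch on Windows login".
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def scan_tree(root):
    """Walk `root` and collect encrypted files and ransom notes.

    Returns sorted paths of .crypt files, sorted paths of notes, a tally of
    the original extension under .crypt, and which of those extensions are
    on the CSIRT target list.
    """
    encrypted, notes, by_ext = [], [], {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = str(Path(dirpath) / name)
            lower = name.lower()
            if lower == RANSOM_NOTE:
                notes.append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                # "db01.vmdk.crypt" -> original suffix ".vmdk"
                orig = Path(lower[:-len(ENCRYPTED_EXT)]).suffix
                by_ext[orig] = by_ext.get(orig, 0) + 1
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "by_ext": by_ext,
        "targeted": sorted(set(by_ext) & TARGETED_EXTS),
    }


def run_key_hits():
    """Return (hive, name, command) for Run-key values named SecurityUpdate.

    Only meaningful on Windows; returns an empty list elsewhere so the
    script still runs on a Linux analysis box.
    """
    if sys.platform != "win32":
        return []
    import winreg
    hits = []
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"),
                        (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values under this key
                    break
                if name.lower() == PERSISTENCE_NAME.lower():
                    hits.append((label, name, value))
                index += 1
    return hits


def build_sample_tree():
    """Create a constructed (not real) victim-like directory in a temp folder."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    for rel in (
        "vms/db01/db01.vmdk.crypt",
        "vms/db01/db01.vmem.crypt",
        "vms/db01/db01-Snapshot1.vmsn.crypt",
        "vms/readme_for_unlock.txt",
        "app/service.exe.crypt",
        "app/notes.txt",  # untouched file, must not be flagged
    ):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("placeholder")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes")
    print("original extensions:", result["by_ext"])
    print("on CSIRT target list:", result["targeted"])
    for hive, name, cmd in run_key_hits():
        print(f"persistence: {hive}\\...\\Run\\{name} = {cmd}")
```

Point `scan_tree()` at a mounted datastore or a Windows volume instead of the constructed tree to get a quick count of what was encrypted and where the notes landed; `run_key_hits()` only covers the two Run keys, so RunOnce, the Startup folder and scheduled tasks still need a separate look.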

From what BleepingComputer could learn so far about this ransomware, this is a new operation that launched at the beginning of August.

Chile's cybersecurity organization recommends that all state entities, as well as large private organizations in the country, apply the following measures:

Chile CSIRT has provided a set of indicators of compromise for files used in the attack that defenders can use to protect their organizations.
