Skip links

New ransomware hits Windows, Linux servers of Chile govt agency



Chile’s national computer security and incident response team (CSIRT) has announced that a ransomware attack has impacted operations and online services of a government agency in the country.

The attack started on Thursday, August 25, targeting Microsoft and VMware ESXi servers operated by the agency.

The hackers stopped all running virtual machines and encrypted their files, appending the “.crypt” filename extension.

“The ransomware would use the NTRUEncrypt public key encryption algorithm, targeting log files (.log), executable files (.exe), dynamic library files (.dll), swap files (.vswp), virtual disks (. vmdk), snapshot (.vmsn) files, and virtual machine memory (.vmem) files, among others,” – Chile CSIRT

According to CSIRT, the malware used in this attack also had functions for stealing credentials from web browsers, list removable devices for encryption, and evade antivirus detection using execution timeouts.

In typical double-extortion fashion, the intruders offered Chile’s CSIRT a communication channel to negotiate the payment of a ransom that would prevent leaking the files and unlock the encrypted data.

The attacker set a three-day deadline and threatened to sell the stolen data to other cybercriminals on the dark web.

Attribution unclear

Chile’s CSIRT announcement doesn’t name the ransomware group is responsible for the attack, nor does it provide sufficient details that woul lead to identifying the malware.

The extension appended to the encrypted files does not offer any hint because it has been used by multiple threat actors.

While the little information Chile’s CSIRT provided on the behavior of the malware points to ‘RedAlert’ ransomware (aka “N13V”), an operation launched in July 2022, technical details suggest otherwise.

RedAlert ransomware used the “.crypt” extension in attacks, targets both Windows servers and Linux VMWare ESXi machines, is capable to force-stop all running VMs prior to encryption, and uses the NTRUEncrypt public-key encryption algorithm.

However, the indicators of compromise (IoCs) in Chile’s CSIRT announcement are either associated with Conti or are return an inconclusive result when fed to automated analysis systems.

Conti has been previously linked to attacks on entire nations, such as the one on Costa Rica in July 2022, which took five days from gaining initial access to stealing and encrypting the systems.

Chilean threat analyst Germán Fernández told BleepingComputer that the strain appears to be entirely new, and the researchers he talked to couldn’t associate the malware with known families.

Fernandez also commented that the ransom note wasn’t generated during the infection, a detail that BleepingComputer can confirm. The researcher said that the note was delivered before deploying the file-locking malware.

“One particular thing about the attack, is that the threat actors distributed the ransom note at a previous stage to the deployment of the ransomware as the final payload, possibly for evasion issues or to avoid having their contact details leaked when sharing the final sample.” – Germán Fernández

BleepingComputer was able to analyze multiple samples of the malware used for the attack and retrieved a ransom note named ‘readme_for_unlock.txt‘, seen below:

Ransom note of unidentified threat actor

All ransom notes that BleepingComputer has seen when analyzing this ransomware strain include a link to a unique website in the Tor network along with a password to log in.

As far as we’ve seen a data leak site for this ransomware does not exist, yet. The Tor site is for showing a message box where victims can contact the hackers.

Communication channel with the hackers
source: BleepingComputer

Accessing the above communication channel requires a password, which is included in the ransom note.

The malware configures itself to launch on Windows login and uses the name SecurityUpdate at startup.

Registry key added to launch at startup
source: BleepingComputer

From what BleepingComputer could learn so far about this ransomware, this is a new operation that launched at the beginning of August.

Chile’s cybersecurity organization recommends all state entities as well as large private organizations in the country to apply the following measures:

Use a properly configured firewall and antivirus tool
Update VMware and Microsoft assets
Keep backups of most important data
Verify the configuration of anti-spam filters and train employees to recognize malicious email
Implement network segmentation and apply the principle of least privilege
Stay informed about new vulnerabilities that need immediate patching or mitigation

Chile CSIRT has provided a set of indicators of compromise for files used in the attack that defenders can use to protect their organizations.

Adblock test (Why?)