Chile’s national computer security and incident response team (CSIRT) has announced that a ransomware attack has impacted operations and online services of a government agency in the country.
The attack started on Thursday, August 25, targeting Microsoft and VMware ESXi servers operated by the agency.
The hackers stopped all running virtual machines and encrypted their files, appending the “.crypt” filename extension.
“The ransomware would use the NTRUEncrypt public key encryption algorithm, targeting log files (.log), executable files (.exe), dynamic library files (.dll), swap files (.vswp), virtual disks (.vmdk), snapshot (.vmsn) files, and virtual machine memory (.vmem) files, among others,” – Chile CSIRT
According to CSIRT, the malware used in this attack also had functions for stealing credentials from web browsers, listing removable devices for encryption, and evading antivirus detection using execution timeouts.
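A responder who lands on an ESXi host after an attack like the one described above needs a quick answer to two questions: which files were encrypted, and which virtual machines lost their disks or memory state. The script below, an added example that is not Chile CSIRT's or BleepingComputer's code, does that triage over a datastore listing using only the behaviour the announcement reports: encrypted files keep their original name with “.crypt” appended. The datastore paths and file names are constructed for illustration; the extension list is the one CSIRT published, and files whose original extension is not on that list are flagged separately so the “among others” can be checked rather than assumed.

```python
"""Triage an ESXi datastore listing for files encrypted by a ransomware
that appends ".crypt" to each victim file (as described by Chile CSIRT).

Added example, not code from the original article or from Chile CSIRT.
The paths in SAMPLE_LISTING are constructed for illustration.
"""
from collections import defaultdict
from pathlib import PurePosixPath

# Extensions Chile CSIRT listed as targets ("among others").
TARGET_EXTS = {".log", ".exe", ".dll", ".vswp", ".vmdk", ".vmsn", ".vmem"}
# Subset whose loss means the VM itself is unrecoverable from the datastore.
VM_STATE_EXTS = {".vmdk", ".vswp", ".vmsn", ".vmem"}
ENCRYPTED_SUFFIX = ".crypt"


def original_name(path):
    """Return (original extension, original path) for an encrypted file,
    or None if the path does not carry the ransomware's suffix.
    "disk.vmdk" becomes "disk.vmdk.crypt", so the original extension is
    the one immediately before ".crypt"."""
    p = PurePosixPath(path)
    if p.suffix != ENCRYPTED_SUFFIX:
        return None
    orig = p.with_suffix("")          # strip the appended ".crypt"
    return orig.suffix.lower(), str(orig)


def triage(listing):
    """Group files by VM directory (datastore/<vm>/<file>) and record, per VM,
    which files were encrypted, how many were left alone, and which encrypted
    files had an extension outside the published target list."""
    per_vm = defaultdict(lambda: {"encrypted": [], "untouched": 0, "odd_targets": []})
    for path in listing:
        parts = PurePosixPath(path).parts
        vm = parts[-2] if len(parts) >= 2 else "<root>"
        hit = original_name(path)
        if hit is None:
            per_vm[vm]["untouched"] += 1
            continue
        ext, orig = hit
        per_vm[vm]["encrypted"].append(orig)
        if ext not in TARGET_EXTS:
            per_vm[vm]["odd_targets"].append(orig)
    return dict(per_vm)


def impacted_vms(summary):
    """VMs that lost at least one disk, swap, snapshot or memory file."""
    out = []
    for vm, info in summary.items():
        if any(PurePosixPath(f).suffix.lower() in VM_STATE_EXTS for f in info["encrypted"]):
            out.append(vm)
    return sorted(out)


# Constructed listing: one VM fully encrypted, one untouched apart from a
# stray text file, and a tools directory holding an encrypted installer.
SAMPLE_LISTING = [
    "/vmfs/volumes/datastore1/web01/web01.vmx",
    "/vmfs/volumes/datastore1/web01/web01.vmdk.crypt",
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk.crypt",
    "/vmfs/volumes/datastore1/web01/web01.vmem.crypt",
    "/vmfs/volumes/datastore1/web01/vmware.log.crypt",
    "/vmfs/volumes/datastore1/db01/db01.vmx",
    "/vmfs/volumes/datastore1/db01/db01.vmdk",
    "/vmfs/volumes/datastore1/db01/notes.txt.crypt",
    "/vmfs/volumes/datastore1/tools/backup.exe.crypt",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    for vm, info in sorted(summary.items()):
        print(f"{vm}: {len(info['encrypted'])} encrypted, "
              f"{info['untouched']} untouched, odd targets: {info['odd_targets']}")
    print("VMs with encrypted state:", impacted_vms(summary))
```

On a real host the listing would come from `find /vmfs/volumes -type f` captured to a file before any recovery work, since the point of the triage is to decide which VMs can be restarted from the datastore and which must come from backup.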
In typical double-extortion fashion, the intruders offered Chile’s CSIRT a communication channel to negotiate the payment of a ransom that would prevent leaking the files and unlock the encrypted data.
The attacker set a three-day deadline and threatened to sell the stolen data to other cybercriminals on the dark web.
Chile’s CSIRT announcement doesn’t name the ransomware group responsible for the attack, nor does it provide enough detail to identify the malware.
The extension appended to the encrypted files does not offer any hint because it has been used by multiple threat actors.
While the little information Chile’s CSIRT provided on the behavior of the malware points to ‘RedAlert’ ransomware (aka “N13V”), an operation launched in July 2022, technical details suggest otherwise.
RedAlert ransomware has used the “.crypt” extension in attacks, targets both Windows servers and Linux VMware ESXi machines, can force-stop all running VMs prior to encryption, and uses the NTRUEncrypt public-key encryption algorithm.
However, the indicators of compromise (IoCs) in Chile’s CSIRT announcement are either associated with Conti or return an inconclusive result when fed to automated analysis systems.
Conti has previously been linked to attacks on entire nations, such as the one on Costa Rica in April 2022, which took five days from initial access to data theft and encryption of the systems.
Chilean threat analyst Germán Fernández told BleepingComputer that the strain appears to be entirely new, and the researchers he talked to couldn’t associate the malware with known families.
Fernández also commented that the ransom note wasn’t generated during the infection, a detail that BleepingComputer can confirm. The researcher said that the note was delivered before the file-locking malware was deployed.
“One particular thing about the attack is that the threat actors distributed the ransom note at a previous stage to the deployment of the ransomware as the final payload, possibly for evasion issues or to avoid having their contact details leaked when sharing the final sample.” – Germán Fernández
BleepingComputer was able to analyze multiple samples of the malware used for the attack and retrieved a ransom note named ‘readme_for_unlock.txt’, seen below:
Ransom note of unidentified threat actor
All ransom notes that BleepingComputer has seen when analyzing this ransomware strain include a link to a unique website in the Tor network along with a password to log in.
As far as we’ve seen, a data leak site for this ransomware does not exist yet. The Tor site is for showing a message box where victims can …….