Four new ransomware groups to be aware of


With law enforcement and intelligence agencies in many countries hunting ransomware gangs, it’s no surprise some veteran groups are reportedly disbanding, laying low, or abandoning their brands and starting with new names. Yet despite this attention from authorities, new players are still emerging, as two recent reports illustrate.

A report by researchers at U.S.-based Cyble identifies three new groups not believed to be associated with existing ones. The report also includes indicators of compromise for each strain. The three are:

RedAlert, which targets both Windows and Linux VMware ESXi servers on corporate networks. The ransomware stops all running virtual machines and encrypts any file related to virtual machines, such as virtual disks, the report notes. The name comes from a string in the ransom note, although the threat actors named their campaign “N13V”. RedAlert only accepts ransom payments in Monero, which is rather atypical for ransomware groups, the report says.

The threat actors behind it run the ransomware manually, meaning it is executed after a complete takeover of a victim’s system. The ransomware binary provides various options for performing pre-encryption operations, such as stopping all virtual machines running on VMware ESXi and running asymmetric cryptography performance tests.

The ransomware uses the NTRUEncrypt public key encryption algorithm for encryption, targeting log files (.log), swap files (.vswp), virtual disks (.vmdk), snapshot files (.vmsn) and memory files (.vmem) of VMware ESXi virtual machines. After encryption the ransomware appends a “.crypt[Random number]” extension to the file;

Omega is suspected of targeting organizations using double extortion techniques, meaning the group behind it steals data before encrypting victims’ servers and then threatens to sell the copied data unless the victim pays for decryption keys. The indicators of compromise of this ransomware strain are unavailable in the wild;

Lilith ransomware, which gets its name from the “.lilith” extension it appends to encrypted files. Victims are given three days to negotiate the price for the decryption software. Failing that, the threat actor threatens to start leaking copied personal data.

Researchers note Lilith malware can affect many file types and render them completely unusable.

Luna ransomware. This morning Kaspersky released a report on this new strain, which is written in Rust and runs on Windows, Linux and ESXi systems.
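As an added example (not from the Cyble report or this article), a defender could sweep a datastore or file share for the appended extensions described above: RedAlert's “.crypt[Random number]” and Lilith's “.lilith”. It assumes the random number is written as decimal digits, and the file names in `demo()` are constructed.

```python
import os
import re
import tempfile

# Appended extensions as described in the article. Assumption: the
# "[Random number]" part is one or more decimal digits.
SUFFIXES = {
    "RedAlert": re.compile(r"\.crypt\d+$", re.IGNORECASE),
    "Lilith": re.compile(r"\.lilith$", re.IGNORECASE),
}
# VMware ESXi file types the article lists as RedAlert targets.
ESXI_TYPES = (".log", ".vswp", ".vmdk", ".vmsn", ".vmem")


def classify(filename):
    """Return (family, original_name, is_esxi_file), or None if clean."""
    for family, pattern in SUFFIXES.items():
        match = pattern.search(filename)
        if match:
            original = filename[:match.start()]
            return family, original, original.lower().endswith(ESXI_TYPES)
    return None


def scan(root):
    """Walk root and collect files carrying one of the appended extensions."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            result = classify(name)
            if result:
                hits.append((os.path.join(dirpath, name),) + result)
    return hits


def demo():
    """Scan a constructed VM folder; only three of the six files should hit."""
    names = ["web01.vmdk.crypt658", "web01.vmem.crypt658", "web01.vmx",
             "vmware.log", "report.docx.lilith", "notes.crypt.txt"]
    with tempfile.TemporaryDirectory() as root:
        vm_dir = os.path.join(root, "web01")
        os.makedirs(vm_dir)
        for name in names:
            open(os.path.join(vm_dir, name), "w").close()
        return sorted(scan(root))

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

A hit on a file name alone is only a lead; the `is_esxi_file` flag helps prioritise renamed virtual disks and memory files over unrelated files that happen to share the suffix.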

To fight ransomware, Cyble urges CISOs to:

  • perform regular backups and keep those backups offline or in a separate network;
  • turn on the automatic software update feature on all computers, mobile and other connected devices wherever possible and pragmatic;
  • use a reputable anti-virus and internet security software package on all corporate-owned connected devices;
  • educate staff to refrain from opening untrusted links and email attachments without verifying their authenticity.

According to Q2 research this month from Cyberint, the most successfully deployed ransomware, as measured by claims on threat actors’ data leak sites, was LockBit, followed by BlackCat (AlphV), Black Basta, Conti and Vice Society.

During the second quarter, Conti officially shut down its infrastructure, but researchers believe its members are supporting other groups. However, says Cyberint, it suffered what appears to have been a mortal blow when a Ukrainian security researcher infiltrated the group’s infrastructure and leaked a trove of information, including online conversations, personnel information, tools, and their product’s source code.

The post Four new ransomware groups to be aware of first appeared on IT World Canada.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
