Chile’s national computer security and incident response team (CSIRT) has announced that a ransomware attack has impacted operations and online services of a government agency in the country.
The attack, which started on August 25, targeted Microsoft and VMware ESXi servers operated by the agency.
The hackers stopped all running virtual machines and encrypted their files, appending the “.crypt” filename extension.
According to CSIRT, the malware used in this attack is also capable of stealing credentials from web browsers, listing removable devices for encryption, and evading antivirus detection using execution timeouts.
The hackers offered Chile’s CSIRT a communication channel to negotiate the payment of a ransom in exchange for not leaking the files and for unlocking the encrypted data.
The attacker set a three-day deadline and threatened to sell the stolen data to other cybercriminals on the dark web.
The government did not reveal the ransomware group responsible for the attack and also did not provide sufficient details to identify the malware.
The little information Chile’s CSIRT provided on the behavior of the malware points to ‘RedAlert’ ransomware (aka “N13V”), an operation launched in July 2022.
RedAlert ransomware has used the “.crypt” extension in attacks, targets both Windows servers and Linux VMware ESXi machines, can force-stop all running VMs prior to encryption, and uses the NTRUEncrypt public-key encryption algorithm.
However, the indicators of compromise (IoCs) in Chile’s CSIRT announcement are either associated with Conti. Conti has been previously linked to attacks on entire nations.
According to Chilean threat analyst Germán Fernández, the strain appears to be entirely new, and the researchers he contacted could not associate the malware with known families.
Chile’s cybersecurity organization recommends that all state entities, as well as large private organizations in the country, take the necessary precautionary measures.
Chile’s CSIRT has also provided a set of indicators of compromise for files used in the attack that defenders can use to protect their organizations.
The post Windows, Linux servers of Chile govt agency hit by ransomware first appeared on Cybersafe News.