New ransomware is targeting Windows and Linux VMware ESXi servers – RedAlert/N13V

The ransomware was discovered by MalwareHunterTeam, who tweeted images of the malicious actor’s data leak webpage. The ransomware was called RedAlert as it has this name in the ransom note left for the victims, however, the criminals call their operation N13V, as we can see from the screenshots provided by the BleepingComputer website.

We know that ransomware is designated for VMware ESXi servers as it is targeting specific files, which belong to ESXi virtual machines, like log files, swap files, virtual disks, and memory files:

  • .log
  • .vmdk
  • .vmem
  • .vswp
  • .vmsn

In-depth video analysis of the ransomware here:

PS. Don’t forget to subscribe to my channel! Thanks and enjoy the video:

How to protect your environment?

There are few options for us to protect our virtual environments against not only ransomware software but all other malicious threads.

  1. Keep your strategic VM backed up. Yes, virtual machines. In the event of being a victim of ransomware, you can rebuild ESXi host and restore your VMs from backup.
  2. Have your network segmented. Always keep your ESXi hosts on a separate network from the network users browse the Internet.
  3. Disable SSH service.
  4. Keep your hosts in Lockdown mode.

Keeping services off and Lockdown mode on could be hard to police, especially if there are few administrators. Someone can change the settings for troubleshooting purposes and forget to put every security measure back in place.

Therefore today I am going to show you two short PowerShell scripts, to keep SSH off and Lockdown mode on. You can use them to build one script or run them separately as a daily job to keep everything under control. In my case, those two small scripts are part of one big script where I put all hardening recommendations.

$vmhosts = get-vmhost | where {$_.State -eq "Connected" -or $_.State -eq "Maintenance"}
$ssh = $vmhosts | get-vmhostservice | where-object {$_.key -eq "TSM-SSH"}
$sshon = $ssh | where {$_.Running -eq "True"}
$sshon | stop-vmhostservice -confirm:$false
$sshon | set-vmhostservice -policy "Off" -Confirm:$false

$lockesx = get-vmhost 
foreach ($lock in $lockesx) {
    $HostAccessManager = Get-View $lock.ExtensionData.ConfigManager.HostAccessManager
    if (get-view $lock.extensiondata.configmanager.HostAccessManager | where lockdownmode -ne lockdownNormal) {
        (get-vmhost $lock | get-view).EnterLockdownMode()


Please like and share to spread the knowledge in the community.

Subscribe to my channel:

If you want to chat with me please use Twitter: @AngrySysOps

Join my  VMware Knowledge Base Group:

Visit my FB page:

Read my blog:

Subscribe to my channel:

Please leave the comment