The developers of two newly emerging ransomware families, RedAlert and Monster, are using unusual techniques to spread their attacks as widely as possible by targeting several operating systems (OS) at the same time, according to research shared by Kaspersky.
Cross-platform ransomware is nothing new as such. In fact, Kaspersky said it has observed its “prolific use” this year.
The goal of this kind of ransomware is to damage as many systems as possible by adapting its code to several operating systems at once.
However, while other cross-platform ransomware, such as Luna or BlackCat, is written in cross-platform languages like Rust or Go, RedAlert and Monster are not written in a cross-platform language yet retain the ability to target multiple operating systems simultaneously.
“We have become quite used to ransomware groups deploying malware written in a cross-platform language,” said Jornt van der Wiel, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT). “These days, however, cybercriminals have learned to tweak their malicious code written in simple programming languages for joint attacks, prompting security specialists to come up with ways to detect and prevent ransomware attempts.”
RedAlert, which is also known as N13V, is written in plain C, at least in the Linux-targeted version that Kaspersky analyzed, and explicitly targets Windows and Linux-based VMware ESXi servers. It includes command line options that let its operators enumerate and shut down any running virtual machines (VMs) before encrypting the files associated with ESXi VMs.
Its leak site on the dark web offers a decryptor for download that the group says is available for all platforms, though Kaspersky has not been able to verify whether the decryptor is written in a cross-platform language. Otherwise, RedAlert uses fairly standard double-extortion tactics.
Another noteworthy but unrelated point is that RedAlert only accepts ransom payments in the Monero cryptocurrency, which is not supported by all exchanges or in all jurisdictions, making payment harder for the victim.
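The "stop the VMs, then encrypt" sequence described above is a behaviour a defender can look for on the ESXi host itself. The following is an added detection example, not code from Kaspersky or from the RedAlert authors. It assumes the attacker stops VMs with the standard `esxcli vm process kill` command and that shell activity is logged in the syslog-style form of ESXi's /var/log/shell.log (timestamp, `shell[pid]`, user, command); the log lines are constructed for the example, and the `/vmfs/volumes` follow-up check is a heuristic, not something the article states about RedAlert.

```python
"""Flag an ESXi shell session that force-kills several VMs in a short window
and then touches the datastore, the precursor the article attributes to
RedAlert/N13V before it encrypts ESXi VM files.

Added example, not Kaspersky's or RedAlert's code. Assumptions: ESXi shell
commands are logged as in /var/log/shell.log ("<ts> shell[<pid>]: [<user>]:
<cmd>") and VMs are stopped with `esxcli vm process kill`.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple

# Constructed sample of shell.log lines (not captured data).
SAMPLE_LOG = """\
2022-09-14T02:11:03Z shell[2100]: [root]: esxcli vm process list
2022-09-14T02:11:05Z shell[2100]: [root]: esxcli vm process kill --type=force --world-id=2101
2022-09-14T02:11:06Z shell[2100]: [root]: esxcli vm process kill --type=force --world-id=2133
2022-09-14T02:11:06Z shell[2100]: [root]: esxcli vm process kill --type=force --world-id=2170
2022-09-14T02:11:07Z shell[2100]: [root]: esxcli vm process kill --type=force --world-id=2201
2022-09-14T02:11:09Z shell[2100]: [root]: ./encrypt /vmfs/volumes
2022-09-14T09:30:12Z shell[3055]: [admin]: esxcli vm process list
2022-09-14T09:31:40Z shell[3055]: [admin]: esxcli vm process kill --type=soft --world-id=2250
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)
KILL_RE = re.compile(r"\besxcli vm process kill\b")
VMFS_RE = re.compile(r"/vmfs/volumes")  # datastore path; heuristic follow-up check


class Event(NamedTuple):
    ts: datetime
    pid: str
    user: str
    cmd: str


class Alert(NamedTuple):
    pid: str
    user: str
    first_kill: datetime
    kill_count: int
    touched_datastore: bool


def parse(log_text: str) -> List[Event]:
    """Parse shell.log-style lines; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["pid"], m["user"], m["cmd"]))
    return events


def find_kill_bursts(events: List[Event], min_kills: int = 3,
                     window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """One alert per shell session (pid) that force-kills >= min_kills VMs
    within `window`; touched_datastore is True when the same session then
    runs a command referencing /vmfs/volumes within `window` of the last kill."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev.pid].append(ev)
    alerts = []
    for pid, evs in by_session.items():
        evs.sort()
        kills = [e for e in evs
                 if KILL_RE.search(e.cmd) and "--type=force" in e.cmd]
        for i in range(len(kills)):
            j = i
            while j + 1 < len(kills) and kills[j + 1].ts - kills[i].ts <= window:
                j += 1
            count = j - i + 1
            if count >= min_kills:
                last_kill = kills[j].ts
                touched = any(VMFS_RE.search(e.cmd)
                              and last_kill <= e.ts <= last_kill + window
                              for e in evs)
                alerts.append(Alert(pid, kills[i].user, kills[i].ts, count, touched))
                break  # one alert per session is enough
    return alerts


if __name__ == "__main__":
    for a in find_kill_bursts(parse(SAMPLE_LOG)):
        print(f"session {a.pid} ({a.user}) force-killed {a.kill_count} VMs "
              f"from {a.first_kill:%H:%M:%S}; datastore touched: {a.touched_datastore}")
```

On the sample above only the root session at 02:11 is flagged: four forced kills within two seconds followed by a command against /vmfs/volumes. The single `--type=soft` kill by the admin session later that morning is ignored, which is the point of thresholding on count and window rather than on any VM stop; tune `min_kills` to the size of the host.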
“Since the group is relatively young, we weren’t able to find out much about victimology, but RedAlert stands out as an interesting example of a group that managed to tweak their C code to different platforms,” the researchers said.
Monster ransomware, first detected in July 2022 by Kaspersky’s Darknet monitoring system, is written in Delphi, a general-purpose language, and spreads across different systems. This group stands out because its ransomware includes a graphical user interface (GUI), a component no other known ransomware team has implemented before.
Kaspersky said it found this feature puzzling. “This last property is especially peculiar, as we don’t remember seeing it before,” the researchers said. “There are good reasons for this, because why would one go out of their way to implement this when most ransomware attacks are executed via the command line in an automated fashion during a targeted attack?
“The ransomware authors must have realized this as well, as they included the GUI as an optional command line parameter.”
More detail on both ransomware families, including several screenshots and additional intelligence on the vulnerabilities used in their attacks, is available in Kaspersky’s report.