Skip to content
Ransomware group

RedAlert

RedAlert is Linux ransomware that targets VMware ESXi servers.

Profile source: Ransomware.live opens in a new tab

RedAlert

Family profile

RedAlert is Linux ransomware that targets VMware ESXi servers. Reporting notes code overlap with PolyVice and adoption by Vice Society. This profile excludes the unrelated Android malware distributed as a fake emergency-alert application.

Ransomware.live

Operational record

View group record ↗

Reporting

Research mentioning RedAlert

Mar 27
The Hacker News

Bearlyfy Hits 70+ Russian Firms with Custom GenieLocker Ransomware

Vice Society ... has a history of delivering third-party lockers such as Hello Kitty, Zeppelin, RedAlert, and Rhysida ransomware in their attacks.

Mar 3
Cyble

Middle East Conflict: Iran-US-Israel Cyber-Kinetic Crisis

"One of the most technically significant artifacts of March 1 was a malicious RedAlert APK ... Designed to mimic Israel’s official missile alert app ... Once installed, it collected sensitive device and user information — contacts, SMS logs, IMEI numbers, and email credentials — with encrypted exfiltration mechanisms and anti-analysis protections"

Mar 3
Cyble

Middle East Conflict: Iran-US-Israel Cyber-Kinetic Crisis

One of the most technically significant artifacts of March 1 was a malicious RedAlert APK observed by Unit 42 analysts. Designed to mimic Israel’s official missile alert app, this payload was distributed via Hebrew-language SMS links. Once installed, it collected sensitive device and user information — contacts, SMS logs, IMEI numbers, and email credentials — with encrypted exfiltration mechanisms and anti-analysis protections.

May 11
Bleeping Computer

Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers

Some of the ones found in the wild are Royal Ransomware, Nevada Ransomware, GwisinLocker ransomware, Luna ransomware, RedAlert Ransomware, as well as Black Basta, LockBit, BlackMatter, AvosLocker, HelloKitty, REvil, RansomEXX, and Hive.

Jan 10
Sentinelone Labs

Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development | SentinelOne

We identified significant overlap in the encryption implementation observed in the “RedAlert” ransomware, a Linux locker variant targeting VMware ESXi servers, suggesting that both variants were developed by the same group of individuals.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.