RedAlert
RedAlert is Linux ransomware that targets VMware ESXi servers.
Profile source: Ransomware.live opens in a new tabRedAlert
Family profile
RedAlert is Linux ransomware that targets VMware ESXi servers. Reporting notes code overlap with PolyVice and adoption by Vice Society. This profile excludes the unrelated Android malware distributed as a fake emergency-alert application.
Ransomware.live
Operational record
Reporting
Research mentioning RedAlert
Bearlyfy Hits 70+ Russian Firms with Custom GenieLocker Ransomware
Vice Society ... has a history of delivering third-party lockers such as Hello Kitty, Zeppelin, RedAlert, and Rhysida ransomware in their attacks.
Middle East Conflict: Iran-US-Israel Cyber-Kinetic Crisis
"One of the most technically significant artifacts of March 1 was a malicious RedAlert APK ... Designed to mimic Israel’s official missile alert app ... Once installed, it collected sensitive device and user information — contacts, SMS logs, IMEI numbers, and email credentials — with encrypted exfiltration mechanisms and anti-analysis protections"
Middle East Conflict: Iran-US-Israel Cyber-Kinetic Crisis
One of the most technically significant artifacts of March 1 was a malicious RedAlert APK observed by Unit 42 analysts. Designed to mimic Israel’s official missile alert app, this payload was distributed via Hebrew-language SMS links. Once installed, it collected sensitive device and user information — contacts, SMS logs, IMEI numbers, and email credentials — with encrypted exfiltration mechanisms and anti-analysis protections.
Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers
Some of the ones found in the wild are Royal Ransomware, Nevada Ransomware, GwisinLocker ransomware, Luna ransomware, RedAlert Ransomware, as well as Black Basta, LockBit, BlackMatter, AvosLocker, HelloKitty, REvil, RansomEXX, and Hive.
Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development | SentinelOne
We identified significant overlap in the encryption implementation observed in the “RedAlert” ransomware, a Linux locker variant targeting VMware ESXi servers, suggesting that both variants were developed by the same group of individuals.