Ransomware attack hits Windows and Linux servers of a Chilean government agency

A new ransomware operation that started in August has hit Chile’s national Computer Security Incident Response Team (CSIRT), affecting the agency’s Microsoft and VMware ESXi servers. According to the CSIRT, the malware used in the attack also had functions for stealing credentials from web browsers, listing removable devices for encryption, and evading antivirus detection via execution timeouts.


Chile’s national Computer Security Incident Response Team (CSIRT) has confirmed that a ransomware attack has affected the government agency’s operations and online services in the country.

The attack began on Thursday, 25 August, and targeted the agency’s Microsoft and VMware ESXi servers. The hackers offered the Chilean CSIRT a communication channel through which it could negotiate a ransom payment in exchange for the stolen files not being leaked. According to the CSIRT, the malware used in this attack also had functions for stealing credentials from web browsers, listing removable devices for encryption, and evading antivirus detection via execution timeouts.

In its announcement, Chile’s CSIRT does not name the ransomware group responsible for the attack, nor does it offer enough information to identify the malware. The extension appended to the encrypted files provides no clue, since it has been used by multiple threat actors. The very limited information the CSIRT provides on the malware’s behaviour points to the ‘RedAlert’ ransomware (aka ‘N13V’). Nevertheless, the indicators of compromise (IoCs) in the announcement could be associated with Conti.

According to Chilean threat analyst Germán Fernández, who spoke with BleepingComputer, the strain appears to be entirely new, and the researchers he consulted were unable to associate the malware with any known family. Based on what BleepingComputer has learned so far about this ransomware, it is a new operation that began in early August.