RedAlert and Monster: Multiplatform ransomware gains steam

In line with the trend for the cross-platform ransomware, Kaspersky has discovered new ransomware gangs that learned to adapt their malware to different operating systems at the same time – and therefore cause damage to more organizations. The recent investigation by Kaspersky experts uncovered the activity of RedAlert and Monster – groups that managed to perform attacks on different operating systems without resorting to multiplatform languages. Additionally, the experts described 1-day exploits that may be executed by ransomware groups in order to achieve their financial ambitions.

During 2022, Kaspersky security researchers have been witnessing the prolific use of cross-platform amenities by the ransomware groups. These days, they’re aiming at damaging as many systems as possible by adapting their malware code to several OS at the time. Kaspersky has already described such groups that used Rust or Golang multiplatform languages – for example, Luna or BlackCat. However, this time the reported ransomware groups deploy malware that is not written in a cross-platform language, but still can target various OS simultaneously.

One group, RedAlert, employs malware written in plain C – as it was detected in Linux sample. However, the malware developed by RedAlert does explicitly support ESXi environments. Moreover, the RedAlert onion website offers a decryptor for download – unfortunately, there’s no extra data available whether it’s written in cross-platform language or not. Another aspect that sets RedAlert apart from other ransomware groups is that they only accept payments in Monero cryptocurrency – making the money harder to trace. Although such an approach might be reasonable from criminals’ point of view, Monero is not accepted in every country and by every exchange, so victims might face a problem with paying off the ransom.

Another ransomware group detected in July 2022 is Monster that applies Delphi, a general-purpose programming language to write their malware that, however, expands on different systems. What makes this group especially peculiar is that it has a graphical user interface (GUI) – a component that has never been implemented by ransomware groups before. Moreover, cybercriminals executed ransomware attacks through the command line in an automated way during an ongoing targeted attack. According to the sample extracted by Kaspersky experts, the Monster ransomware authors included the GUI as an optional command line parameter.
Monster performed attacks on users in Singapore, Indonesia, and Bolivia.

The report issued by Kaspersky also covers so-called 1-day exploits used to attack on Windows 7-11. The 1-day exploit usually refers to an exploit of already patched vulnarability, and always raise a question of patching policy within the affected organization. The given example is about the CVE-2022-24521 vulnerability that allows an attacker to gain system privileges on the infected device. It took attackers two weeks after the vulnerability was disclosed in April 2022, to develop the two exploits. Particularly interesting about these exploits is that they support a variety of Windows versions. This usually indicates that the attackers are aiming at commercial organizations. Also, both exploits share many debug messages. One detected case includes attacks on a retail chain in APAC region – however, there’s no extra data on what the cybercriminals were trying to achieve.

“We’ve got quite used to the ransomware groups deploying malware written in cross-platform language. However, these days cybercriminals learned to adjust their malicious code written in plain programming languages for joint attacks –making security specialists elaborate on ways to detect and prevent the ransomware attempts. Also, we draw attention to the importance of constant reviewing and updating patch policies that are applied by companies,” comments Jornt van der Wiel, a senior security researcher at Kaspersky’s Global Research and Analysis Team.