Cyber Threat Actor: RedAlert
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
1 incident |
|---|
Profile
The RedAlert ransomware group, also operating under the aliases N13V and RedAlert, has conducted disruptive cyber operations targeting government entities in Latin America. This threat actor employs double extortion tactics, encrypting victim files while threatening to leak stolen data unless ransom demands are met. Their activities have impacted critical public services, as demonstrated in an August 2022 attack against Chile's National Consumer Service (Sernac), where they encrypted files on Windows and VMware ESXi servers, appending the .crypt extension to compromised data. The group maintains a Tor-based leak site to pressure victims, though they did not explicitly list Sernac there following the attack.
RedAlert's operations focus on government sector targets, with Chile representing their most prominently documented campaign. The Sernac incident disrupted consumer protection services and forced operational shutdowns while authorities investigated. Technical evidence from this attack reveals their preference for targeting virtualized environments through ESXi server compromises. While their financial motivations are evident through ransom demands, the group's operational security practices include withholding victim listings on their leak site despite confirmed breaches. Chilean cybersecurity officials publicly shared indicators of compromise from the Sernac intrusion, providing visibility into RedAlert's attack patterns without disclosing initial access vectors. The group's ransomware represents a continuing threat to governmental digital infrastructure in the region through data encryption and systemic disruption.
