Latest Ransomware Variant from the Cicada3301 Group Targets VMware ESXi Servers

Security researchers have revealed that a new type of double-extortion ransomware is targeting VMware ESXi servers.


Cicada3301, the group behind this ransomware-as-a-service (RaaS) operation, has been actively promoting it since June.

Once inside a corporate network, the attackers use the Cicada3301 ransomware to exfiltrate and then encrypt sensitive data. They withhold the decryption key and threaten to publish the stolen data on Cicada3301’s dedicated leak site unless the victim pays the demanded ransom.

According to information from Morphisec, Cicada3301’s leak site has revealed around 20 victims, primarily located in North America and England. These victims come from diverse industries like manufacturing, healthcare, retail, and hospitality.

Truesec, a Swedish security firm, first noticed the group when it posted recruitment messages on the cybercrime forum RAMP on June 29. According to BleepingComputer, however, Cicada3301 attacks had been identified as early as June 6.

How the ransomware operates

For initial access, the attackers either brute-force or steal valid credentials, then log in remotely through ScreenConnect and deploy the ransomware.

The ransomware first runs the ESXi “esxcli” and “vim-cmd” utilities to shut down running virtual machines and delete any existing snapshots, which releases the locks on the VM disk files and removes any rollback point. It then encrypts files with the ChaCha20 stream cipher, using a symmetric key generated by OsRng, the OS-backed random number generator from Rust’s rand crate.
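The shutdown-then-wipe sequence above is a good hunting signal on its own: an ESXi host rarely sees several forced VM kills followed by snapshot removals from one shell session within minutes. The script below is an added example, not Cicada3301 code and not from Truesec; it parses shell.log-style lines and flags such a session. The sample lines are constructed, and the line format (timestamp, optional log-level field, `shell[pid]: [user]: command`) is an approximation of `/var/log/shell.log`, so adjust `LINE_RE` to the exact format of the ESXi version in use.

```python
"""Hunt ESXi shell history for the VM-shutdown / snapshot-wipe sequence.

Added example: flags a shell session that kills several VMs and removes
snapshots inside a short time window. Not ransomware code.
"""
import re
from datetime import datetime, timedelta

# Constructed sample, approximating the /var/log/shell.log format on ESXi.
SAMPLE_LOG = """\
2024-06-06T02:14:07Z shell[2100345]: [root]: esxcli vm process list
2024-06-06T02:14:09Z shell[2100345]: [root]: esxcli vm process kill --type=force --world-id=2098755
2024-06-06T02:14:10Z shell[2100345]: [root]: esxcli vm process kill --type=force --world-id=2098801
2024-06-06T02:14:12Z shell[2100345]: [root]: vim-cmd vmsvc/getallvms
2024-06-06T02:14:15Z shell[2100345]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2024-06-06T02:14:16Z shell[2100345]: [root]: vim-cmd vmsvc/snapshot.removeall 14
2024-06-07T09:30:00Z In(14) shell[2104411]: [root]: esxcli storage filesystem list
2024-06-07T09:31:00Z In(14) shell[2104411]: [root]: vim-cmd vmsvc/snapshot.removeall 7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?:\S+\s+)?"
    r"shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)
# Commands that stop guests: a forced process kill or a power-off through hostd.
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b|\bvim-cmd\s+vmsvc/power\.off\b")
# Commands that destroy rollback points.
SNAPSHOT_RE = re.compile(r"\bvim-cmd\s+vmsvc/snapshot\.(?:removeall|remove)\b")


def parse_line(line):
    """Return a dict for a recognised shell.log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "pid": int(m["pid"]),
        "user": m["user"],
        "cmd": m["cmd"],
    }


def find_vm_wipe_sessions(lines, window=timedelta(minutes=10), min_kills=2):
    """Group commands by shell session (pid) and flag sessions with at least
    `min_kills` VM shutdowns plus at least one snapshot removal inside `window`."""
    sessions = {}
    for ev in filter(None, map(parse_line, lines)):
        sessions.setdefault(ev["pid"], []).append(ev)

    hits = []
    for pid, events in sessions.items():
        kills = [e for e in events if KILL_RE.search(e["cmd"])]
        snaps = [e for e in events if SNAPSHOT_RE.search(e["cmd"])]
        if len(kills) < min_kills or not snaps:
            continue  # a lone snapshot cleanup by an admin does not alert
        stamps = [e["ts"] for e in kills + snaps]
        if max(stamps) - min(stamps) <= window:
            hits.append({
                "pid": pid,
                "user": events[0]["user"],
                "first": min(stamps),
                "kills": len(kills),
                "snapshot_removals": len(snaps),
            })
    return hits


if __name__ == "__main__":
    for hit in find_vm_wipe_sessions(SAMPLE_LOG.splitlines()):
        print(f"ALERT shell session {hit['pid']} ({hit['user']}) at {hit['first']}: "
              f"{hit['kills']} VM kills, {hit['snapshot_removals']} snapshot removals")
```

Grouping by shell pid keeps an administrator's routine single snapshot cleanup (the second session in the sample) out of the alert, while the first session, two forced kills and two snapshot wipes in under ten seconds, is flagged. Forward shell.log to a SIEM rather than relying on the host copy, since an attacker with root on the hypervisor can clear it.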

Files under 100 MB are encrypted in full, while larger files are only intermittently encrypted. The encryption targets mainly document and image extensions such as docx, xlsx and pptx, which Truesec analysts take as a sign that the ransomware was originally written for Windows and later adapted to ESXi environments.

Encrypted files receive a random seven-character extension that matches the recovery note dropped in the same directory, a convention borrowed from the prominent RaaS group BlackCat/ALPHV.

The operator can pass command-line parameters to tune a run and evade detection. For example, “sleep” delays the start of encryption by a given number of seconds, while “ui” prints live progress such as the number of files encrypted so far.

After encryption, the ChaCha20 symmetric key is itself encrypted with an RSA key, so only the holder of the matching private key, the operator, can recover it. Decrypting that key is what the threat actors offer once the ransom is paid.
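The three encryption details given above (a fresh ChaCha20 key from the OS random number generator, full encryption below 100 MB, intermittent encryption above it) fit together as follows. This is an added model written for this article, not Cicada3301 or ALPHV code. The report does not say which byte ranges the intermittent mode touches, so the pattern here (the first 64 KB of every 1 MB window) is an assumption, and the RSA wrapping of the key is left out. The ChaCha20 block function follows RFC 8439.

```python
"""Model of the encryption routine described in the article (added example, not
ransomware code): ChaCha20 with a key from the OS CSPRNG, full encryption for small
files, intermittent encryption for large ones. RSA key wrapping is omitted."""
import os
import struct
from math import log2

MASK = 0xFFFFFFFF
FULL_ENCRYPT_LIMIT = 100 * 1024 * 1024  # 100 MB threshold reported for the sample
# Assumed intermittent pattern (not from the report): encrypt the first STRIDE_ON
# bytes of every STRIDE-byte window. Both must be multiples of the 64-byte block.
STRIDE = 1024 * 1024
STRIDE_ON = 64 * 1024


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """RFC 8439 block function: 32-byte key, 32-bit counter, 12-byte nonce -> 64 keystream bytes."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key)) + [counter & MASK]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds as 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(state, w)])


def chacha20_xor(key, nonce, data, counter=0):
    """XOR data with the keystream starting at block `counter` (same call encrypts and decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


def encrypted_ranges(size, limit=FULL_ENCRYPT_LIMIT, stride=STRIDE, on=STRIDE_ON):
    """Byte ranges the routine touches: the whole file below `limit`, else one slice per window."""
    if size <= limit:
        return [(0, size)]
    return [(off, min(off + on, size)) for off in range(0, size, stride)]


def encrypt_file_bytes(data, key, nonce, **policy):
    """Apply ChaCha20 to the selected ranges only; bytes outside them stay plaintext.
    The block counter is the byte offset / 64, so each range uses its own keystream position."""
    buf = bytearray(data)
    for start, end in encrypted_ranges(len(data), **policy):
        buf[start:end] = chacha20_xor(key, nonce, bytes(buf[start:end]), counter=start // 64)
    return bytes(buf)


def shannon_entropy(data):
    """Bits per byte; shows why a partially encrypted file can slip past entropy heuristics."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts if c)


def generate_key():
    """Python analogue of Rust's OsRng: key and nonce straight from the OS CSPRNG."""
    return os.urandom(32), os.urandom(12)


if __name__ == "__main__":
    key, nonce = generate_key()
    doc = b"A" * (4 * STRIDE)            # 4 MB stand-in document (constructed)
    policy = dict(limit=2 * STRIDE)      # lower threshold so the demo takes the intermittent path
    ct = encrypt_file_bytes(doc, key, nonce, **policy)
    print("ranges:", encrypted_ranges(len(doc), **policy))
    print("entropy plaintext / intermittent: %.2f / %.2f" % (shannon_entropy(doc), shannon_entropy(ct)))
```

The point of the size threshold is throughput and stealth rather than cryptographic strength: the affected ranges are still unrecoverable without the key, but a large file whose encrypted slices cover only a few percent of its bytes keeps a low overall entropy, so detection based on whole-file entropy or on sustained write volume sees far less than it would with full encryption. Because the cipher is a stream cipher and the key is random per run, the same function decrypts when given the same key, nonce and ranges, which is exactly why the operator needs only to hand back the RSA-unwrapped key.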

Beyond encryption, the attackers also exfiltrate the victim’s data and threaten to leak it on the Cicada3301 site for additional leverage.


Impersonation of genuine organizations by cyber attackers

The ransomware group is masquerading as a legitimate entity named “Cicada 3301,” which is known for running a notable series of cryptography challenges. Despite the similarity in names, there is no actual association between the two, as the threat actors have merely appropriated the logo and branding of the legitimate organization.


The official Cicada 3301 puzzle project has released a statement, distancing themselves from the RaaS group, stating: “We are unaware of the culprits behind these reprehensible actions and have no affiliation with these groups in any way.”

Several similarities between Cicada3301 and ALPHV/BlackCat have led researchers to speculate a potential connection between them. ALPHV/BlackCat’s servers were shut down in March, making it plausible for the new group to be a rebrand or a spin-off formed by some of its core members.

Alternatively, Cicada3301 could be a distinct group of attackers who purchased the source code of ALPHV/BlackCat after its cessation of operations.

Besides ALPHV/BlackCat, the Cicada3301 ransomware has also been linked to a botnet named “Brutus.” Truesec found that the IP address of the device used to reach a victim’s network over ScreenConnect is associated with “a widespread campaign of engaging different VPN solutions” by Brutus.

Potential rebrand or offshoot of ALPHV/BlackCat

ALPHV/BlackCat ceased operations after its February attack on Change Healthcare ended in an exit scam: the group kept the $22 million ransom rather than paying its affiliate the agreed share, the affiliate exposed them, and ALPHV staged a fake law enforcement seizure notice and shut down its servers.


It is possible that Cicada3301 is a rebrand or offshoot of ALPHV/BlackCat. The two operations share notable traits: both are written in Rust, use the ChaCha20 cipher, run the same VM shutdown and snapshot-deletion commands, accept identical user-interface parameters, follow the same file-naming convention and ransom-note decryption process, and apply intermittent encryption to larger files.

Furthermore, just two weeks after ALPHV/BlackCat shut down its servers in March, the first brute-forcing activity from the Brutus botnet, now associated with Cicada3301, was observed.

Increasing trend in targeting VMware ESXi with Ransomware

Truesec notes that the Cicada3301 ransomware is used against both Windows and Linux/VMware ESXi systems. VMware ESXi is a bare-metal hypervisor that creates and manages virtual machines directly on server hardware, and those VMs often include an organization’s most critical servers.

Recently, the ESXi platform has witnessed a surge in numerous cyberattacks, leading VMware to swiftly release patches as new vulnerabilities surface. Compromising the hypervisor can allow attackers to simultaneously disable multiple virtual machines and eliminate recovery options like snapshots or backups, severely impacting a business’s operations.

This growing focus on VMware ESXi underscores cyber attackers’ attraction towards the potential lucrative returns from inflicting substantial damage on corporate networks.
