Threat actors used the Cicada3301 ransomware’s Linux encryptor to target companies’ VMware ESXi systems globally. As of now, the ransomware-as-a-service (RaaS) operation lists 23 victims on its extortion portal.
The new RaaS operation takes its name from a mysterious organisation that posted sets of puzzles thrice, under the name “3301,” from 2012 to 2014 to recruit the fastest and smartest code breakers worldwide. It began promoting the operation and recruiting on a ransomware and cybercrime forum known as RAMP via a post on June 29, 2024.
The genuine puzzle project issued a statement condemning the ransomware operator’s actions and denying any association with them. Cicada3301 offers its recruited affiliates a platform for double extortion, including ransomware and a data leak site. The group published its first leak on the data leak website on June 25, 2024. It uses encryptors for both Windows and Linux/ESXi hosts.
A few groups have been noted to use ESXi ransomware written in Rust. Truesec, who published an analysis of the new malware, said, “One of them is the now defunct Black Cat/ALPHV ransomware-as-a-service group. Analysis of the code has also shown several similarities in the code with the ALPHV ransomware”. The cybersecurity researchers pointed out the overlaps between Cicada3301 and ALPHV/BlackCat, suggesting a potential rebrand or fork developed by previous members of ALPHV’s core team.
The similarities shared by Cicada3301 and ALPHV ransomware are as follows:
- They are both written in Rust.
- They use the ChaCha20 encryption algorithm.
- Identical VM shutdown and snapshot-wiping commands have been utilised.
- They share the same user interface command parameters, file naming convention and ransom note decryption method.
- Both employ intermittent encryption on larger files.
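The intermittent-encryption trait in the last bullet matters for triage: a file that is only partly overwritten can still be unusable while its whole-file entropy looks unremarkable. The following added example (not Truesec’s analysis code and nothing from the ransomware itself) profiles entropy per fixed-size window over constructed sample data so the alternating pattern stands out; the 4 KiB window and 7.5-bit threshold are assumptions chosen for illustration.

```python
# Added example (not Truesec's or the ransomware's code): per-window entropy
# profile that distinguishes intermittently encrypted files from clean or fully
# encrypted ones. Sample data is constructed; window size and threshold are assumptions.
import math
import os

CHUNK = 4096  # analysis window in bytes (assumption)
HIGH = 7.5    # bits/byte at or above which a window looks like ciphertext (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_profile(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive window of the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK, high: float = HIGH) -> str:
    """'clean' if no window looks encrypted, 'encrypted' if all do,
    'intermittent' for the mix an intermittently encrypting ransomware leaves."""
    profile = entropy_profile(data, chunk)
    hot = sum(1 for e in profile if e >= high)
    if hot == 0:
        return "clean"
    if hot == len(profile):
        return "encrypted"
    return "intermittent"


def build_samples() -> dict:
    """Constructed inputs: log-like plaintext, random bytes standing in for
    ciphertext, and a 12-window file in which every third window was overwritten."""
    line = b"2024-06-29T10:00:00Z host-01 vmkernel: datastore1 heartbeat ok\n"
    plain = (line * (CHUNK * 12 // len(line) + 1))[:CHUNK * 12]
    blocks = [plain[i:i + CHUNK] for i in range(0, len(plain), CHUNK)]
    mixed = b"".join(os.urandom(CHUNK) if i % 3 == 0 else b for i, b in enumerate(blocks))
    return {"plain": plain, "random": os.urandom(CHUNK * 12), "mixed": mixed}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name:7s} whole-file={shannon_entropy(data):.2f} verdict={classify(data)}")
```

On the mixed sample the whole-file entropy stays below the threshold while the per-window profile flags every third window, which is why triage of a suspect datastore should look at the profile rather than a single file-level score.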
The researchers analyzed the VMware ESXi Linux encryptor of the RaaS operation. Similar to other ransomware families, such as RansomHub, the encryptor requires a special key, supplied as a command-line argument, before it will launch. The operation’s tactics and its success so far suggest that an experienced attacker is behind it.
Truesec also found indications that Cicada3301 partners with or uses the Brutus botnet to gain initial access to corporate networks. Brutus was previously linked to worldwide VPN brute-forcing campaigns against Cisco, Fortinet, SonicWall, and Palo Alto appliances.