Ransomware group Cicada3301: Specialized in ESXi servers

IT researchers have discovered a new ransomware-as-a-service group called Cicada3301. It specializes in ESXi servers.

[Image: Darknet page of Cicada3301. Cicada3301 is a new ransomware-as-a-service group. (Image: Screenshot / dmk)]

This article was originally published in German and has been automatically translated.

IT security researchers discovered a new cybergang while investigating an IT incident. Cicada3301 operates as a ransomware-as-a-service group and currently appears to specialize in Windows and Linux ESXi servers.

In their analysis, Truesec's researchers write that the group first appeared in June 2024. The criminal group operates a ransomware and a data leak site and offers both to affiliates; it has been advertising for affiliates with an invitation in their forum since June 29.

The cybergang's ransomware is written in Rust and targets Linux and Windows ESXi hosts. Because only a few ransomware gangs have previously had this specialization, Truesec assumes connections to the now defunct cybergang AlphV/Blackcat. There are also similarities in the code to the AlphV ransomware: both are written in Rust, both use ChaCha20 for encryption, the commands for shutting down VMs and removing snapshots are almost identical, and both use a -ui parameter to output a graphic during encryption. There are further similarities as well.

In the specific incident investigated, the intruders used valid ScreenConnect login credentials for the initial break-in. The criminals' IP address was traced back to a botnet called "Brutus". Brutus is linked to a larger credential stuffing campaign targeting various VPN programs, including ScreenConnect.

Because the IP address had only been spotted a few hours earlier, the researchers assume that the access data was not sold on in that short period but that there are closer ties. Another observation could also point to links with AlphV: Brutus botnet activity kicked off around two weeks after AlphV disappeared from the scene with a final scam.
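Credential stuffing of the kind the article attributes to the Brutus botnet leaves a recognizable trace in authentication logs: one source address failing against many different usernames in a short time, sometimes followed by a success. The Python below is an added example and not code from the article or from Truesec; it runs a simple sliding-window heuristic over constructed log lines in a generic format (no real ScreenConnect log format is assumed) and reports sources that fit that pattern together with any account they then logged into successfully.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a generic "timestamp event src user" format.
# They are not from the article, from Truesec, or from any real installation.
SAMPLE_LOG = """\
2024-06-20T02:00:01Z LOGIN_FAILED src=198.51.100.7 user=alice
2024-06-20T02:00:03Z LOGIN_FAILED src=198.51.100.7 user=bob
2024-06-20T02:00:04Z LOGIN_FAILED src=198.51.100.7 user=carol
2024-06-20T02:00:06Z LOGIN_FAILED src=198.51.100.7 user=dave
2024-06-20T02:00:09Z LOGIN_FAILED src=198.51.100.7 user=erin
2024-06-20T02:00:12Z LOGIN_OK     src=198.51.100.7 user=frank
2024-06-20T02:05:00Z LOGIN_FAILED src=203.0.113.5 user=alice
2024-06-20T02:05:30Z LOGIN_FAILED src=203.0.113.5 user=alice
2024-06-20T02:06:00Z LOGIN_OK     src=203.0.113.5 user=alice
2024-06-20T09:00:00Z LOGIN_OK     src=192.0.2.44 user=grace
"""

# Assumed line layout for the constructed sample; adapt to your own log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>LOGIN_FAILED|LOGIN_OK)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)$"
)


def parse_log(text):
    """Parse log text into (timestamp, event, src, user) tuples sorted by time.

    Malformed lines are skipped rather than aborting the whole run.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["event"], m["src"], m["user"]))
    events.sort()
    return events


def detect_credential_stuffing(text, window=timedelta(minutes=10),
                               min_failures=5, min_users=4):
    """Flag sources whose failed logins spread over many distinct usernames.

    A single user mistyping a password produces repeated failures for one
    account; credential stuffing produces failures across many accounts from
    one source. Thresholds are assumptions and should be tuned per environment.
    Returns {src: {"failures": n, "distinct_users": n, "successes": [users]}}.
    """
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev[2]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e[1] == "LOGIN_FAILED"]
        # Sliding window over the (time-sorted) failures: keep the densest window.
        best_count, best_users = 0, set()
        start = 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            span = failures[start:end + 1]
            users = {e[3] for e in span}
            if (len(span), len(users)) > (best_count, len(best_users)):
                best_count, best_users = len(span), users
        if best_count >= min_failures and len(best_users) >= min_users:
            # A success from a flagged source means a valid credential was found.
            successes = [e[3] for e in evs if e[1] == "LOGIN_OK"]
            findings[src] = {
                "failures": best_count,
                "distinct_users": len(best_users),
                "successes": successes,
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failures across "
              f"{info['distinct_users']} users; successes: {info['successes']}")
```

In the constructed sample only 198.51.100.7 is flagged: five failures against five different accounts within seconds, followed by a successful login as another user. 203.0.113.5 fails twice on the same account and then succeeds, which is ordinary user behaviour and stays below the distinct-user threshold. The success after a burst is the event worth alerting on, since it indicates the attacker has confirmed a working credential, which matches the article's point that the intruders entered with valid login data.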

IT forensics experts suspect that parts of the AlphV/Blackcat gang regrouped as Cicada3301 and allied themselves with the Brutus botnet, or even launched it themselves. Acting as their own initial access broker (IAB) would also give them a more complete package to offer potential affiliates.

How the criminal organization obtained the AlphV code is also a matter of speculation. Either Cicada3301 teamed up with the programmer of the AlphV malware, who has worked for various ransomware groups in the past, the IT forensics experts say, or they acquired the ransomware by other means: when AlphV announced the end of the gang, it offered the source code for 5 million US dollars.

It is also worth noting that the Cicada3301 ransomware is not as advanced as AlphV's. Technical details about the ransomware and a YARA rule for detecting it can be found in the analysis.

The group's name is taken from a mysterious online scavenger hunt that ran from 2012 onwards. The puzzle competitions attracted considerable interest and resulted in the rather mediocre feature film "Dark Web: Cicada 3301" in 2021.

(dmk)