Overview
A new type of ransomware, known as double-extortion ransomware, is now targeting VMware ESXi servers, as reported by security researchers. The group responsible for this ransomware, called Cicada3301, has been actively promoting its ransomware-as-a-service operation since June.
How the ransomware operates
Attackers gain access to a corporate network by either brute-forcing or stealing valid credentials. Once inside, they use the ScreenConnect tool to remotely log in and execute the ransomware.
The ransomware begins by shutting down virtual machines (VMs) and deleting any existing snapshots using ESXi’s “esxcli” and “vim-cmd” commands. It then encrypts files using the ChaCha20 cipher and a symmetric key generated by the random number generator “Osrng.” Files smaller than 100 MB are encrypted in full, while larger files undergo intermittent encryption. The ransomware specifically targets file extensions associated with documents and images, such as docx, xslx, and pptx.
Encrypted files receive random seven-character extensions, which correspond to recovery notes stored in the same folder. This technique is also utilized by the RaaS group BlackCat/ALPHV.
The Cicada3301 ransomware provides operators with the ability to customize parameters to evade detection. For instance, the “sleep” parameter can delay encryption, while the “ui” parameter offers real-time information on the encryption progress.
After completing encryption, the ChaCha20 symmetric key is further encrypted with an RSA key. This encrypted key is crucial for decrypting recovery instructions, which are only provided to victims upon payment.
In addition to encryption, attackers may threaten to leak victim data on the Cicada3301 leak site to apply further pressure for ransom payment.
Cyber attackers impersonating a legitimate organization
The ransomware group Cicada3301 is masquerading as a genuine organization with the same name, known for conducting cryptography games. Despite using the organization’s logo and branding, there is no actual connection between the two entities.
Researchers have identified similarities between Cicada3301 and ALPHV/BlackCat, suggesting a potential connection. It is speculated that Cicada3301 could be a rebrand or spin-off of ALPHV/BlackCat, or possibly a new group that acquired the source code from the former.
Moreover, the involvement of the Brutus botnet, previously associated with ALPHV/BlackCat, further links Cicada3301 to these cybercriminal activities.
VMware ESXi as a prime target for ransomware
Cicada3310 ransomware is designed to target both Windows and Linux/VMware ESXi hosts. VMware ESXi serves as a bare-metal hypervisor, facilitating the creation and management of virtual machines directly on server hardware, including critical servers.
Recent cyberattacks have increasingly focused on the ESXi environment, prompting VMware to release patches to address emerging vulnerabilities. Compromising the hypervisor can have severe consequences, as attackers can disable multiple virtual machines simultaneously and eliminate recovery options like snapshots or backups, significantly impacting business operations.
These attacks underscore cybercriminals’ interest in causing substantial harm to corporate networks for financial gain.
No Comment! Be the first one.