VMware ESXi servers targeted by new ransomware variant


Security researchers have discovered a new double-extortion ransomware variant targeting VMware ESXi servers. The group responsible, called Cicada3301, has been promoting its ransomware-as-a-service operation since June.

Once an attacker gains initial access to a corporate network, they can copy and encrypt private data using the Cicada3301 ransomware. They can then withhold the decryption key and threaten to expose the data on Cicada3301’s dedicated leak site to force the victim to pay a ransom.

According to Morphisec, the Cicada3301 leak site has recorded at least 20 victims, mostly in North America and England. The companies were of all sizes and belonged to a variety of sectors, including manufacturing, healthcare, retail and hospitality.

Swedish security firm Truesec first became aware of the group when it posted a message on the RAMP cybercrime forum on June 29 in an attempt to recruit new members. However, BleepingComputer claims it had already become aware of Cicada attacks on June 6.

How ransomware works

Attackers gain initial access by brute-forcing or stealing valid credentials, then log in remotely via ScreenConnect and execute the ransomware.

First, the ESXi “esxcli” and “vim-cmd” commands are executed to shut down the running virtual machines and delete their snapshots, removing the simplest recovery path before encryption starts. The ransomware then encrypts the files with ChaCha20, using a symmetric key generated with the “Osrng” random number generator.

All files smaller than 100 MB are encrypted in full, while larger files are subject to intermittent encryption. The encryption routine targets certain file extensions associated with documents and images, such as docx, xlsx, and pptx. Truesec researchers say this indicates the ransomware was originally built to encrypt Windows systems before being ported to ESXi hosts.

A random seven-character extension is appended to the name of each encrypted file, and the same extension identifies the corresponding recovery note, which is dropped in the same folder. The leading RaaS group BlackCat/ALPHV uses the same technique.

The Cicada3301 ransomware allows the operator to run a number of custom parameters that could help it evade detection. For example, “sleep” delays encryption by a defined number of seconds, and “ui” provides real-time data about the encryption process, such as the number of encrypted files.

Once encryption is complete, the ChaCha20 symmetric key is encrypted with an RSA key. This is needed to decrypt the recovery instructions and can be handed over by threat actors after payment is made.
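The two observable stages described above, the esxcli/vim-cmd shutdown and snapshot deletion followed by files renamed with a seven-character extension and a per-folder recovery note, are what a defender can hunt for on an ESXi host. The following detection script is an added example written for this article; it is not code from Truesec, Morphisec or the article itself. The ESXi shell.log line format and the esxcli/vim-cmd command names are real, but the timestamps, process ids, VM world ids, datastore paths and the recovery-note filename are constructed for illustration (the article does not give the note's exact name, so matching a sibling file that contains the extension is an assumption).

```python
"""Hunt for the ESXi pre-encryption steps and the encrypted-file naming
pattern in a shell audit log and a datastore listing.

Added example: not from the article, Truesec or Morphisec.  The log
excerpt and file listing below are constructed; command names follow
real ESXi syntax, all other values are invented.
"""
import re
from collections import Counter

# Constructed excerpt in the style of ESXi /var/log/shell.log (values invented).
SHELL_LOG = """\
2024-06-06T10:01:12Z shell[2099887]: [root]: vim-cmd vmsvc/getallvms
2024-06-06T10:01:20Z shell[2099887]: [root]: esxcli vm process list
2024-06-06T10:01:31Z shell[2099887]: [root]: esxcli vm process kill --type=force --world-id=2100345
2024-06-06T10:01:33Z shell[2099887]: [root]: esxcli vm process kill --type=force --world-id=2100412
2024-06-06T10:01:40Z shell[2099887]: [root]: vim-cmd vmsvc/snapshot.removeall 3
2024-06-06T10:01:41Z shell[2099887]: [root]: vim-cmd vmsvc/snapshot.removeall 4
2024-06-06T10:02:02Z shell[2099887]: [root]: esxcli system version get
"""

# The two pre-encryption actions the article describes.  Administrators run
# these legitimately, so the signal is the combination in a short burst,
# not a single occurrence.
SUSPICIOUS_CMDS = {
    "vm_kill": re.compile(r"esxcli\s+vm\s+process\s+kill\b"),
    "snapshot_delete": re.compile(r"vim-cmd\s+vmsvc/snapshot\.remove(all)?\b"),
}

# shell.log layout: <timestamp> shell[<pid>]: [<user>]: <command line>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)


def classify_shell_log(text):
    """Count suspicious command categories in shell.log text."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for name, pattern in SUSPICIOUS_CMDS.items():
            if pattern.search(m.group("cmd")):
                hits[name] += 1
    return hits


def is_mass_vm_disruption(hits, min_kills=2, min_snapshot_deletes=1):
    """True when several forced VM kills coincide with snapshot deletion."""
    return hits["vm_kill"] >= min_kills and hits["snapshot_delete"] >= min_snapshot_deletes


# Constructed datastore listing: the web01 folder has been encrypted, db01 has not.
LISTING = [
    "/vmfs/volumes/ds1/web01/web01.vmdk.k3x9qpa",
    "/vmfs/volumes/ds1/web01/web01.vmx.k3x9qpa",
    "/vmfs/volumes/ds1/web01/RECOVER-k3x9qpa-README.txt",  # assumed note name
    "/vmfs/volumes/ds1/db01/db01.vmdk",
    "/vmfs/volumes/ds1/db01/db01.vmx",
]

# Seven alphanumeric characters after the final dot, as the article describes.
RANDOM_EXT = re.compile(r"\.([A-Za-z0-9]{7})$")


def find_encrypted_groups(paths, min_files=2):
    """Group files by (folder, 7-char extension) and keep groups that also have
    a sibling file naming that extension, i.e. the per-folder recovery note.
    Requiring the note cuts false positives from legitimate 7-letter extensions."""
    by_dir = {}
    for p in paths:
        folder, _, name = p.rpartition("/")
        by_dir.setdefault(folder, []).append(name)
    findings = []
    for folder, names in by_dir.items():
        exts = Counter(m.group(1) for n in names if (m := RANDOM_EXT.search(n)))
        for ext, count in exts.items():
            if count < min_files:
                continue
            notes = [n for n in names if ext in n and not n.endswith("." + ext)]
            if notes:
                findings.append({"dir": folder, "ext": ext, "files": count, "note": notes[0]})
    return findings


if __name__ == "__main__":
    hits = classify_shell_log(SHELL_LOG)
    print("command hits:", dict(hits), "-> mass disruption:", is_mass_vm_disruption(hits))
    for f in find_encrypted_groups(LISTING):
        print(f"encrypted folder {f['dir']}: {f['files']} files .{f['ext']}, note {f['note']}")
```

Run against a real host, the shell.log check should be scoped to a time window (a few minutes of kills plus snapshot removal is the behaviour to alert on), and the listing check can be fed from a recursive walk of /vmfs/volumes on a suspected host or from backup-catalogue metadata.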

The attacker can also exfiltrate the victim's data and threaten to publish it on the Cicada3301 leak site to gain more leverage.


Cyber attackers posing as real organizations

The ransomware group is posing as a legitimate organization called “Cicada 3301,” which is responsible for a popular crypto gaming series. There is no connection between the two, even though the threat actors have stolen their logo and branding.


The Cicada 3301 puzzle project has released a statement distancing itself from the RaaS group, saying: “We do not know the identity of the criminals behind these heinous crimes and are not associated with these groups in any way.”

There are several similarities between Cicada3301 and ALPHV/BlackCat that led researchers to believe they are connected. ALPHV/BlackCat's servers went down in March, so it is plausible that the new group represents a rebranding or a split initiated by some of its core members.

Cicada3301 could also have been formed by a different group of attackers who simply purchased the ALPHV/BlackCat source code after that operation shut down.

In addition to ALPHV/BlackCat, the Cicada3301 ransomware has been connected to a botnet called “Brutus.” The IP address of a device used to log into a victim’s network via ScreenConnect is linked to “a broad password guessing campaign for various VPN solutions” by Brutus, Truesec claims.

Cicada3301 could be a new brand or a spin-off of ALPHV/BlackCat

ALPHV/BlackCat ceased operations after a carelessly executed cyberattack against Change Healthcare in February. The group failed to pay an affiliate their share of the $22 million ransom, so the affiliate exposed them, leading ALPHV to fake a police raid and shut down its servers.


Cicada3301 could represent a new brand of ALPHV/BlackCat or a spin-off group. There are also several similarities between their ransomware, for example:

  • Both are written in Rust.
  • Both use the ChaCha20 algorithm for encryption.
  • Both use identical VM shutdown and snapshot deletion commands.
  • Both use the same UI command parameters, the same file naming convention, and the same ransom note decryption method.
  • Both use intermittent encryption on larger files.

Furthermore, the brute-force activity of the Brutus botnet, which has now been linked to Cicada3301, was first detected just two weeks after ALPHV/BlackCat shut down its servers in March.

VMware ESXi is becoming a popular ransomware target

Truesec claimed that the Cicada3301 ransomware is used on both Windows and Linux/VMware ESXi hosts. VMware ESXi is a bare-metal (type 1) hypervisor that runs directly on server hardware and is used to create and manage virtual machines, which often include critical servers.

The ESXi environment has become the target of many cyberattacks lately, and VMware has been frantically providing patches as new vulnerabilities emerge. Compromising the hypervisor can allow attackers to disable multiple virtual machines simultaneously and remove recovery options such as snapshots or backups, ensuring a significant impact on a company’s operations.

This approach highlights cyber attackers' interest in the enormous profit they can make by inflicting maximum damage on corporate networks.
