There is a new ransomware group that appears to be specifically targeting VMware ESXi hypervisors.
Cybersecurity researchers at Truesec have recently issued a warning about a threat actor named Cicada3301, who appears to be operating a ransomware encryptor of the same name.
The group appears to have taken its name from the online crypto puzzle game that was popular about a decade ago, but other than that, there doesn't seem to be any connection between the two.
Truesec claims that Cicada3301 has two encryptors, one for Windows devices and one for VMware ESXi. So far, the hackers have compromised 19 victims, according to the listings on their data leak site.
The same source also claims that Cicada3301 likely started operations in the first week of June this year and began recruiting its own affiliates at the end of the same month. The report further states that the decision to target ESXi environments means the group is trying to “maximize damage in enterprise environments”, since companies generally pay better.
Analyzing the encryptor further, researchers found many similarities between Cicada3301 and ALPHV/BlackCat, suggesting that it is either the same entity operating under a new name or a fork created by former affiliates. Those with a longer memory will remember BlackCat, an infamous ransomware-as-a-service (RaaS) that supposedly “took the money and ran” after a successful attack on Change Healthcare.
In late February and early March of this year, healthcare giant Change Healthcare was targeted by an ALPHV affiliate. The company allegedly paid $22 million in cryptocurrency in exchange for the decryptor and its data. However, the money never reached the affiliates that did the work. Instead, the RaaS operators took everything and simply disappeared. They shut down the entire infrastructure, removed everything, and vanished into thin air.
The affiliate that breached Change Healthcare, and was left holding a sizable trove of the company's stolen data, later rebranded as RansomHub and has since carried out several successful breaches.