Security researchers have identified a new double extortion ransomware group called Cicada3301 [2], written in Rust and targeting Windows and Linux/ESXi hosts [3].
Description
This ransomware utilizes ChaCha20 encryption and specifically targets VMware ESXi environments to disrupt virtual machines, delete snapshots [2], and encrypt data [2]. Cicada3301 is believed to be connected to the ALPHV/BlackCat variant and may leverage the Brutus botnet for initial access to corporate networks. Truesec researchers have found similarities between Cicada3301 and the now-defunct ALPHV group [3], both using Rust and ChaCha20 encryption [3]. The ransomware supports configurable parameters for flexibility in operations [3], including delaying execution and displaying encryption progress [3]. Cicada3301 generates a symmetric key for encryption and targets specific file extensions [3]. The group employs double-extortion tactics to pressure victims into paying a ransom. The original creators of the Cicada3301 game have distanced themselves from this new Ransomware-as-a-Service (RaaS) group [2]. Additionally, Cicada3301 has been linked to the BlackCat/ALPHV group, which was involved in an exit scam in March 2024 after receiving a $22m ransom from Change Healthcare. Organizations using VMware ESXi environments should be vigilant and implement robust security measures to defend against this serious threat [1].
Conclusion
Organizations must take immediate action to protect their systems from the Cicada3301 ransomware group. Implementing strong security measures [1], regularly updating software, and educating employees on cybersecurity best practices are essential steps to mitigate the risks posed by this sophisticated threat. The implications of falling victim to Cicada3301 can be severe, both financially and operationally. It is crucial for businesses to stay informed about emerging threats and proactively strengthen their defenses to safeguard against potential attacks.
References
[1] https://cybourn.com/the-cybersecurity-express-2-september-2024
[2] https://www.infosecurity-magazine.com/news/cicada3301-ransomware-group-alphv/
[3] https://securityaffairs.com/167897/cyber-crime/a-new-variant-of-cicada-ransomware-targets-vmware-esxi-systems.html