VMware ESXi Servers Targeted by New Ransomware Variant

A new double-extortion ransomware variant targets VMware ESXi servers, security researchers have found. The group behind it, named Cicada3301, has been promoting its ransomware-as-a-service operation since June.

Once an attacker has initial access to a corporate network, they can copy and encrypt its private data using the Cicada3301 ransomware. They can then withhold the decryption key and threaten to expose the data on Cicada3310’s dedicated leak site to force the victim into paying a ransom.

Cicada3301’s leak site has listed at least 20 victims, predominantly in North America and England, according to Morphisec. Businesses were of all sizes and came from a number of industries, including manufacturing, healthcare, retail, and hospitality.

Sweden-based security company Truesec first became aware of the group when it posted on the cybercrime forum RAMP on June 29 in an attempt to recruit some new affiliates. However, BleepingComputer says it has been made aware of Cicada attacks as early as June 6.

How the ransomware works

Attackers gain entry by brute-forcing or stealing valid credentials and logging in remotely via ScreenConnect and executing the ransomware.

ESXi’s “esxcli” and “vim-cmd” commands are first executed to shut down VMs and delete any snapshots. The ransomware then uses the ChaCha20 cipher and a symmetric key generated using the random number generator “Osrng” to encrypt the files.

All files under 100 MB are encrypted in their entirety, while intermittent encryption is applied to larger ones. The encryption function targets certain file extensions associated with documents and pictures, including docx, xslx, and pptx. The Truesec researchers say this indicates that the ransomware was originally used to encrypt Windows systems before being ported for ESXi hosts.

Random seven-character extensions are added to the encrypted file names that are then used to denote their respective recovery notes, stored in the same folder. This is also a technique used by leading RaaS group BlackCat/ALPHV.

Cicada3301 ransomware allows for the operator to execute a number of custom parameters that could assist them in evading detection. For example, “sleep” delays the encryption by a defined number of seconds, and “ui” provides real-time data about the encryption process, such as the number of files encrypted.

When the encryption is complete, the ChaCha20 symmetric key is encrypted with an RSA key. This is needed to decrypt the recovery instructions, and the threat actors can hand it over once payment has been made.

The attacker can also exfiltrate the victim’s data and threaten to post it on the Cicada3301 leak site for additional leverage.

SEE: Massive ransomware operation targets VMware ESXi: How to protect from this security threat

Cyber attackers impersonating real organisation

The ransomware group is impersonating a legitimate organisation named “Cicada 3301,” responsible for a famous series of cryptography games. There is no connection between the two, despite the threat actors having stolen its logo and branding.

SEE: Ransomware Cheat Sheet for 2024

The Cicada 3301 puzzle project has released a statement distancing itself from the RaaS group, saying: “We do not know the identity of the criminals behind these heinous crimes, and are not associated with these groups in any way.”

There are a number of similarities between Cicada3301 and ALPHV/BlackCat that led researchers to believe they are connected. ALPHV/BlackCat’s servers went down in March, so it would be viable for the new group to represent either a rebrand or a spin-off initiated by some of its core members.

Cicada3301 could also consist of a different group of attackers who simply bought the ALPHV/BlackCat source code after it ceased operation.

As well as ALPHV/BlackCat, the Cicada3301 ransomware has been connected to a botnet named “Brutus.” The IP address of a device to log into a victim’s network via ScreenConnect is linked to “a broad campaign of password guessing various VPN solutions” by Brutus, Truesec says.

Cicada3310 could be a rebrand or spin-off of ALPHV/BlackCat

ALPHV/BlackCat ceased operations after a sloppily executed cyber attack against Change Healthcare in February. The group did not pay an affiliate their percentage of the $22 million ransom, so the affiliate exposed them, prompting ALPHV to fake a law enforcement takeover and turn off their servers.

SEE: BlackCat/ALPHV Ransomware Site Seized in International Takedown Effort

Cicada3301 could represent an ALPHV/BlackCat rebrand or off-shoot group. There are also a number of similarities between their ransomware, for example:

• Both are written in Rust.
• Both use the ChaCha20 algorithm for encryption.
• Both employ identical VM shutdown and snapshot-wiping commands.
• Both use the same user interface command parameters, the same file naming convention, and the same ransom note decryption method.
• Both use intermittent encryption on larger files.

Furthermore, brute-forcing activities from the Brutus botnet, which has now been linked to Cicada3310, were first spotted just two weeks after ALPHV/BlackCat shut down its servers in March.

VMware ESXi is becoming a popular ransomware target

Truesec said the Cicada 3310 ransomware is used on both Windows and Linux/VMware ESXi hosts. VMware ESXi is a bare-metal hypervisor that enables the creation and management of virtual machines directly on server hardware, which may include critical servers.

The ESXi environment has become the target of many cyberattacks of late, and VMware has been frantically providing patches as new vulnerabilities emerge. Compromising the hypervisor can allow attackers to disable multiple virtual machines simultaneously and remove recovery options such as snapshots or backups, ensuring significant impact on a business’s operations.

Such focus highlights cyberattackers’ interest in the huge payday available from executing maximum damage on corporate networks.