Cicada3301, a new ransomware operation, has surfaced and is using robust encryption to target Linux/ESXi and Windows hosts. The gang was first noticed in June 2024 and has since named several victims on its data leak website.
Cicada3301 ESXi ransomware was developed in Rust, and only a small number of known groups have employed ESXi ransomware written in Rust. Among those groups is the now-defunct ransomware-as-a-service group Black Cat/ALPHV.
Using valid login credentials that were either stolen or obtained by brute force, the threat actor initiated the attack through ScreenConnect.
Ransomware-as-a-Service Platform
Similar to a classic ransomware-as-a-service (RaaS) platform, Cicada3301 gives its affiliates the ability to extort victims by encrypting their data and threatening to release it unless a ransom is paid.
Truesec reports that the gang targets Linux/ESXi and Windows computers with ransomware written in Rust, a language known for its performance and memory-safety properties.
The ransomware, specifically version 1.79.0, is an ELF program compiled from Rust. The use of Rust is confirmed by the binary’s .comment section and by string references to Cargo, Rust’s build system.
The ransomware uses the ChaCha20 cipher, which is consistent with other malware such as ALPHV, hinting at significant code similarities or shared developers.
The primary purpose of the ransomware, linux_enc, is to encrypt data on Linux/ESXi computers. In order to alter how it operates, it takes in multiple parameters:
- UI Parameter: Offers a graphical output with statistics and encryption progress.
- No_VM_SS Parameter: Uses ESXi commands to erase snapshots and encrypt files without stopping virtual machines.
- Key Parameter: Required for operation; the ransomware cannot run in the absence of a working key.
The ransomware generates a symmetric key with the OsRng random number generator, encrypts files with ChaCha20, and then encrypts the ChaCha20 key with RSA so that only the holder of the private key can recover it. The ransom note, named according to the convention “RECOVER-[extension]-DATA.txt,” is written into the directory of each encrypted file.
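The note-naming convention above gives defenders a simple filesystem indicator. The following added example (not from the article or from any vendor report) scans a directory listing for files matching the RECOVER-[extension]-DATA.txt pattern, reads the extension embedded in the note name, and lists sibling files that carry that extension, i.e. the files most likely encrypted. The sample paths are constructed for illustration; the extension `abc123` and the ESXi datastore layout are assumptions, not values from the page.

```python
import os
import re

# Ransom note convention described in the article: RECOVER-<extension>-DATA.txt
NOTE_RE = re.compile(r"^RECOVER-([A-Za-z0-9]+)-DATA\.txt$")


def find_ransom_notes(paths):
    """Map each directory containing a ransom note to the extension named in that note."""
    notes = {}
    for p in paths:
        directory, _, name = p.rpartition("/")
        m = NOTE_RE.match(name)
        if m:
            notes[directory] = m.group(1)
    return notes


def find_encrypted_files(paths, notes):
    """Return sibling files (same directory as a note) that end in the note's extension."""
    hits = []
    for p in paths:
        directory, _, name = p.rpartition("/")
        ext = notes.get(directory)
        if ext and name.endswith("." + ext) and not NOTE_RE.match(name):
            hits.append(p)
    return hits


def summarize(paths):
    """Combine both checks into a small report usable from a script or a SIEM enrichment job."""
    notes = find_ransom_notes(paths)
    return {
        "note_dirs": sorted(notes),
        "extensions": sorted(set(notes.values())),
        "encrypted": find_encrypted_files(paths, notes),
    }


def scan_directory(root):
    """Walk a real filesystem tree and run the same checks on every path found."""
    paths = []
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            paths.append(os.path.join(dirpath, f).replace(os.sep, "/"))
    return summarize(paths)


# Constructed directory listing: one VM folder hit, one untouched, one unrelated file.
SAMPLE_PATHS = [
    "/vmfs/volumes/ds1/vm1/vm1.vmdk.abc123",
    "/vmfs/volumes/ds1/vm1/vm1.vmx.abc123",
    "/vmfs/volumes/ds1/vm1/RECOVER-abc123-DATA.txt",
    "/vmfs/volumes/ds1/vm2/vm2.vmdk",
    "/vmfs/volumes/ds1/vm2/vm2.vmx",
    "/home/admin/notes.txt",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_PATHS))
```

Matching on the directory that holds the note, rather than on the extension alone, keeps false positives down: an arbitrary extension is not suspicious by itself, but an extension that also appears inside a RECOVER-…-DATA.txt name in the same folder is a strong signal.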
The primary attack vector of Cicada3301 is gaining access to systems through remote-access tools such as ScreenConnect using legitimate credentials, which are frequently obtained by theft or brute-force attacks.
The IP address connected to these operations is part of the Brutus botnet, which is well known for password-guessing activity. Given this relationship, there is a chance that Cicada3301 is essentially a rebranded BlackCat/ALPHV group, or at least shares some of the same developers or resources.
Cicada3301’s strong encryption and its ability to attack multiple operating systems make it a serious threat. To reduce the risk of ransomware attacks, organizations should strengthen their security measures, including frequent data backups, network segmentation, and personnel training.
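Because the initial access described here relies on credentials guessed or stolen and then replayed against a remote-access tool, the most useful early detection is a burst of failed logins from one source followed by a success. The following added example (not from the article, and not using ScreenConnect’s real log format, which is assumed here as a generic constructed line format) flags a source address with at least five failures inside a ten-minute window and reports whether a successful login from that address followed the burst. The IP addresses, usernames and timestamps are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<date> <time> LOGIN_FAIL|LOGIN_OK user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<result>LOGIN_(?:FAIL|OK)) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_password_guessing(lines, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP whose failures reach `threshold` within `window`.

    Each alert records the failure count, the usernames tried, and the user of the
    first successful login from that IP at or after the burst (None if there was none).
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "LOGIN_FAIL"]
        for i in range(len(fails)):
            # Extend the window forward from failure i as far as it reaches.
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                burst_end = fails[j]["ts"]
                success = next(
                    (e for e in evs if e["result"] == "LOGIN_OK" and e["ts"] >= burst_end),
                    None,
                )
                alerts.append({
                    "ip": ip,
                    "failures": count,
                    "users": sorted({e["user"] for e in fails[i:j + 1]}),
                    "success_user": success["user"] if success else None,
                })
                break  # one alert per IP is enough
    return alerts


# Constructed sample: a guessing burst that ends in a valid login, plus benign noise.
SAMPLE_LOG = [
    "2024-06-12 02:14:01 LOGIN_FAIL user=admin src=203.0.113.7",
    "2024-06-12 02:14:03 LOGIN_FAIL user=admin src=203.0.113.7",
    "2024-06-12 02:14:06 LOGIN_FAIL user=administrator src=203.0.113.7",
    "2024-06-12 02:14:09 LOGIN_FAIL user=admin src=203.0.113.7",
    "2024-06-12 02:14:12 LOGIN_FAIL user=root src=203.0.113.7",
    "2024-06-12 02:14:15 LOGIN_FAIL user=admin src=203.0.113.7",
    "2024-06-12 02:14:20 LOGIN_OK user=admin src=203.0.113.7",
    "2024-06-12 02:30:00 LOGIN_FAIL user=jdoe src=198.51.100.2",
    "2024-06-12 02:30:10 LOGIN_OK user=jdoe src=198.51.100.2",
]

if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print(alert)
```

A failure burst that ends in a success is the case worth paging on: it means the guessed credential worked, which is exactly the precondition for the ScreenConnect access described above. Tune `threshold` and `window` to the tool’s normal failure rate so that a single user mistyping a password does not trip the rule.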