Cicada3301 ransomware's Linux encryptor targets VMware ESXi systems
A new ransomware-as-a-service (RaaS) operation named Cicada3301 has already listed 19 victims on its extortion portal after quickly attacking companies worldwide.
The new cybercrime operation is named after the mysterious 2012-2014 online/real-world game that involved elaborate cryptographic puzzles, and it uses the same logo to promote itself on cybercrime forums.
However, there is no connection between the two, and the original project has issued a statement denying any affiliation and condemning the ransomware operators' actions.
The Cicada3301 RaaS first began promoting the operation and recruiting affiliates on June 29, 2024, in a post on the ransomware and cybercrime forum known as RAMP.
However, BleepingComputer is aware of Cicada attacks as early as June 6, indicating that the group was operating on its own before attempting to recruit affiliates.
Like other ransomware operations, Cicada3301 uses double-extortion tactics: the attackers breach corporate networks, steal data, and then encrypt devices. The encryption key and the threat of leaking the stolen data are then used as leverage to pressure victims into paying a ransom.
The threat actors operate a data leak site that is used as part of this double-extortion scheme.
An analysis of the new malware by Truesec revealed significant overlaps between Cicada3301 and ALPHV/BlackCat, indicating a likely rebrand or a fork created by former members of ALPHV's core team.
This is based on the fact that:
- Both are written in Rust.
- Both use the ChaCha20 algorithm for encryption.
- Both use the same VM shutdown and snapshot-wiping commands.
- Both use the same user-interface command parameters, the same file naming convention, and the same ransom note decryption method.
- Both employ intermittent encryption on larger files.
For context, ALPHV performed an exit scam in early March 2024 involving false claims about an FBI takedown, after stealing a massive $22 million Change Healthcare payment from one of its own affiliates.
Truesec has also found indications that the Cicada3301 ransomware operation may partner with or use the Brutus botnet for initial access to corporate networks. That botnet was previously linked to global-scale VPN brute-forcing activity targeting Cisco, Fortinet, Palo Alto, and SonicWall appliances.
It is worth noting that the Brutus activity was first observed two weeks after ALPHV shut down operations, so the link between the two groups is at least consistent with the timeline.
Yet another threat to VMware ESXi
Cicada3301 is a Rust-based ransomware operation with both Windows and Linux/VMware ESXi encryptors. As part of its report, Truesec's researchers analyzed the operation's VMware ESXi Linux encryptor.
Like BlackCat and other ransomware families, such as RansomHub, a special key must be passed as a command-line argument to launch the encryptor. This key is used to decrypt an encrypted JSON blob containing the configuration the encryptor uses when encrypting a device. A practical consequence is that the sample will not detonate in a sandbox without the key, so analysts need the full command line from the intrusion, not just the binary.
Truesec says the encryptor checks the validity of the key by using it to decrypt the ransom note; if that succeeds, it continues with the rest of the encryption operation.
Its main function (linux_enc) uses the ChaCha20 stream cipher for file encryption and then encrypts the symmetric key used in the process with an RSA key. The encryption keys are generated randomly using 'OsRng'.
Cicada3301 targets specific file extensions matching documents and media files and checks their size to determine whether to apply intermittent encryption (>100MB) or to encrypt the entire file contents (<100MB).
When encrypting files, the encryptor will append a random seven-character extension to the file name and create ransom notes named ‘RECOVER-[extension]-DATA.txt,’ as shown below. It should be noted that BlackCat/ALPHV encryptors also used random seven-character extensions and a ransom note named ‘RECOVER-[extension]-FILES.txt.’
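The naming convention and the 100MB size threshold described above are useful during incident triage: the ransom note name reveals the random extension, the extension identifies which files were touched, and the size rule predicts whether a file was fully or intermittently encrypted, which can be confirmed by measuring chunk entropy. The following triage helper is an added example written for this page; it is not code from Truesec or from the ransomware. It assumes the seven-character extension is alphanumeric and uses a constructed sample directory (with a reduced size threshold, so the demo does not write 100MB to disk) rather than real victim data.

```python
import math
import os
import re
import tempfile
from pathlib import Path

# Ransom note naming from the article: RECOVER-<ext>-DATA.txt, where <ext> is the
# random seven-character extension appended to encrypted files. The alphanumeric
# character class is an assumption, not something the article states.
NOTE_RE = re.compile(r"^RECOVER-(?P<ext>[A-Za-z0-9]{7})-DATA\.txt$")

# Size threshold the article gives for intermittent vs. full encryption.
FULL_ENCRYPTION_LIMIT = 100 * 1024 * 1024  # 100 MB


def note_extension(filename):
    """Return the random extension encoded in a Cicada3301-style ransom note name."""
    m = NOTE_RE.match(filename)
    return m.group("ext") if m else None


def expected_mode(size, limit=FULL_ENCRYPTION_LIMIT):
    """Encryption mode the article's size rule predicts for a file of this size."""
    return "intermittent" if size > limit else "full"


def shannon_entropy(data):
    """Bits of entropy per byte; ~8.0 for ciphertext, well below 7 for plain text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def observed_mode(path, chunk_size=4096, threshold=7.0):
    """Classify a file as full/intermittent/none by the share of high-entropy chunks."""
    high = total = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            total += 1
            if shannon_entropy(chunk) >= threshold:
                high += 1
    if total == 0:
        return "empty"
    if high == total:
        return "full"
    if high == 0:
        return "none"
    return "intermittent"


def triage(root, limit=FULL_ENCRYPTION_LIMIT):
    """Find ransom notes under root, derive extensions, and profile affected files."""
    root = Path(root)
    exts = set()
    for p in root.rglob("*"):
        ext = note_extension(p.name)
        if ext:
            exts.add(ext)
    results = []
    for ext in sorted(exts):
        for p in sorted(root.rglob(f"*.{ext}")):
            size = p.stat().st_size
            results.append({
                "path": str(p),
                "ext": ext,
                "size": size,
                "expected": expected_mode(size, limit),
                "observed": observed_mode(p),
            })
    return results


def run_demo(limit=64 * 1024):
    """Build a constructed sample tree (not real data) and triage it."""
    d = tempfile.mkdtemp(prefix="cicada_triage_")
    ext = "ab12xyz"  # hypothetical random extension
    (Path(d) / f"RECOVER-{ext}-DATA.txt").write_text("constructed ransom note\n")
    # Small file: below the limit, so fully encrypted (all chunks random).
    (Path(d) / f"report.docx.{ext}").write_bytes(os.urandom(16 * 1024))
    # Large file: above the limit, alternating encrypted and untouched 4 KB chunks.
    chunks = [os.urandom(4096) if i % 2 == 0 else (b"plain text " * 373)[:4096]
              for i in range(32)]
    (Path(d) / f"video.mp4.{ext}").write_bytes(b"".join(chunks))
    (Path(d) / "notes.txt").write_text("untouched file\n")
    return ext, triage(d, limit=limit)


if __name__ == "__main__":
    for row in run_demo()[1]:
        print(row)
```

A mismatch between the expected and observed mode (for example, a file over the threshold that is fully high-entropy) is a hint that the sample or its configuration differs from the one Truesec analyzed, and is worth noting in the incident record.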
The ransomware’s operators can set a sleep parameter to delay the encryptor’s execution, potentially to evade immediate detection.
A “no_vm_ss” parameter also orders the malware to encrypt VMware ESXi virtual machines without attempting to shut them down first.
However, by default, Cicada3301 first uses ESXi’s ‘esxcli’ and ‘vim-cmd’ commands to shut down virtual machines and delete their snapshots before encrypting data.
esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | grep -viE ",()," | awk -F "\"*,\"*" '{system("esxcli vm process kill --type=force --world-id="$1)}' > /dev/null 2>&1;
for i in `vim-cmd vmsvc/getallvms| awk '{print$1}'`;do vim-cmd vmsvc/snapshot.removeall $i & done > /dev/null 2>&1
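Because these commands run through the ESXi shell, they leave traces in the host's shell history log (/var/log/shell.log). The detector below is an added example written for this page, not code from Truesec or the ransomware; it parses shell.log-style lines, flags the forced VM kill and the snapshot.removeall loop individually, and raises a higher-confidence finding when both appear in the same shell session. The line layout ("<timestamp> shell[<pid>]: [<user>]: <command>") is assumed from typical ESXi shell.log output and should be checked against your own hosts; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Constructed ESXi /var/log/shell.log excerpt (not real victim data). The
# "<timestamp> shell[<pid>]: [<user>]: <command>" layout is an assumption.
SAMPLE_SHELL_LOG = """\
2024-06-06T03:12:41Z shell[2099]: [root]: esxcli system version get
2024-06-06T03:15:02Z shell[2117]: [root]: vim-cmd vmsvc/getallvms
2024-06-06T03:15:09Z shell[2117]: [root]: esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | grep -viE ",()," | awk -F "\\"*,\\"*" '{system("esxcli vm process kill --type=force --world-id="$1)}' > /dev/null 2>&1;
2024-06-06T03:15:10Z shell[2117]: [root]: for i in `vim-cmd vmsvc/getallvms| awk '{print$1}'`;do vim-cmd vmsvc/snapshot.removeall $i & done > /dev/null 2>&1
2024-06-06T09:40:55Z shell[3301]: [admin]: vim-cmd vmsvc/snapshot.removeall 12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)
KILL_RE = re.compile(r"esxcli vm process kill --type=force")
SNAP_RE = re.compile(r"vim-cmd vmsvc/snapshot\.removeall")


@dataclass
class Finding:
    ts: str
    session: str   # shell pid, used as a session identifier
    user: str
    rule: str
    cmd: str


def parse_shell_log(text):
    """Yield dicts for lines that match the assumed shell.log layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def classify(cmd):
    """Return the rule names a single command line triggers."""
    rules = []
    if KILL_RE.search(cmd):
        rules.append("esxi_vm_force_kill")
        # The one-liner pipes the process list into a kill of every world ID.
        if "vm process list" in cmd and "system(" in cmd:
            rules.append("esxi_kill_all_vms_oneliner")
    if SNAP_RE.search(cmd):
        rules.append("esxi_snapshot_removeall")
        # Looping over getallvms wipes snapshots for every registered VM.
        if "getallvms" in cmd:
            rules.append("esxi_wipe_all_snapshots_loop")
    return rules


def detect(text):
    """Per-line findings plus a correlated finding when one session does both."""
    findings = []
    rules_by_session = {}
    for e in parse_shell_log(text):
        for rule in classify(e["cmd"]):
            findings.append(Finding(e["ts"], e["pid"], e["user"], rule, e["cmd"]))
            rules_by_session.setdefault(e["pid"], set()).add(rule)
    for pid, rules in rules_by_session.items():
        if "esxi_vm_force_kill" in rules and "esxi_snapshot_removeall" in rules:
            first = next(f for f in findings if f.session == pid)
            findings.append(Finding(first.ts, pid, first.user,
                                    "esxi_pre_encryption_sequence", ""))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_SHELL_LOG):
        print(f"{f.ts} session={f.session} user={f.user} rule={f.rule}")
```

The lone snapshot.removeall by "admin" in the sample is reported on its own but is not escalated, since routine snapshot cleanup is common; the forced kill of all VMs immediately followed by a snapshot wipe from the same session is the pattern that should page someone.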
Cicada3301's actions and rate of success point to an experienced actor who knows what they are doing, further supporting the hypothesis of an ALPHV reboot, or at least the use of affiliates with prior ransomware experience.
The new ransomware's focus on ESXi environments highlights a deliberate strategy to maximize damage in the enterprise environments that many threat actors now target for lucrative payouts.
By combining file encryption with the ability to disrupt VM operations and remove recovery options, Cicada3301 produces a high-impact attack that affects entire networks and infrastructures, maximizing the pressure placed on victims.