Cicada3301: New RaaS Gang Emerges, Targets VMware ESXi
Truesec specialists have revealed the emergence of a new cybercriminal group, Cicada3301, which, operating under the RaaS model, has already targeted 19 victims worldwide, leaving cybersecurity researchers perplexed.
The name Cicada3301 is borrowed from the renowned online puzzle game of 2012-2014, known for its intricate cryptographic challenges. However, the original project is in no way connected to the new cybercriminal group and strongly condemns their actions.
Cicada3301’s cyberattacks were first detected on June 6, although the operation was officially announced only on June 29 on the RAMP forum. This suggests that the group operated on its own before recruiting affiliates.
Like other ransomware operations, Cicada3301 employs a double extortion tactic: the attackers first infiltrate corporate networks and steal data, then encrypt the devices. Withholding the decryption keys and threatening to leak the stolen data are both used as leverage to pressure victims into paying a ransom.
Truesec has identified significant similarities between Cicada3301 and ALPHV/BlackCat. Experts speculate that Cicada3301 could be a rebranded version of ALPHV or a derivative, created by former members of the group. Both ransomware programs are written in Rust, use the ChaCha20 algorithm for encryption, and employ identical commands to disable virtual machines and delete snapshots, as well as a common filename format for recovery instructions.
Cicada3301 used compromised credentials for initial access, logging in through the remote access software ScreenConnect. Truesec also discovered that the IP address used in the attack is linked to the Brutus botnet, previously observed in large-scale password-spraying attacks on VPN devices from Cisco, Fortinet, Palo Alto, and SonicWall. The timeline of Brutus’s activity coincides with the cessation of ALPHV’s operations, further reinforcing the connection between the two groups.
Cicada3301 places particular emphasis on attacking VMware ESXi environments, as evidenced by the analysis of a Linux/VMware ESXi ransomware variant that will only run when a specific key is supplied to it. The ransomware’s primary function uses the ChaCha20 stream cipher to encrypt files and then encrypts the symmetric key with RSA. The attackers target files with specific extensions and use intermittent encryption (encrypting only parts of the file) for larger files.
Cicada3301 also employs methods that complicate data recovery after an attack. For instance, the ransomware can encrypt VMware ESXi virtual machines without first shutting them down, making the recovery process more challenging.
Cicada3301 may be a reincarnation of the BlackCat group or the result of their collaboration with the Brutus botnet to gain access to victims. Another theory suggests that the ALPHV code was acquired and adapted by other cybercriminals, as BlackCat had previously announced the sale of its ransomware source code for $5 million.
All evidence points to Cicada3301 being operated by seasoned cybercriminals who are well-versed in their craft. Their successful attacks on companies and the severe damage they inflict on corporate networks indicate that this group poses a significant threat to businesses. Cicada3301’s focus on VMware ESXi environments underscores their strategic approach to maximizing damage and profiting from ransom payments.