There is a new ransomware group out there, and it seems to be specifically targeting VMware’s ESXi hypervisors.
Cybersecurity researchers from Truesec have recently issued a warning about a threat actor called Cicada3301, which seems to be operating a ransomware encryptor of the same name.
The group looks to have picked up the name from the online cryptographic puzzle game that was popular roughly a decade ago, but other than that, there seems to be no connection between the two.
Truesec says that Cicada3301 has two encryptors: one for Windows devices and another for VMware ESXi. So far, the hackers have compromised 19 victims, according to the information on the group's data leak site, BleepingComputer reports.
The same source also states that Cicada3301 most likely began operations in the first week of June this year and started recruiting affiliates of its own at the end of the same month. It also argues that the decision to target ESXi environments means the group is out to “maximize damage in enterprise environments,” since enterprises usually pay better.
Further analyzing the encryptor, the researchers found plenty of overlap between Cicada3301 and ALPHV/BlackCat, suggesting that it is either the same entity, simply rebranded, or a fork built by former affiliates. Those with longer memories will remember BlackCat, an infamous Ransomware-as-a-Service (RaaS) operation which allegedly “took the money and ran” after a successful attack on Change Healthcare.
In late February and early March this year, healthcare giant Change Healthcare was targeted by an ALPHV affiliate. The company allegedly paid $22 million in cryptocurrency, in exchange for the decryptor and its data. However, the money never made it to the affiliates who did the work. Instead, the RaaS operators took all of it and simply disappeared. They shut down the entire infrastructure, pulled everything and vanished into thin air.
The affiliate that breached Change Healthcare, and was left holding a sizeable archive of the company's data, later rebranded as RansomHub and has since carried out a number of successful breaches.