Cicada3301 Ransomware Targets Windows and Linux/ESXi Hosts


A new ransomware group, Cicada3301, has emerged, targeting Windows and Linux/ESXi hosts with sophisticated encryption techniques. First observed in June 2024, the group has quickly gained notoriety by listing multiple victims on its data leak site.

The Cicada3301 ESXi ransomware is written in Rust, and only a few known groups have used ESXi ransomware written in that language. The now-defunct BlackCat/ALPHV ransomware-as-a-service group is one of them.


The attack began with the threat actor using legitimate login credentials, which were either stolen or obtained through brute force, to gain access via ScreenConnect.

Ransomware-as-a-Service Platform

Cicada3301 operates as a traditional ransomware-as-a-service (RaaS) platform, offering affiliates tools for double extortion—encrypting data and threatening to leak it unless a ransom is paid.

According to Truesec, the group uses ransomware written in Rust, a language known for its performance and memory-safety features, to target both Windows and Linux/ESXi systems.

The ransomware is an ELF binary built with Rust, specifically rustc 1.79.0. The use of Rust is confirmed by examining the binary's .comment section and by string references to Rust's build system, Cargo.
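The .comment check described above is something a triage analyst can automate without leaving the standard library. The following added example (not code from the article or from Truesec) parses the ELF64 section header table, pulls the rustc version string out of .comment, and counts Cargo registry paths in the file body. Because no real sample is embedded, the block constructs a minimal ELF of its own; the commit hash, date and crate path inside it are placeholders and only the 1.79.0 version string comes from the page.

```python
import re
import struct

# Constructed sample inputs (not taken from the page's analysis): a Rust-style
# .comment string with a placeholder commit hash/date, and a Cargo registry path
# of the kind Rust binaries carry in .rodata via panic/debug location strings.
SAMPLE_COMMENT = b"GCC: (GNU) 13.2.0\x00rustc version 1.79.0 (0000000 2000-01-01)\x00"
SAMPLE_RODATA = b"/home/build/.cargo/registry/src/example-index/somecrate-0.1.0/src/lib.rs\x00"

SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 1, 3, 8
EHDR = struct.Struct("<HHIQQQIHHHHHH")   # Elf64_Ehdr fields after the 16-byte e_ident
SHDR = struct.Struct("<IIQQQQIIQQ")      # Elf64_Shdr


def build_sample_elf(sections):
    """Build a minimal little-endian ELF64 from [(name, sh_type, bytes), ...].
    Demonstration helper only: no program headers, no code, just section data
    followed by .shstrtab and the section header table."""
    names = [n for n, _, _ in sections] + [".shstrtab"]
    shstrtab, name_off = b"\x00", {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\x00"
    blobs = [c for _, _, c in sections] + [shstrtab]
    types = [t for _, t, _ in sections] + [SHT_STRTAB]
    offsets, cur = [], 64                      # section data starts right after the header
    for b in blobs:
        offsets.append(cur)
        cur += len(b)
    shoff = cur + (-cur) % 8                   # 8-byte aligned section header table
    shnum = len(blobs) + 1                     # +1 for the mandatory NULL section
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LSB, version 1
    ehdr = e_ident + EHDR.pack(2, 0x3E, 1, 0, 0, shoff, 0, 64, 0, 0, SHDR.size, shnum, shnum - 1)
    table = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    for n, t, off, b in zip(names, types, offsets, blobs):
        table += SHDR.pack(name_off[n], t, 0, 0, off, len(b), 0, 0, 1, 0)
    body = ehdr + b"".join(blobs)
    return body + b"\x00" * (shoff - len(body)) + table


def elf_sections(data):
    """Return {section_name: raw_bytes} for an ELF64 image (either byte order)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("expected an ELF64 image")
    endian = "<" if data[5] == 1 else ">"
    hdr = struct.unpack_from(endian + EHDR.format[1:], data, 16)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[5], hdr[10], hdr[11], hdr[12]
    shdr_fmt = endian + SHDR.format[1:]
    shdrs = [struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    strtab_off = shdrs[e_shstrndx][4]          # sh_offset of .shstrtab
    out = {}
    for sh_name, sh_type, _flags, _addr, sh_off, sh_size, *_ in shdrs:
        name_end = data.index(b"\x00", strtab_off + sh_name)
        name = data[strtab_off + sh_name:name_end].decode("ascii", "replace")
        # SHT_NOBITS sections (.bss) occupy no file bytes, so never slice them
        out[name] = b"" if sh_type == SHT_NOBITS else data[sh_off:sh_off + sh_size]
    return out


RUSTC_RE = re.compile(rb"rustc version (\d+\.\d+\.\d+)")


def rust_indicators(data):
    """Triage view: compiler version from .comment plus a count of Cargo registry paths."""
    sections = elf_sections(data)
    match = RUSTC_RE.search(sections.get(".comment", b""))
    return {
        "rustc_version": match.group(1).decode() if match else None,
        "cargo_registry_paths": data.count(b".cargo/registry/"),
    }


SAMPLE_ELF = build_sample_elf([
    (".comment", SHT_PROGBITS, SAMPLE_COMMENT),
    (".rodata", SHT_PROGBITS, SAMPLE_RODATA),
])

if __name__ == "__main__":
    print(rust_indicators(SAMPLE_ELF))
```

On a real sample, feed the file bytes to `rust_indicators`; `readelf -p .comment` gives the same string by hand. A stripped binary keeps .comment in most toolchains, but the Cargo path count depends on panic-location strings surviving, so treat a zero there as inconclusive rather than as evidence against Rust.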

The ransomware employs the ChaCha20 encryption algorithm, a choice that aligns with previous ransomware like ALPHV, suggesting possible code similarities or shared developers between the two.

Functionality and Parameters

The ransomware’s main function, linux_enc, is designed to encrypt data on Linux/ESXi systems. It accepts several parameters to customize its operation:

  • UI Parameter: Provides a graphical output showing encryption progress and statistics.
  • No_VM_SS Parameter: Encrypts files without shutting down virtual machines, using ESXi commands to delete snapshots.
  • Key Parameter: Essential for operation; without a valid key, the ransomware will not execute.

The ransomware generates a symmetric key using the OsRng random number generator, encrypts files with ChaCha20, and then encrypts the ChaCha20 key with RSA so that only the operators can recover it. A ransom note is written to each encrypted file's directory, named using the convention "RECOVER-[extension]-DATA.txt".
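The note naming convention above is a cheap triage signal: the extension embedded in the note name should match the extension appended to the encrypted files beside it. The following added example (not code from the article or from Truesec) takes a file listing, groups it by directory, and reports each directory that holds a note together with the sibling files carrying that extension. The listing, the `abcd12` extension and the paths are constructed placeholders.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Note name pattern from the article: RECOVER-[extension]-DATA.txt
NOTE_RE = re.compile(r"^RECOVER-(?P<ext>[A-Za-z0-9]+)-DATA\.txt$")

# Constructed listing for demonstration; "abcd12" is a placeholder extension,
# and the datastore/home paths are invented, not taken from any real incident.
SAMPLE_LISTING = [
    "/vmfs/volumes/datastore1/web01/web01.vmdk.abcd12",
    "/vmfs/volumes/datastore1/web01/web01.vmx.abcd12",
    "/vmfs/volumes/datastore1/web01/RECOVER-abcd12-DATA.txt",
    "/vmfs/volumes/datastore1/db01/db01.vmdk",
    "/home/alice/docs/report.pdf.abcd12",
    "/home/alice/docs/RECOVER-abcd12-DATA.txt",
    "/home/alice/docs/notes.txt",
    "/etc/hosts",
]


def find_ransom_note_dirs(paths):
    """Return {directory: {"note", "extension", "encrypted_files"}} for every
    directory in `paths` that contains a file matching NOTE_RE.  Files are
    attributed to the note only by sharing its extension, so the result is a
    triage lead, not proof that a given file is encrypted."""
    by_dir = defaultdict(list)
    for p in paths:
        pp = PurePosixPath(p)
        by_dir[str(pp.parent)].append(pp.name)
    hits = {}
    for directory, names in by_dir.items():
        for name in names:
            match = NOTE_RE.match(name)
            if not match:
                continue
            ext = match.group("ext")
            siblings = sorted(n for n in names if n != name and n.endswith("." + ext))
            hits[directory] = {"note": name, "extension": ext, "encrypted_files": siblings}
    return hits


def summarize(paths):
    """Totals a responder wants first: affected directories and suspected files."""
    hits = find_ransom_note_dirs(paths)
    return {
        "directories_with_notes": len(hits),
        "suspected_encrypted_files": sum(len(h["encrypted_files"]) for h in hits.values()),
        "extensions_seen": sorted({h["extension"] for h in hits.values()}),
    }


if __name__ == "__main__":
    for directory, info in find_ransom_note_dirs(SAMPLE_LISTING).items():
        print(directory, info)
    print(summarize(SAMPLE_LISTING))
```

On a live host the listing would come from `find / -type f` or a datastore inventory, and the summary's extension set is what to compare across hosts: one extension everywhere suggests a single campaign key, several suggest separate runs.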

Cicada3301’s initial attack vector involves using valid credentials, often obtained through brute force or theft, to access systems via tools like ScreenConnect.

The IP address linked to these activities is associated with the Brutus botnet, known for its password-guessing campaigns. This connection raises the possibility that Cicada3301 may be a rebranded version of the defunct BlackCat/ALPHV group, or at least shares some of its resources or developers.

Cicada3301 represents a significant threat due to its advanced encryption techniques and the ability to target multiple operating systems. Organizations are advised to bolster their cybersecurity measures, including regular data backups, network segmentation, and employee training to mitigate the risk of ransomware attacks.



