A newly emerged ransomware-as-a-service (RaaS) operation, known as Cicada3301, has quickly gained attention in the cyber security community. With 19 victims already listed on its extortion portal, this cybercrime group has launched a series of aggressive attacks on organisations worldwide.
Background on Cicada3301
The Cicada3301 name references the enigmatic online puzzle game that gained notoriety between 2012 and 2014. The ransomware group has co-opted the game's logo for its promotions on cybercrime forums, but the original game's creators have publicly disavowed any connection to the criminal activity and condemned the misuse of their imagery.
Cicada3301 began promoting its RaaS operation on June 29, 2024, through a post on the RAMP cybercrime forum. However, reports suggest that the group had been conducting attacks independently as early as June 6, 2024, before seeking to expand its operations by recruiting affiliates.
Tactics and Techniques
Cicada3301 employs double-extortion tactics—a common strategy in ransomware attacks. The group infiltrates corporate networks, exfiltrates sensitive data, and then encrypts critical systems. Victims are pressured into paying a ransom not only to recover their data but also to prevent the public release of the stolen information. The group operates a dedicated data leak site to further intimidate victims into complying with their demands.
An analysis by cyber security firm Truesec has revealed striking similarities between Cicada3301 and the notorious ALPHV/BlackCat ransomware, suggesting a possible rebranding or evolution by former ALPHV members. Key overlaps include:
• Both are written in the Rust programming language.
• Both utilise the ChaCha20 encryption algorithm.
• Both employ the same commands for shutting down virtual machines (VMs) and wiping snapshots.
• Both share the same file-naming conventions, user interface command parameters, and ransom note decryption methods.
• Both use intermittent encryption for large files.
ALPHV was involved in an exit scam in March 2024, where the group falsely claimed an FBI takedown to cover up a $22 million heist from Change Healthcare. The timeline and technical overlaps raise the possibility that Cicada3301 could be a continuation of ALPHV's operations under a new name.
Connection to Brutus Botnet
Truesec's investigation also indicates that Cicada3301 may be leveraging the Brutus botnet to gain initial access to corporate networks. This botnet, previously linked to large-scale VPN brute-forcing campaigns targeting Cisco, Fortinet, Palo Alto, and SonicWall devices, was first detected two weeks after ALPHV ceased operations, further hinting at a connection between the two groups.
Targeting VMware ESXi
Cicada3301 has developed specialised ransomware encryptors for both Windows and Linux/VMware ESXi environments. The group's focus on VMware ESXi systems is particularly concerning, given the critical role these systems play in enterprise environments.
The ransomware encryptor for ESXi follows a methodical approach to maximise disruption:
• A unique key must be entered as a command line argument to initiate the encryption process, ensuring that only authorised operators can deploy the malware.
• The primary encryption function uses the ChaCha20 stream cipher, with the encryption keys generated using the 'OsRng' function.
• Files are encrypted based on their size: smaller files are fully encrypted, while larger files undergo intermittent encryption to balance speed and effectiveness.
• The encryptor appends a random seven-character extension to encrypted files and creates ransom notes named 'RECOVER-[extension]-DATA.txt'.
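The two file-level artefacts described above (size-dependent intermittent encryption, and the seven-character extension paired with a 'RECOVER-[extension]-DATA.txt' note) are what an incident responder sees first on a hit host. The following Python is an added triage example written for this page; it is not code from Truesec's analysis or from the malware. It recovers the extension from a ransom note name, pairs it with the files carrying that extension, and uses a per-chunk Shannon entropy profile to tell fully encrypted, intermittently encrypted and untouched files apart. The alphanumeric alphabet for the extension, the 4096-byte chunk size and the 7.0-bit threshold are assumptions, and the file listing and byte samples are constructed.

```python
import math
import random
import re
from typing import Dict, List

# Assumed naming convention from the article: a random seven-character
# extension on encrypted files and a note named RECOVER-<extension>-DATA.txt.
# The alphanumeric alphabet is an assumption; the article gives only the length.
RANSOM_NOTE_RE = re.compile(r"^RECOVER-([A-Za-z0-9]{7})-DATA\.txt$")


def ransom_note_extension(filename: str):
    """Return the extension embedded in a ransom note filename, or None."""
    m = RANSOM_NOTE_RE.match(filename)
    return m.group(1) if m else None


def triage_listing(filenames: List[str]) -> Dict[str, List[str]]:
    """Map each ransom note's extension to the files in the listing that carry it."""
    result: Dict[str, List[str]] = {}
    for name in filenames:
        ext = ransom_note_extension(name)
        if ext:
            result[ext] = [f for f in filenames if f != name and f.endswith("." + ext)]
    return result


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte for one chunk (0.0 for empty input, 8.0 is the maximum)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_profile(data: bytes, chunk_size: int = 4096) -> List[float]:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(profile: List[float], high: float = 7.0) -> str:
    """'full' if every chunk looks encrypted, 'intermittent' if only some do, else 'plain'.

    Intermittent encryption leaves a mix of high- and low-entropy regions, which is
    exactly what distinguishes it from a fully encrypted or untouched file.
    """
    hi = [e >= high for e in profile]
    if hi and all(hi):
        return "full"
    if any(hi):
        return "intermittent"
    return "plain"


# --- Constructed sample data (not from any real incident) ---------------------
SAMPLE_LISTING = [
    "RECOVER-a1b2c3d-DATA.txt",
    "report.docx.a1b2c3d",
    "vm01.vmdk.a1b2c3d",
    "readme.txt",
]

TEXT_CHUNK = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
_rng = random.Random(2024)  # seeded so the samples are reproducible


def _random_chunk(n: int = 4096) -> bytes:
    """Pseudo-random bytes standing in for ciphertext (high entropy)."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


SAMPLE_PLAIN = TEXT_CHUNK * 4
SAMPLE_FULL = b"".join(_random_chunk() for _ in range(4))
SAMPLE_INTERMITTENT = _random_chunk() + TEXT_CHUNK + _random_chunk() + TEXT_CHUNK


if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
    for label, data in (("plain", SAMPLE_PLAIN), ("full", SAMPLE_FULL),
                        ("intermittent", SAMPLE_INTERMITTENT)):
        profile = entropy_profile(data)
        print(label, [round(e, 2) for e in profile], "->", classify(profile))
```

On a real file system the listing would come from walking the volume and the byte samples from reading the suspect files; the chunk classification is a triage heuristic, since compressed or already-encrypted formats (archives, media, encrypted VMDKs) are high entropy before any ransomware touches them.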
To avoid detection, Cicada3301 can delay the execution of the encryptor using a sleep parameter. The malware also includes a "no_vm_ss" parameter, which orders the encryption of VMware ESXi virtual machines without attempting to shut them down. However, by default, the malware first uses ESXi's 'esxcli' and 'vim-cmd' commands to shut down VMs and delete their snapshots, ensuring that recovery options are minimised before the encryption process begins.
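Because the default behaviour is to delete snapshots and power off guests before encrypting, the ESXi shell history is a useful detection point. The Python below is an added example for this page, not Truesec's or the malware's code: it parses constructed lines in the style of ESXi's shell log, tags the VM-stop and snapshot-deletion commands, and raises one alert when a snapshot deletion is followed within a short window by VM shutdowns or kills. The line format, the ten-minute window and the specific 'vim-cmd vmsvc/snapshot.removeall', 'vim-cmd vmsvc/power.off' and 'esxcli vm process kill' forms are assumptions; the article names only the 'esxcli' and 'vim-cmd' tools.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample lines approximating ESXi's /var/log/shell.log layout
# (timestamp, shell[pid], [user], command). Not taken from any real host.
SAMPLE_SHELL_LOG = """\
2024-06-06T02:14:03Z shell[2101234]: [root]: vim-cmd vmsvc/getallvms
2024-06-06T02:14:09Z shell[2101234]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2024-06-06T02:14:11Z shell[2101234]: [root]: vim-cmd vmsvc/snapshot.removeall 13
2024-06-06T02:14:20Z shell[2101234]: [root]: vim-cmd vmsvc/power.off 12
2024-06-06T02:14:22Z shell[2101234]: [root]: esxcli vm process kill --type=force --world-id=2099876
2024-06-06T09:30:00Z shell[2107777]: [root]: esxcli system version get
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)

# Command shapes that matter for the "remove recovery options, then stop the VM"
# sequence. The exact subcommands are an assumption layered on the article.
SIGNALS = {
    "snapshot_delete": re.compile(r"\bvim-cmd\s+vmsvc/snapshot\.remove(all)?\b"),
    "vm_power_off": re.compile(r"\bvim-cmd\s+vmsvc/power\.off\b"),
    "vm_kill": re.compile(r"\besxcli\s+vm\s+process\s+kill\b"),
}


def parse_line(line: str):
    """Split one shell-log line into fields; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def tag_events(log_text: str) -> List[Dict]:
    """Return every parsed line that matches one of the SIGNALS, with its signal name."""
    events = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, rx in SIGNALS.items():
            if rx.search(rec["cmd"]):
                events.append({**rec, "signal": name})
    return events


def detect_pre_encryption_sequence(log_text: str,
                                   window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Alert once if any snapshot deletion is followed within `window` by a VM stop.

    Snapshot removal alone is routine admin work; the pairing with shutdowns or
    forced kills shortly afterwards is what matches the behaviour described above.
    """
    events = tag_events(log_text)
    snaps = [e for e in events if e["signal"] == "snapshot_delete"]
    stops = [e for e in events if e["signal"] in ("vm_power_off", "vm_kill")]
    matched_stops = {
        id(t) for s in snaps for t in stops
        if timedelta(0) <= t["ts"] - s["ts"] <= window
    }
    if not snaps or not matched_stops:
        return []
    return [{
        "start": min(s["ts"] for s in snaps),
        "user": snaps[0]["user"],
        "snapshot_deletes": len(snaps),
        "vm_stops": len(matched_stops),
    }]


if __name__ == "__main__":
    for alert in detect_pre_encryption_sequence(SAMPLE_SHELL_LOG):
        print(f"[ALERT] {alert['start']} user={alert['user']} "
              f"snapshot_deletes={alert['snapshot_deletes']} vm_stops={alert['vm_stops']}")
```

The ten-minute window is deliberately short so that a maintenance window with a snapshot clean-up in the morning and a reboot in the afternoon does not trip it; forwarding shell.log to a SIEM and running this logic there avoids relying on a host the attacker already controls.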
To Sum Up
Cicada3301's rapid success and sophisticated tactics indicate that the group is led by experienced operators, possibly with roots in the ALPHV/BlackCat organisation. Their ability to target VMware ESXi systems with precision underscores a strategic intent to cause maximum disruption and leverage this chaos for financial gain.
As ransomware continues to evolve, organisations must remain vigilant, implementing robust security measures to protect against these increasingly sophisticated threats. The focus on ESXi environments highlights the need for comprehensive defences that extend beyond traditional endpoints to cover all aspects of an organisation's IT infrastructure.