Description
Cicada3301 is a new ransomware operation that targets Windows and Linux hosts, with a particular focus on VMware ESXi environments. It uses double-extortion tactics: data is stolen before devices are encrypted, so victims are pressured both by the outage and by the threat that the stolen data will be leaked if no ransom is paid.
Details
Cicada3301 began promoting its operation on the RAMP cybercrime forum on June 29, 2024, but attacks have been traced back to June 6, suggesting the operators were running intrusions themselves before recruiting affiliates. The ransomware is written in Rust and ships both a Windows encryptor and a Linux/VMware ESXi encryptor. It uses ChaCha20 together with RSA, the usual hybrid pairing in which the symmetric cipher encrypts file contents and the asymmetric key protects the per-file key so that only the attackers can recover it.

In VMware environments the encryptor shuts down running VMs and deletes their snapshots before encrypting. Both steps serve the attack: a powered-on VM holds locks on its disk files, so powering it off is what makes them writable, and removing snapshots takes away the cheapest rollback path. Encrypted files receive a random seven-character extension, and a ransom note named "RECOVER-[extension]-DATA.txt" is dropped, where [extension] is that same random string.

Similarities between Cicada3301 and ALPHV/BlackCat ransomware have been observed, suggesting a possible rebranding or collaboration. There is also evidence linking Cicada3301 to the Brutus botnet as a source of initial network access.
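The paragraph above gives two file-system indicators that can be checked without any signature feed: the random seven-character extension and the matching RECOVER-[extension]-DATA.txt note. The Python below, added here as an illustration and not code from the advisory or from any cited source, correlates the two so that a seven-character extension is only reported when a ransom note carrying the same token exists; that avoids flagging legitimate seven-character extensions such as .torrent. The sample paths are constructed, the file names and extension token are hypothetical, and the assumption that the token is alphanumeric is not stated on the page.

```python
import os
import re
import sys
from collections import defaultdict

# Cicada3301 (per the details above) appends a random seven-character extension
# to each encrypted file and drops ransom notes named RECOVER-<ext>-DATA.txt,
# where <ext> is that same extension. Assumption not stated on the page: the
# extension token is alphanumeric.
NOTE_RE = re.compile(r"^RECOVER-(?P<ext>[A-Za-z0-9]{7})-DATA\.txt$")
APPENDED_EXT_RE = re.compile(r"^(?P<orig>.+)\.(?P<ext>[A-Za-z0-9]{7})$")

# Constructed sample listing (hypothetical paths, not real IoCs) of an ESXi
# datastore after one VM folder has been hit. It includes an untouched VM and a
# legitimate seven-character extension to show why the correlation step matters.
SAMPLE_PATHS = [
    "/vmfs/volumes/datastore1/web01/RECOVER-k7Qz2pX-DATA.txt",
    "/vmfs/volumes/datastore1/web01/web01.vmdk.k7Qz2pX",
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk.k7Qz2pX",
    "/vmfs/volumes/datastore1/web01/web01.vmx.k7Qz2pX",
    "/vmfs/volumes/datastore1/db01/db01.vmdk",        # untouched VM
    "/vmfs/volumes/datastore1/iso/ubuntu.torrent",    # benign 7-char extension
]


def find_cicada_artifacts(paths):
    """Return {ext: {"notes": [...], "encrypted": [...]}} for every ransom-note
    extension token seen in `paths`.

    A file is reported as encrypted only when its trailing seven-character
    extension matches a token taken from an actual note; seven-character
    extensions with no corresponding note are ignored.
    """
    notes = defaultdict(list)
    candidates = defaultdict(list)
    for path in paths:
        name = os.path.basename(path)
        note = NOTE_RE.match(name)
        if note:
            notes[note.group("ext")].append(path)
            continue
        enc = APPENDED_EXT_RE.match(name)
        if enc:
            candidates[enc.group("ext")].append(path)
    return {
        ext: {"notes": note_paths, "encrypted": candidates.get(ext, [])}
        for ext, note_paths in notes.items()
    }


def scan_directory(root):
    """Walk a real directory tree (for example a mounted datastore) and run the check."""
    def all_files():
        for dirpath, _dirs, files in os.walk(root):
            for f in files:
                yield os.path.join(dirpath, f)
    return find_cicada_artifacts(all_files())


if __name__ == "__main__":
    # With a path argument, scan that tree; otherwise run on the constructed sample.
    report = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else find_cicada_artifacts(SAMPLE_PATHS)
    if not report:
        print("no Cicada3301-style ransom notes found")
    for ext, hit in report.items():
        print(f"extension .{ext}: {len(hit['notes'])} note(s), {len(hit['encrypted'])} encrypted file(s)")
        for p in hit["notes"] + hit["encrypted"]:
            print("   ", p)
```

Run against the sample the script reports one token, k7Qz2pX, with one note and three encrypted files; db01.vmdk and ubuntu.torrent are not listed. Because the check keys on the note rather than on the extension alone, it stays useful even though the extension is random per victim, which is the property that makes a static extension signature useless here.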
Indicators of Compromise (IoCs)
Organizations should monitor for the following indicators of compromise:
Remediation
To mitigate the risk posed by these attacks:
Immediate Actions:
Recovery and Mitigation:
Preventive Measures:
Long-term Strategy:
PDF Download: A New Threat Targeting Windows, Linux, and VMware ESXi Systems
References
Paganini, P. (2024, September 2). A new variant of Cicada ransomware targets VMware ESXi systems. Security Affairs. https://securityaffairs.com/167897/cyber-crime/a-new-variant-of-cicada-ransomware-targets-vmware-esxi-systems.html
Toulas, B. (2024, September 2). Linux version of new Cicada ransomware targets VMware ESXi servers. BleepingComputer. https://www.bleepingcomputer.com/news/security/cicada3301-ransomwares-linux-encryptor-targets-vmware-esxi-systems/