New Cicada Ransomware Variant Targets VMware ESXi

Date: September 3, 2024


A recently emerging ransomware-as-a-service (RaaS) operation is masquerading as the enigmatic Cicada 3301 organization, infamous for its cryptographic puzzles from 2012 to 2014.  

This cybercriminal group, despite adopting the Cicada 3301 name and logo, has no ties to the original project, which has publicly denounced any connection with the ransomware activity. The operation has already targeted 19 companies globally, posting them on its extortion portal.

Analysis suggests that this new ransomware shares significant similarities with the ALPHV/BlackCat ransomware, indicating a potential rebranding or a fork by former ALPHV developers, Bleeping Computer reports.  

Both ransomware variants are written in Rust, use the ChaCha20 encryption algorithm, and share other technical characteristics, such as VM shutdown commands and ransom note decryption methods.  

This resemblance points to a possible continuation of ALPHV's operations under a new guise, particularly after ALPHV's exit scam in March 2024, where they falsely claimed an FBI takedown and absconded with a $22 million payment.

Moreover, there are signs that the Cicada3301 ransomware group might be collaborating with the Brutus botnet operators, known for VPN brute-forcing activities.  

This botnet was first detected shortly after ALPHV's shutdown, suggesting a potential connection between the two.

Takeaway: Cicada3301, a threat actor group that emerged in June 2024, has quickly gained prominence by adopting a novel approach to ransomware operations that diverges from traditional ransomware tactics.

Until recently, it appeared that Cicada3301 was operating more as a data broker specializing in the exfiltration, sale, and distribution of stolen information rather than focusing on delivery of an encryption payload.

This approach highlights an emerging trend in ransomware operations with some groups moving towards sustained exploitation and profits through data monetization.  

The group exerts pressure on its victims by threatening to publicly release stolen data, but its primary goal does not appear to be extortion through ransom payments. Instead, Cicada3301 monetizes the exfiltrated data by selling it on dark web marketplaces.

Cicada3301's operations are characterized by their ability to infiltrate networks and steal valuable information, which is then auctioned off to the highest bidder. They maintain a leak site where samples of stolen data are published, serving as both a warning to potential victims and a marketing tool for prospective buyers.

Notably, Cicada3301 has targeted organizations with valuable intellectual property, proprietary business data, and sensitive client information, leading to significant operational disruptions and reputational harm.  

Cicada3301's attacks are typically marked by deep reconnaissance, exploitation of unpatched systems, and the use of custom scripts to infiltrate networks and exfiltrate large volumes of sensitive data.  

Their operations are highly sophisticated and underscore the fact that, for many organizations, the exfiltration of sensitive data may cause more damage than the delivery of a ransomware payload.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.