New ransomware group is hitting VMware ESXi systems hard
Researchers spot a new ransomware actor called Cicada3301
There is a new ransomware group out there, and it seems to be specifically targeting VMware’s ESXi hypervisors.
Cybersecurity researchers from Truesec have recently issued a warning about a threat actor called Cicada3301, which seems to be operating a ransomware encryptor of the same name.
The group looks to have picked up the name from the online cryptographic puzzle game that was popular roughly a decade ago, but other than that, there seems to be no connection between the two.
Truesec says that Cicada3301 has two encryptors, one for Windows devices and another for VMware ESXi. So far, the hackers have successfully compromised 19 victims, according to the information on its data leak site, BleepingComputer reports.
The same source also states that Cicada3301 most likely kicked off its operations in the first week of June this year and started recruiting affiliates of its own at the end of the same month. It also argues that the decision to target ESXi environments means the group is out to “maximize damage in enterprise environments,” since enterprises usually pay better.
Further analyzing the encryptor, the researchers found plenty of overlap between Cicada3301 and ALPHV/BlackCat, suggesting that it is either the same entity, simply rebranded, or a fork built by affiliates. Those with longer memories will remember BlackCat, an infamous Ransomware-as-a-Service (RaaS) which allegedly “took the money and ran” after a successful attack on Change Healthcare.
In late February and early March this year, healthcare giant Change Healthcare was targeted by an ALPHV affiliate. The company allegedly paid $22 million in cryptocurrency, in exchange for the decryptor and its data. However, the money never made it to the affiliates who did the work. Instead, the RaaS operators took all of it and simply disappeared. They shut down the entire infrastructure, pulled everything and vanished into thin air.
The affiliate that breached Change Healthcare, and was left holding a sizeable archive of the company's data, later rebranded as RansomHub and has since carried out a number of successful breaches.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.