New ransomware group is hitting VMware ESXi systems hard

There is a new ransomware group out there, and it seems to be specifically targeting VMware’s ESXi hypervisors.

Cybersecurity researchers from Truesec have recently issued a warning about a threat actor called Cicada3301, which seems to be operating a ransomware encryptor of the same name.

The group looks to have picked up the name from the online cryptographic puzzle game that was popular roughly a decade ago, but other than that, there seems to be no connection between the two.

Truesec says that Cicada3301 has two encryptors, one for Windows devices and another for VMware ESXi. So far, the hackers have compromised 19 victims, according to the information on the group's data leak site, BleepingComputer reports.

The same source also states that Cicada3301 most likely kicked off its operations in the first week of June this year and started recruiting affiliates of its own at the end of the same month. It also argues that the decision to target ESXi environments means the group is out to “maximize damage in enterprise environments,” since enterprises usually pay better.

Further analyzing the encryptor, the researchers found plenty of overlap between Cicada3301 and ALPHV/BlackCat, suggesting that it is either the same entity, just rebranded, or a fork built by affiliates. Those with longer memories will remember BlackCat, an infamous Ransomware-as-a-Service (RaaS) operation which allegedly “took the money and ran” after a successful attack on Change Healthcare.

In late February and early March this year, healthcare giant Change Healthcare was targeted by an ALPHV affiliate. The company allegedly paid $22 million in cryptocurrency, in exchange for the decryptor and its data. However, the money never made it to the affiliates who did the work. Instead, the RaaS operators took all of it and simply disappeared. They shut down the entire infrastructure, pulled everything and vanished into thin air.

The affiliate that breached Change Healthcare, and was left holding a sizeable archive of company data, later rebranded as RansomHub and has since carried out a number of successful breaches.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
