New ransomware group hits VMware ESXi systems hard
A new ransomware group is active that specifically targets VMware’s ESXi hypervisors.
Cybersecurity researchers at Truesec recently issued an alert about a threat actor named Cicada3301, who appears to be operating a ransomware encryptor of the same name.
The group appears to have taken its name from the online cryptography puzzle game that was popular about a decade ago, but otherwise there appears to be no connection between the two.
Truesec says that Cicada3301 has two encryptors, one for Windows devices and another for VMware ESXi. So far, the hackers have successfully compromised 19 victims, according to information on their data leak site, BleepingComputer reported.
The same source also states that Cicada3301 most likely commenced operations in the first week of June this year and began recruiting its own affiliates towards the end of the same month. It also claims that the decision to target ESXi environments means that the group is looking to “maximize damage in enterprise environments,” as enterprises tend to pay better.
Upon further analysis of the encryptor, researchers found a lot of overlap between Cicada3301 and ALPHV/BlackCat, suggesting that it is either the same entity, simply rebranded, or a fork built by affiliates. Those with a longer memory will remember BlackCat, a notorious Ransomware-as-a-Service (RaaS) that reportedly “took the money and ran” after successfully attacking Change Healthcare.
In late February and early March of this year, healthcare giant Change Healthcare was targeted by an ALPHV affiliate. The company reportedly paid $22 million in cryptocurrency in exchange for the decryptor and the stolen data. However, the money never made it to the affiliates that did the work. Instead, the RaaS operators took everything and simply disappeared: they shut down the entire infrastructure, ripped everything out, and vanished into thin air.
The affiliate that hacked Change Healthcare, left holding a significant archive of corporate data, was later rebranded as RansomHub and has since carried out a number of successful hacks.