Security researchers have uncovered a new double-extortion ransomware operation with distinct links to the ALPHV/BlackCat variant and the Brutus botnet.
Dubbed “Cicada3301” after an online cryptography game, the group targets VMware ESXi environments with a view to shutting down VMs, deleting snapshots and encrypting data, according to Truesec.
According to the researchers, the group’s first data leak site post came on June 25, followed four days later by an invitation on the cybercrime forum Ramp for budding affiliates to join the platform.
The report noted that only a few groups are known to have used ESXi ransomware written in Rust, with the now-defunct ALPHV group one of them.
Other similarities between the two include:
- Both use ChaCha20 for encryption
- Both use almost identical commands to shut down VMs and remove snapshots
- Both use the --ui command-line parameter to display graphical output during encryption
- Both use the same ransom note naming convention, with Cicada3301 changing RECOVER-<ransomware extension>-FILES.txt to RECOVER-<ransomware extension>-DATA.txt
- Both use the key parameter in the same way to decrypt the ransom note
“The initial attack vector was the threat actor using valid credentials, either stolen or brute forced, to log in using ScreenConnect,” explained Truesec.
“The IP address 91.92.249.203, used by the threat actor, has been tied to a botnet known as ‘Brutus’ that in turn has been linked to a broad campaign of password-guessing various VPN solutions, including ScreenConnect.”
Truesec suggested that Brutus and Cicada3301 could be connected, as could ALPHV and Cicada3301, although it is also possible that a separate group bought the ALPHV source code when that RaaS operation shut down in March.
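Detection logic for the behaviours described above, as an added example that is not from the Truesec report or this article: it flags ESXi shell-log lines that stop guests, drop snapshots or invoke an encryptor with --ui, classifies ransom note file names by the FILES/DATA suffix, and raises alerts for password guessing and for a successful login from the Brutus IP. Only the IP address and the note naming pattern come from the article; the ESXi command strings, the encryptor path, the log format and the login records are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IOC named in the article (Truesec): source IP tied to the Brutus botnet.
BRUTUS_IP = "91.92.249.203"

# Assumed ESXi command patterns (not quoted by the article): common ways
# ESXi ransomware stops guests and removes snapshots before encrypting datastores.
ESXI_PATTERNS = {
    "vm_shutdown": re.compile(r"\besxcli\s+vm\s+process\s+kill\b"),
    "snapshot_removal": re.compile(r"\bvim-cmd\s+vmsvc/snapshot\.remove(?:all)?\b"),
    "encryptor_ui_flag": re.compile(r"(?:^|\s)--ui\b"),
}

# Ransom note names from the article: ALPHV used RECOVER-<ext>-FILES.txt,
# Cicada3301 switched to RECOVER-<ext>-DATA.txt.
NOTE_RE = re.compile(r"^RECOVER-([A-Za-z0-9]+)-(FILES|DATA)\.txt$")


def classify_ransom_note(filename):
    """Return ('alphv' | 'cicada3301', ext) for a matching note name, else None."""
    m = NOTE_RE.match(filename)
    if not m:
        return None
    ext, suffix = m.groups()
    return ("alphv" if suffix == "FILES" else "cicada3301", ext)


def scan_esxi_shell_log(lines):
    """Return (line_number, tag, line) for each shell-log line matching an ESXi pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tag, pat in ESXI_PATTERNS.items():
            if pat.search(line):
                hits.append((n, tag, line.strip()))
    return hits


def flag_logins(records, window=timedelta(minutes=10), threshold=5):
    """records: (iso_timestamp, src_ip, user, success). Returns a list of alerts.

    Alerts on a successful login from the Brutus IP, and on password guessing
    when one IP reaches `threshold` failures inside a sliding `window`.
    """
    alerts = []
    failures = defaultdict(list)
    for ts, ip, user, success in sorted(records):
        t = datetime.fromisoformat(ts)
        if success and ip == BRUTUS_IP:
            alerts.append(("known_botnet_ip_login", ip, user))
        if not success:
            failures[ip] = [x for x in failures[ip] if t - x <= window] + [t]
            if len(failures[ip]) == threshold:
                alerts.append(("password_guessing", ip, user))
    return alerts


# Constructed sample ESXi shell-log lines (not real telemetry); the encryptor
# path /tmp/encryptor is an assumption.
SAMPLE_SHELL_LOG = [
    "2024-06-25T03:11:02Z shell[12345]: [root]: esxcli vm process list",
    "2024-06-25T03:11:09Z shell[12345]: [root]: esxcli vm process kill --type=force --world-id=2101234",
    "2024-06-25T03:11:15Z shell[12345]: [root]: vim-cmd vmsvc/snapshot.removeall 12",
    "2024-06-25T03:12:40Z shell[12345]: [root]: /tmp/encryptor --ui /vmfs/volumes",
    "2024-06-25T03:30:00Z shell[12345]: [root]: ls /vmfs/volumes/datastore1",
]

# Constructed ScreenConnect-style login records: five failures then a success
# from the Brutus IP, plus one ordinary login.
SAMPLE_LOGINS = [
    ("2024-06-20T01:00:00", BRUTUS_IP, "admin", False),
    ("2024-06-20T01:00:07", BRUTUS_IP, "admin", False),
    ("2024-06-20T01:00:13", BRUTUS_IP, "admin", False),
    ("2024-06-20T01:00:20", BRUTUS_IP, "admin", False),
    ("2024-06-20T01:00:26", BRUTUS_IP, "admin", False),
    ("2024-06-20T01:00:33", BRUTUS_IP, "admin", True),
    ("2024-06-20T08:15:00", "10.0.0.5", "jsmith", True),
]

if __name__ == "__main__":
    for hit in scan_esxi_shell_log(SAMPLE_SHELL_LOG):
        print("ESXi:", hit)
    for alert in flag_logins(SAMPLE_LOGINS):
        print("Login:", alert)
    print(classify_ransom_note("RECOVER-abc123-DATA.txt"))
```

The VM kill and snapshot removal commands are legitimate administrative actions, so the useful signal is the sequence (kill, snapshot removal, then an unknown binary run from a writable path) within a short window, not any single hit; the ransom note check is a post-incident attribution aid rather than a preventive control.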
For their part, the owners of the original Cicada3301 game released a statement distancing themselves from the new RaaS group.
The ALPHV/BlackCat group appeared to conduct a classic exit scam after receiving a massive $22m ransom from Change Healthcare at the start of the year, leaving affiliates high and dry.