Cicada3301 ransomware's Linux encryptor specifically targets VMware ESXi systems

A new ransomware-as-a-service (RaaS) operation named Cicada3301 has already listed 19 victims on its extortion portal as it rapidly attacks organizations worldwide. The new cybercrime operation is named after the mysterious 2012-2014 online/real-world game that involved elaborate cryptographic puzzles, and it uses the same logo for advertising on cybercrime forums.

However, there is no relationship between the two, and the original puzzle project has issued a statement disavowing any association and condemning the ransomware operators' activities. The Cicada3301 RaaS first began promoting the operation and recruiting affiliates on June 29, 2024, in a forum post on the ransomware and cybercrime forum known as RAMP. However, Cicada attacks are known from as early as June 6, indicating that the group was operating independently before attempting to recruit partners.

Like other ransomware operations, Cicada3301 uses double-extortion tactics: it breaches corporate networks, steals data, and then encrypts devices. The encryption key and the threat of leaking the stolen data are then used as leverage to pressure targets into paying a ransom. The threat actors operate a data leak site that is used as part of their double-extortion scheme.

An analysis of the new malware by Truesec revealed considerable overlaps between Cicada3301 and ALPHV/BlackCat, suggesting a potential rebrand or a fork created by former members of ALPHV's core team.

This is based on the fact that:

  • Both are written in Rust.
  • Both use the ChaCha20 algorithm for encryption.
  • Both use identical VM shutdown and snapshot-wiping commands.
  • Both use the same user interface command parameters, the same file naming convention, and the same ransom note decryption procedure.
  • Both use intermittent encryption on larger files.

For context, ALPHV conducted an exit scam before March 2024 involving fake claims of an FBI takedown operation, after stealing a $22 million Change Healthcare ransom payment from one of its affiliates. Truesec has also found indications that the Cicada3301 ransomware operation may be partnering with or using the Brutus botnet for initial access to corporate networks. That botnet was previously linked to global-scale VPN brute-forcing activity targeting Cisco, Fortinet, Palo Alto, and SonicWall devices. It is worth noting that the Brutus activity was first spotted two weeks after ALPHV shut down operations, so the timelines are consistent with a connection between the two.

Another emerging threat to VMware ESXi

Cicada3301 is a Rust-based ransomware operation with both Windows and Linux/VMware ESXi encryptors. As part of Truesec's report, the researchers examined the operation's VMware ESXi Linux encryptor. Like BlackCat and other ransomware families such as RansomHub, a unique key must be supplied as a command-line argument to launch the encryptor. This key is used to decrypt an encrypted JSON blob that contains the configuration the encryptor will use when encrypting a machine.

Truesec states that the encryptor verifies the key by using it to decrypt the ransom note and, if successful, proceeds with the rest of the encryption routine. Its main function (linux_enc) uses the ChaCha20 stream cipher for file encryption and then encrypts the symmetric key used in the process with an RSA key. The encryption keys are generated randomly using the 'OsRng' function.

Cicada3301 targets specific file extensions matching documents and media files, and checks their size to decide where to apply intermittent encryption (>100MB) and where to encrypt the entire file contents (<100MB). When encrypting files, the encryptor appends a random seven-character extension to the file name and creates ransom notes named 'RECOVER-[extension]-DATA.txt,' as shown below. It should be noted that BlackCat/ALPHV encryptors also used random seven-character extensions and a ransom note named 'RECOVER-[extension]-FILES.txt.'

The ransomware's operators can set a sleep parameter to delay the encryptor's execution, potentially to avoid immediate detection. A "no_vm_ss" parameter also instructs the malware to encrypt VMware ESXi virtual machines without attempting to shut them down first. By default, however, Cicada3301 first uses ESXi's 'esxcli' and 'vim-cmd' commands to shut down virtual machines and delete their snapshots before encrypting data.
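As an added defender-side illustration (not code from the article or the Truesec report) of how the two behaviours described above could be surfaced: the mass VM shutdown and snapshot wiping performed through 'esxcli'/'vim-cmd', and the ransom note naming convention that distinguishes Cicada3301 ('RECOVER-[extension]-DATA.txt') from BlackCat/ALPHV ('RECOVER-[extension]-FILES.txt'). The specific subcommands matched (vmsvc/power.off, vmsvc/snapshot.removeall, esxcli vm process kill) are assumed typical invocations rather than values from the report, and the ESXi shell.log-style lines are constructed for the demo.

```python
import re

# Shutdown / snapshot-wiping commands the article says Cicada3301 runs on ESXi
# before encrypting. The exact subcommands are assumed typical invocations, not
# values taken from the Truesec report.
ESXI_COMMAND_PATTERNS = {
    "vm_poweroff": re.compile(r"vim-cmd\s+vmsvc/power\.off\s+(\d+)"),
    "snapshot_removeall": re.compile(r"vim-cmd\s+vmsvc/snapshot\.removeall\s+(\d+)"),
    "vm_process_kill": re.compile(r"esxcli\s+vm\s+process\s+kill\b"),
}

# Ransom note names from the article: RECOVER-<ext>-DATA.txt (Cicada3301) and
# RECOVER-<ext>-FILES.txt (BlackCat/ALPHV), <ext> a random seven-character string.
RANSOM_NOTE_RE = re.compile(
    r"(?:^|/)RECOVER-(?P<ext>[A-Za-z0-9]{7})-(?P<fam>DATA|FILES)\.txt$")

def scan_shell_log(lines):
    """Return (line_no, kind, vm_id) for each shutdown/snapshot command seen."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, pat in ESXI_COMMAND_PATTERNS.items():
            m = pat.search(line)
            if m:
                findings.append((n, kind, m.group(1) if m.groups() else None))
    return findings

def mass_shutdown(findings, min_vms=2):
    """True when snapshots were wiped and >= min_vms distinct VMs were powered off."""
    off = {vm for _, kind, vm in findings if kind == "vm_poweroff"}
    wiped = any(kind == "snapshot_removeall" for _, kind, _ in findings)
    return wiped and len(off) >= min_vms

def classify_ransom_note(path):
    """Map a ransom-note file name to the family the article associates with it."""
    m = RANSOM_NOTE_RE.search(path)
    if not m:
        return None
    family = "Cicada3301" if m.group("fam") == "DATA" else "BlackCat/ALPHV"
    return family, m.group("ext")

# Constructed ESXi shell.log-style lines for the demo (not real telemetry).
SAMPLE_SHELL_LOG = """\
2024-06-06T03:12:01Z shell[2098821]: [root]: vim-cmd vmsvc/getallvms
2024-06-06T03:12:04Z shell[2098821]: [root]: vim-cmd vmsvc/snapshot.removeall 5
2024-06-06T03:12:05Z shell[2098821]: [root]: vim-cmd vmsvc/power.off 5
2024-06-06T03:12:06Z shell[2098821]: [root]: vim-cmd vmsvc/snapshot.removeall 7
2024-06-06T03:12:07Z shell[2098821]: [root]: vim-cmd vmsvc/power.off 7
2024-06-06T03:12:09Z shell[2098821]: [root]: esxcli vm process kill --type=force --world-id=2101512
""".splitlines()
```

Running scan_shell_log over the sample flags five commands and mass_shutdown returns True, the pattern a defender would alert on when it appears shortly before new RECOVER-*-DATA.txt files land on a datastore.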

Cicada3301's tactics and the speed of its success point to a professional actor who knows what they are doing, further supporting the hypothesis of an ALPHV reboot, or at least the use of affiliates with prior ransomware experience. The new ransomware's focus on ESXi environments highlights its strategic design to maximize damage in the enterprise environments that many threat actors now target for lucrative profits. By combining file encryption with the ability to disrupt VM operations and eliminate recovery options, Cicada3301 delivers a high-impact attack that affects whole networks and infrastructures, maximizing the pressure placed on victims.