
Julia Mutzbauer
Editorial Manager at CSO

New ALPHV-like ransomware targets VMware ESXi servers

News
04 Sep 2024
Ransomware

Security researchers have discovered a ransomware group called Cicada3301 that specializes in targeting ESXi and Windows servers, using techniques and code very similar to ALPHV/BlackCat.

[Image: Riley's 13-year cicada (Magicicada tredecim), Raleigh, North Carolina. Credit: samray / Shutterstock]

Researchers at Truesec recently discovered a new ransomware-as-a-service group called Cicada3301. The gang provides its affiliates with a double-extortion platform that combines a ransomware component with a data-leak component. According to the research report, Cicada3301 first appeared in June 2024 and specializes in Windows and Linux ESXi hosts.

Similarities to ALPHV

In their analysis, the security researchers found that the group has similarities to the now-defunct cybergang ALPHV (also known as BlackCat), noting that both the Cicada3301 and ALPHV ransomware are written in Rust and use ChaCha20 for encryption. They also use nearly identical commands for shutting down VMs and removing snapshots, and “both use -ui command parameters to provide a graphic output on encryption,” the researchers wrote.

The group takes its name from Cicada 3301, an infamous “internet mystery” that involved three sets of puzzles launched online from 2012 to 2014.

In the attack investigated by the researchers, the hackers used valid ScreenConnect login credentials for the initial break-in. The criminals’ IP address was traced back to a botnet called “Brutus.” According to the report, Brutus is linked to a larger credential stuffing campaign on various VPN programs, including ScreenConnect.

A critical ScreenConnect flaw was seen exploited in the wild earlier this year.

Since the IP address had only been observed a few hours earlier, the researchers assume that the credentials were not sold on in that short time. They also discovered another clue that could indicate a connection with the ALPHV gang: the Brutus botnet activity started around two weeks after ALPHV disappeared from the scene with a final scam.