{"id":131,"date":"2024-09-04T19:13:23","date_gmt":"2024-09-04T19:13:23","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=131"},"modified":"2024-09-04T19:13:23","modified_gmt":"2024-09-04T19:13:23","slug":"new-alphv-like-ransomware-targets-vmware-esxi-servers","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=131","title":{"rendered":"New ALPHV-like ransomware targets VMware ESXi servers"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Researchers at\u00a0Truesec\u00a0recently discovered a new ransomware-as-a-service group called Cicada3301. The gang provides its affiliates with a dual extortion platform that includes both a ransomware and a data leakage side. According to the <a href=\"https:\/\/www.truesec.com\/hub\/blog\/dissecting-the-cicada\">research report<\/a>, Cicada3301 first appeared in June 2024 and specializes in Windows and Linux\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/574479\/massive-ransomware-attack-targets-vmware-esxi-servers-worldwide.html\" target=\"_blank\" rel=\"noopener\">ESXi<\/a>\u00a0hosts.<\/p>\n<h2 class=\"wp-block-heading\">Similarities to ALPHV<\/h2>\n<p>In their analysis, the security researchers found that the group has similarities to the <a href=\"https:\/\/www.csoonline.com\/article\/2121702\/emerging-ransomware-groups-on-the-rise-who-they-are-how-they-operate.html\">now-defunct cybergang ALPHV<\/a> (also known as BlackCat), noting that both Cicada3301 and ALPHV ransomware have been written in Rust and use ChaCha20 for encryption. 
They also use nearly identical commands for shutting down VMs and removing snapshots, and \u201cboth use -ui command parameters to provide a graphic output on encryption,\u201d the researchers wrote.<\/p>\n<p>The group takes its name from Cicada 3301, an infamous \u201c<a href=\"https:\/\/www.youtube.com\/watch?v=I2O7blSSzpI\">internet mystery<\/a>\u201d that involved three sets of puzzles launched online from 2012 to 2014.<\/p>\n<p>In the attack investigated by the researchers, the hackers used valid ScreenConnect login credentials for the initial break-in. The criminals\u2019 IP address was traced back to a botnet called \u201cBrutus.\u201d According to the report, Brutus is linked to a larger credential stuffing campaign on various VPN programs, including ScreenConnect.<\/p>\n<p>A critical ScreenConnect flaw was seen <a href=\"https:\/\/www.csoonline.com\/article\/1309007\/critical-connectwise-screenconnect-flaw-exploited-in-the-wild.html\">exploited in the wild<\/a> earlier this year.<\/p>\n<p>Since the IP address had been observed only a few hours earlier, the researchers assume that the credentials were not sold on in that short time. They also discovered another clue that could indicate a connection with the ALPHV gang: the Brutus botnet activities started around two weeks after ALPHV disappeared from the scene with a final scam.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Researchers at\u00a0Truesec\u00a0recently discovered a new ransomware-as-a-service group called Cicada3301. The gang provides its affiliates with a dual extortion platform that includes both a ransomware and a data leakage side. According to the research report, Cicada3301 first appeared in June 2024 and specializes in Windows and Linux\u00a0ESXi\u00a0hosts. 
Similarities to ALPHV In their analysis, the security researchers [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":132,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-131","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/131"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=131"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/131\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/132"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=131"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=131"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}