VMware ESXi Servers Targeted by Cicada3301 RaaS Gang

Security Affairs reports that intrusions by the new Cicada3301 ransomware-as-a-service gang aimed at VMware ESXi servers have compromised nearly two dozen organizations since mid-June.

According to a Truesec report, the RaaS operation's attacks begin with access to ScreenConnect using stolen or brute-forced credentials, from an IP address previously associated with the Brutus botnet, after which the Cicada3301 ransomware is distributed. The ransomware offers parameters that allow deferred execution, real-time monitoring of the encryption process, and encryption of files even while virtual machines are running.

"After the encryption is done, the ransomware encrypts the ChaCha20 key with the provided RSA key and finally writes the extension to the encrypted file. The file extension is also added to the end of the encrypted file together with the RSA encrypted ChaCha20 key," said researchers.
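The layout the researchers describe (encrypted body, then the RSA-wrapped ChaCha20 key, then the extension appended at the end of the file) is something an incident responder can check for during triage. The following is an added Python example, not code from the article or from Truesec: it splits a candidate file into body and key blob according to that described order and uses byte entropy to confirm the body is actually ciphertext. The 256-byte key-blob size (a 2048-bit RSA modulus), the `.locked` marker and the sample files are all constructed assumptions; the page gives none of these values.

```python
import math
import random


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext or compressed data,
    far lower for text and most document formats."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def split_encrypted_file(data: bytes, marker: bytes, wrapped_key_len: int = 256):
    """Split `data` into (body, wrapped_key) following the order Truesec describes:
    encrypted body, then the RSA-encrypted ChaCha20 key, then the extension marker.
    The key-blob length (256 bytes = 2048-bit RSA modulus) and the marker value are
    assumptions, not values from the report. Returns None if the layout does not match."""
    if not data.endswith(marker):
        return None
    without_marker = data[:-len(marker)]
    if len(without_marker) < wrapped_key_len:
        return None
    return without_marker[:-wrapped_key_len], without_marker[-wrapped_key_len:]


def triage(data: bytes, marker: bytes, wrapped_key_len: int = 256) -> dict:
    """Summarise whether a file matches the assumed layout and whether its body
    looks encrypted (high entropy) rather than merely renamed."""
    parts = split_encrypted_file(data, marker, wrapped_key_len)
    if parts is None:
        return {"matches_layout": False}
    body, wrapped_key = parts
    body_entropy = shannon_entropy(body)
    return {
        "matches_layout": True,
        "body_len": len(body),
        "body_entropy": round(body_entropy, 2),
        "key_blob_entropy": round(shannon_entropy(wrapped_key), 2),
        "looks_encrypted": body_entropy > 7.5,
    }


# Constructed samples (not real artefacts): a plaintext document, and a synthetic
# file built in the assumed layout from pseudo-random bytes plus a placeholder marker.
MARKER = b".locked"
_rng = random.Random(1234)
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat.\n" * 90
ENCRYPTED_SAMPLE = (
    bytes(_rng.getrandbits(8) for _ in range(4096))   # stand-in for the ChaCha20 body
    + bytes(_rng.getrandbits(8) for _ in range(256))  # stand-in for the RSA-wrapped key
    + MARKER
)

if __name__ == "__main__":
    print("encrypted sample:", triage(ENCRYPTED_SAMPLE, MARKER))
    print("plaintext sample:", triage(PLAINTEXT, MARKER))
```

The entropy check matters because a file that merely carries the extension but still has low-entropy content was not encrypted, which changes both the recovery options and the timeline you reconstruct.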

Further analysis revealed that Cicada3301 not only had the same programming language, encryption technique, and file naming convention, but also similar VM shutdown and snapshot removal commands as the now-defunct ALPHV/BlackCat ransomware.
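Because the VM shutdown and snapshot removal commands are a shared trait of this family, a burst of such commands in an ESXi host's shell history is a useful detection point. The following is an added Python example, not code from the article, Truesec, or the ransomware: it parses lines in the layout of ESXi's `/var/log/shell.log` and raises an alert when snapshot removal or power-off commands hit several distinct VMs within a short window. The page does not list Cicada3301's exact commands; the `vim-cmd vmsvc/snapshot.removeall` and `vim-cmd vmsvc/power.off` patterns are the standard ESXi tools such activity would use and are an assumption, as are the constructed sample log lines.

```python
import re
from datetime import datetime, timedelta

# Layout of ESXi /var/log/shell.log lines: "<ISO timestamp>Z shell[pid]: [user]: <command>"
SHELL_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)

# Commands typically used to strip snapshots and stop VMs before datastore encryption.
# Assumed generic ESXi commands; the article does not list Cicada3301's own.
PATTERNS = {
    "snapshot_remove": re.compile(r"vim-cmd\s+vmsvc/snapshot\.removeall\s+(?P<vmid>\d+)"),
    "power_off": re.compile(r"vim-cmd\s+vmsvc/power\.off\s+(?P<vmid>\d+)"),
}


def parse_events(lines):
    """Return sorted (timestamp, user, kind, vmid) tuples for each matching command."""
    events = []
    for line in lines:
        m = SHELL_LINE.match(line.strip())
        if not m:
            continue
        for kind, pat in PATTERNS.items():
            hit = pat.search(m["cmd"])
            if hit:
                ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
                events.append((ts, m["user"], kind, hit["vmid"]))
    events.sort()
    return events


def find_burst(lines, window=timedelta(seconds=120), min_vms=3):
    """Return an alert dict for the first window in which snapshot-removal or
    power-off commands touch at least `min_vms` distinct VMs, else None."""
    events = parse_events(lines)
    for i, (start, user, _, _) in enumerate(events):
        in_window = [e for e in events[i:] if e[0] - start <= window]
        vm_ids = {e[3] for e in in_window}
        if len(vm_ids) >= min_vms:
            return {
                "start": start,
                "end": in_window[-1][0],
                "user": user,
                "vm_ids": sorted(vm_ids, key=int),
                "kinds": sorted({e[2] for e in in_window}),
            }
    return None


# Constructed sample logs (not real captures).
SAMPLE_ATTACK = [
    "2024-06-20T03:12:01Z shell[2101]: [root]: vim-cmd vmsvc/getallvms",
    "2024-06-20T03:12:09Z shell[2101]: [root]: vim-cmd vmsvc/snapshot.removeall 12",
    "2024-06-20T03:12:11Z shell[2101]: [root]: vim-cmd vmsvc/power.off 12",
    "2024-06-20T03:12:15Z shell[2101]: [root]: vim-cmd vmsvc/snapshot.removeall 13",
    "2024-06-20T03:12:17Z shell[2101]: [root]: vim-cmd vmsvc/power.off 13",
    "2024-06-20T03:12:22Z shell[2101]: [root]: vim-cmd vmsvc/snapshot.removeall 17",
    "2024-06-20T03:12:24Z shell[2101]: [root]: vim-cmd vmsvc/power.off 17",
]
SAMPLE_BENIGN = [
    "2024-06-19T14:05:44Z shell[1887]: [root]: vim-cmd vmsvc/getallvms",
    "2024-06-19T14:06:10Z shell[1887]: [root]: vim-cmd vmsvc/snapshot.removeall 12",
    "2024-06-19T14:30:02Z shell[1887]: [root]: vim-cmd vmsvc/power.off 13",
]

if __name__ == "__main__":
    print("attack sample:", find_burst(SAMPLE_ATTACK))
    print("benign sample:", find_burst(SAMPLE_BENIGN))
```

The window and VM-count thresholds should be tuned to the host's normal maintenance patterns; a single snapshot consolidation or power-off is routine, while several VMs losing their snapshots and being stopped within a couple of minutes from one shell session is not.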