Security researchers have uncovered new double extortion ransomware with distinct links to the ALPHV/BlackCat variant and the Brutus botnet.
Dubbed “Cicada3301” after an online cryptography game, the group targets VMware ESXi environments with a view to shutting down VMs, deleting snapshots and encrypting data, according to Truesec.
According to the researchers, the group’s first data leak site post came on June 25, followed by an invitation to budding affiliates four days later to join the platform, on the cybercrime forum Ramp.
The report noted that only a few groups are known to have used ESXi ransomware written in Rust, with the now-defunct ALPHV group one of them.
Other similarities between the groups include:
- Both use ChaCha20 for encryption
- Both use almost identical commands to shut down VMs and remove snapshots
- Both use --ui command parameters to produce a graphic output on encryption
- Both use the same convention for naming files, with Cicada3301 changing “RECOVER-[ransomware extension]-FILES.txt” to “RECOVER-[ransomware extension]-DATA.txt”
- Both use the key parameter in the same way to decrypt the ransomware note
“The initial attack vector was the threat actor using valid credentials, either stolen or brute forced, to log in using ScreenConnect,” explained Truesec.
“The IP address 91.92.249.203, used by the threat actor, has been tied to a botnet known as ‘Brutus’ that in turn has been linked to a broad campaign of password-guessing against various VPN solutions, including ScreenConnect.”
Truesec suggested that the two entities could be linked, as could ALPHV and Cicada3301, although it is also theoretically possible that a separate group bought the source code when the RaaS operation shut down in March.
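The initial access path Truesec describes, credentials brute forced and then used to log in through ScreenConnect, is something a defender can alert on. The following is an added example, not code from Truesec or from the article: it scans constructed authentication log lines for the 91.92.249.203 indicator quoted above and for a burst of failed logins followed by a success from a single source. The log line format, the failure threshold and the time window are assumptions; real ScreenConnect audit logs need their own parser.

```python
"""Flag the brute-force-then-login pattern behind the Cicada3301 intrusion.

The log format used here (timestamp, source IP, user, result) is constructed
for this example; adapt parse() to the real audit log you collect."""
from collections import defaultdict
from datetime import datetime, timedelta

# The only indicator the report gives: the IP tied to the Brutus botnet.
KNOWN_BAD_IPS = {"91.92.249.203"}

# Constructed sample: a password-guessing burst from the known IP that ends in
# a successful login, plus an unrelated user who mistyped a password once.
SAMPLE_LOG = """\
2024-06-20T01:00:05Z 91.92.249.203 admin FAIL
2024-06-20T01:00:07Z 91.92.249.203 admin FAIL
2024-06-20T01:00:09Z 91.92.249.203 admin FAIL
2024-06-20T01:00:11Z 91.92.249.203 admin FAIL
2024-06-20T01:00:14Z 91.92.249.203 admin FAIL
2024-06-20T01:00:16Z 91.92.249.203 admin SUCCESS
2024-06-20T09:15:00Z 10.0.0.5 jdoe FAIL
2024-06-20T09:15:20Z 10.0.0.5 jdoe SUCCESS
"""


def parse(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect(log_text, fail_threshold=5, window=timedelta(minutes=10)):
    """Return one alert tuple per source IP that is a known indicator, and one
    per source IP whose success followed >= fail_threshold failures inside
    `window`. Thresholds are assumed values, not from the report."""
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    already = set()               # (alert_kind, ip) pairs already raised
    for line in log_text.splitlines():
        ts, ip, user, result = parse(line)
        if ip in KNOWN_BAD_IPS and ("ioc", ip) not in already:
            already.add(("ioc", ip))
            alerts.append(("known_bad_ip", ip, user))
        if result == "FAIL":
            failures[ip].append(ts)
            # keep only failures that fall inside the sliding window
            failures[ip] = [t for t in failures[ip] if ts - t <= window]
        elif result == "SUCCESS":
            if len(failures[ip]) >= fail_threshold and ("bf", ip) not in already:
                already.add(("bf", ip))
                alerts.append(("brute_force_then_success", ip, user))
            failures[ip].clear()
    return alerts
```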
For their part, the owners of the original Cicada3301 game released a statement distancing themselves from the new RaaS group.
The ALPHV/BlackCat group appeared to conduct a classic exit scam after receiving a massive $22m ransom from Change Healthcare at the start of the year, leaving affiliates high and dry.
Read more on ALPHV/BlackCat: BlackCat Ransomware Gang Targets Businesses Through Google Ads