2024-08-30 Cicada ESXi Ransomware Sample
Cicada3301, a ransomware group first detected in June 2024, appears to be either a rebranded or derivative version of the ALPHV ransomware group, employing a ransomware-as-a-service (RaaS) model. The ransomware, written in Rust, targets both Windows and Linux/ESXi environments, utilizing ChaCha20 for encryption. Technical analysis reveals several key similarities with ALPHV: both use nearly identical command structures for shutting down VMs and removing snapshots, and share a similar file-naming convention. The ransomware's binary is an ELF file, with its Rust origin confirmed through string references and investigation of the .comment section.
Key parameters include sleep, which delays the ransomware's execution, and ui, which displays the encryption progress on the screen. The key parameter is crucial for decryption; if it's not provided or incorrect, the ransomware will stop running. The main function, linux_enc, starts the encryption process by generating a random key using OsRng. Files larger than 100 MB are encrypted in parts, while smaller files are encrypted entirely using ChaCha20. The ChaCha20 key is then secured with an RSA public key and added, along with a specific file extension, to the end of the encrypted file.
Initial access appears to be facilitated by the Brutus botnet, with threat actors using stolen or brute-forced credentials to gain entry via ScreenConnect. The IP address associated with this attack is tied to the Brutus botnet, raising the possibility of a direct connection between the botnet operators and Cicada3301. The ransomware also features a decryption check routine, where an encoded and encrypted ransomware note stored within the binary is decrypted using the provided key, validating the correct decryption.
The article didn't include any hashes, only the YARA rule. While this sample doesn't trigger a match with the rule, I believe it's the same malware