New ALPHV-like ransomware targets VMware ESXi servers
Researchers at Trusec recently discovered a new ransomware-as-a-service (RaaS) group called Cicada3301. The group provides its affiliates with a double-extortion platform: a ransomware payload plus a data-leak site used to pressure victims with stolen data. According to the research report, Cicada3301 first appeared in June 2024 and ships builds for both Windows hosts and Linux/ESXi hosts.
Similarities to ALPHV
In their analysis, the security researchers found that the group has similarities to the now-defunct cybergang ALPHV (also known as BlackCat), noting that both Cicada3301 and ALPHV ransomware have been written in Rust and use ChaCha20 for encryption. They also use nearly identical commands for shutting down VMs and removing snapshots, and “both use -ui command parameters to provide a graphic output on encryption,” the researchers wrote.
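The VM-kill and snapshot-removal behaviour described above is also the most useful hunting signal for defenders, because an affiliate has to stop running VMs and purge snapshots before the VMFS volumes can be encrypted. The following is an added example, not code from the Truesec report or from either ransomware family: it scans constructed ESXi shell-history lines (the format mirrors /var/log/shell.log but the entries are made up) and flags any shell session that issues both a forced VM kill and a snapshot purge within a short window. The specific commands it matches (`esxcli vm process kill`, `vim-cmd vmsvc/snapshot.removeall`) and the `--ui` flag are assumptions based on common ESXi CLI usage; the report does not reproduce the exact command lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of an ESXi /var/log/shell.log.
# Timestamps, PIDs and commands are made up for this example; the binary
# name "encryptor" and the "--ui" flag are assumptions, not from the report.
SAMPLE_LOG = """\
2024-06-10T03:12:01Z shell[2001]: [root]: esxcli vm process list
2024-06-10T03:12:04Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2100881
2024-06-10T03:12:05Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2100902
2024-06-10T03:12:09Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2024-06-10T03:12:10Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.removeall 14
2024-06-10T03:12:40Z shell[2001]: [root]: ./encryptor --ui /vmfs/volumes
2024-06-11T09:00:00Z shell[2310]: [root]: esxcli vm process list
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# Command patterns whose combination inside one session is suspicious.
# A lone "esxcli vm process list" is routine admin work and is not tagged.
PATTERNS = {
    "vm_kill": re.compile(r"esxcli vm process kill"),
    "snapshot_removeall": re.compile(r"vim-cmd vmsvc/snapshot\.removeall"),
    "ui_flag": re.compile(r"\s--?ui\b"),  # assumed "-ui"/"--ui" progress flag
}


def parse_line(line):
    """Parse one shell.log-style line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def tag(cmd):
    """Return the set of pattern names that match a command line."""
    return {name for name, rx in PATTERNS.items() if rx.search(cmd)}


def find_suspicious_sessions(log_text, window=timedelta(minutes=5)):
    """Return (pid, first_ts, tags) for each shell session in which a forced
    VM kill and a snapshot purge occur within `window` of each other.
    Other tagged commands seen in the same window are included in `tags`."""
    by_pid = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        tags = tag(rec["cmd"])
        if tags:
            by_pid[rec["pid"]].append((rec["ts"], tags))

    hits = []
    for pid, events in by_pid.items():
        events.sort(key=lambda e: e[0])
        for i, (ts_i, tags_i) in enumerate(events):
            seen = set(tags_i)
            for ts_j, tags_j in events[i + 1:]:
                if ts_j - ts_i > window:
                    break
                seen |= tags_j
            if {"vm_kill", "snapshot_removeall"} <= seen:
                hits.append((pid, ts_i, frozenset(seen)))
                break  # one alert per session is enough
    return hits


if __name__ == "__main__":
    for pid, ts, tags in find_suspicious_sessions(SAMPLE_LOG):
        print(f"session {pid} at {ts.isoformat()}: {sorted(tags)}")
```

The window-based correlation matters more than any single pattern: administrators do kill stuck VMs and do remove snapshots, but rarely both for several VMs within seconds, and never followed by an unknown binary run against /vmfs/volumes. On a real host, feed it the output of `cat /var/log/shell.log` or the equivalent forwarded syslog stream, and extend `PATTERNS` with whatever additional commands your own ESXi investigation turns up.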
The group takes its name from Cicada 3301, an infamous “internet mystery” that involved three sets of puzzles launched online from 2012 to 2014.