Introduction
A new and highly dangerous ransomware group, Cicada3301, has been launching attacks against businesses using VMware ESXi servers. According to security researchers, its evasion techniques and the use of advanced Rust-based ransomware show similarities with the ALPHV/Blackcat group, suggesting either a rebranding effort or a collaboration between the two.
These VMware servers, which host multiple virtual machines, are critical to many business operations, and this ransomware can lock businesses out of their entire system. Once they gain access, attackers demand a ransom in exchange for the decryption of data. However, the Cyber Security Centre strongly advises against paying ransoms, as it does not guarantee the return of data and only emboldens criminals to strike again.
Detail
Cicada3301 is using advanced tactics, often exploiting known vulnerabilities in VMware ESXi systems. The group is part of a ransomware-as-a-service (RaaS) operation, which means they offer their malicious tools to other criminals. The attack typically begins with the use of stolen credentials to gain access to the victim’s network. Once inside, the attackers target VMware ESXi servers, exploiting known vulnerabilities in these systems to deploy ransomware that encrypts files across virtual machines, locking out businesses from their data and operations. The group then demands a ransom, often in cryptocurrency, promising to restore access to files or refrain from releasing sensitive information publicly.
The combination of techniques used in these attacks makes it extremely difficult for organisations to recover without external help or comprehensive backups.
Cybercriminals cannot be trusted to follow through on their promises. There are numerous instances where attackers have taken the ransom but failed to provide a decryption key, or provided a faulty one that doesn't fully restore the data.
Paying the ransom can also put your business on a list of organisations willing to pay, making your organisation a prime target for future attacks.
The transfer of funds to individuals (i.e. designated persons) or jurisdictions that are subject to financial sanctions may breach local and international sanctions legislation and incur heavy penalties.
Recommendations
Organisations should focus on strong preventative measures and having a solid recovery plan in place, which would include, but is not limited to, the following:
- Patch and Update Systems Regularly: Ensure that your VMware ESXi servers and all critical software are updated with the latest security patches to close vulnerabilities that ransomware groups may exploit.
- Strengthen Access Controls: Implement multi-factor authentication (MFA), regularly monitor access logs for any suspicious activity and ensure that strong, unique passwords are used across systems.
- Endpoint Protection and Network Monitoring: Implement advanced endpoint protection and network monitoring solutions to detect suspicious activity, such as unauthorised access or unusual file behaviour.
- Backup Data Securely: Keep regular backups of all important data and ensure these backups are stored securely, offline or in a cloud environment.
- Develop an Incident Response Plan: Have a clear action plan for responding to ransomware attacks, including immediate containment and communication with cybersecurity professionals.
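The "monitor access logs for any suspicious activity" recommendation above is the one most easily turned into something concrete, so here is an added example of what that monitoring can look like in practice. It is not part of this advisory and not tooling from the Cyber Security Centre; it is a small Python script that reads SSH authentication lines in a syslog-like layout resembling what an ESXi host writes to its auth log, and flags the patterns that precede a credential-based intrusion of the kind described in the Detail section: repeated failures from one source, a success following those failures, a success from outside the management network, and a success outside working hours. The log lines, hostnames, IP addresses, thresholds, the management subnet prefix and the business-hours window are all constructed for the example and should be replaced with your own values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, not taken from any real host or from the advisory.
# The layout (timestamp, host, sshd[pid], result, method, user, source, port)
# is an assumption loosely modelled on an ESXi host's SSH auth log.
SAMPLE_LOG = """\
2024-09-02T01:12:03Z esxi01 sshd[2001]: Failed password for root from 203.0.113.45 port 51122 ssh2
2024-09-02T01:12:05Z esxi01 sshd[2002]: Failed password for root from 203.0.113.45 port 51124 ssh2
2024-09-02T01:12:08Z esxi01 sshd[2003]: Failed password for root from 203.0.113.45 port 51130 ssh2
2024-09-02T01:12:10Z esxi01 sshd[2004]: Failed password for root from 203.0.113.45 port 51133 ssh2
2024-09-02T01:12:15Z esxi01 sshd[2005]: Accepted password for root from 203.0.113.45 port 51140 ssh2
2024-09-02T09:30:00Z esxi01 sshd[2100]: Accepted publickey for admin from 10.0.5.20 port 40010 ssh2
2024-09-02T22:45:00Z esxi01 sshd[2200]: Accepted password for root from 198.51.100.9 port 44000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Tuning values assumed for the example; adjust to your environment.
FAIL_THRESHOLD = 3                 # failures from one source before alerting
BUSINESS_HOURS = range(8, 19)      # 08:00-18:59 UTC counts as working hours
TRUSTED_ADMIN_NETS = ("10.0.5.",)  # prefix of the assumed management subnet


def parse_line(line):
    """Return a dict of fields for an auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def analyse(log_text):
    """Walk the log in order and return a list of (alert_type, source, user)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures = defaultdict(int)  # failed attempts seen so far, per source IP
    alerts = []
    for e in events:
        src, user = e["src"], e["user"]
        if e["result"] == "Failed":
            failures[src] += 1
            # Alert once, at the moment the threshold is reached.
            if failures[src] == FAIL_THRESHOLD:
                alerts.append(("brute_force", src, user))
            continue
        # Successful login: check it against the earlier failures and context.
        if failures[src] >= FAIL_THRESHOLD:
            alerts.append(("success_after_failures", src, user))
        if not src.startswith(TRUSTED_ADMIN_NETS):
            alerts.append(("untrusted_source", src, user))
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("out_of_hours", src, user))
    return alerts


if __name__ == "__main__":
    for alert_type, src, user in analyse(SAMPLE_LOG):
        print(f"{alert_type:24} source={src:15} user={user}")
```

Running the script over the constructed lines produces six alerts: the brute-force threshold for 203.0.113.45, then three alerts for the root login that follows it (success after failures, untrusted source, out of hours), and two for the late-evening root login from 198.51.100.9. The admin login from the management subnet during working hours raises nothing. In a real deployment the same checks would run continuously against forwarded logs, and a "success_after_failures" alert in particular should be treated as a probable compromised credential and handled under the incident response plan rather than as noise.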
For guidance on Ransomware payments and sanctions legislation, please refer to the ‘Ransomware and Sanctions Guidance’ document.
Organisations are strongly encouraged to report ransomware attacks to the Cyber Security Centre and to the Isle of Man Police. Your report will be treated in strictest confidence.