Cybersecurity researchers have unpacked the inner workings of a new ransomware variant known as Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation.
“It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector,” cybersecurity firm Morphisec stated in a technical report shared with The Hacker News.
Written in Rust and capable of targeting both Windows and Linux/ESXi hosts, Cicada3301 first emerged in June 2024, inviting potential affiliates to join its ransomware-as-a-service (RaaS) platform via an advertisement on the RAMP underground forum.
A notable aspect of the ransomware is that the executable embeds the compromised user’s credentials, which are then used to run PsExec, a legitimate tool that makes it possible to run programs remotely.
Cicada3301’s similarities with BlackCat also extend to its use of ChaCha20 for encryption, fsutil to evaluate symbolic links and encrypt redirected files, as well as IISReset.exe to stop the IIS services and encrypt files that may otherwise be locked for modification or deletion.
Other overlaps with BlackCat include steps taken to delete shadow copies, disable system recovery by manipulating the bcdedit utility, increase the MaxMpxCt value to support higher volumes of traffic (e.g., SMB PsExec requests), and clear all event logs using the wevtutil utility.
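The pre-encryption steps listed above (fsutil symlink evaluation, IISReset, bcdedit recovery tampering, MaxMpxCt changes, wevtutil log clearing) are each noisy on their own but telling in combination. The following detector, added here as an illustration and not taken from Morphisec’s report or the ransomware itself, runs simple process-command-line rules over constructed Windows process-creation events and flags a host only when several distinct rules fire; the rule patterns, host names and command lines are assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed Windows process-creation events (sample data, not from the article).
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws01", "cmd": "wevtutil cl Security"},
    {"host": "ws01", "cmd": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /t REG_DWORD /d 65535 /f"},
    {"host": "ws01", "cmd": "iisreset /stop"},
    {"host": "ws01", "cmd": "fsutil behavior set SymlinkEvaluation R2L:1"},
    {"host": "ws02", "cmd": "wevtutil qe Application /c:5"},   # benign: queries, does not clear
    {"host": "ws02", "cmd": "iisreset /status"},               # benign: status check only
]

# (rule name, process pattern, argument pattern); both must hit, case-insensitively.
# Patterns are assumptions chosen to cover the behaviours the article describes.
RULES = [
    ("recovery_disabled",    r"\bbcdedit(\.exe)?\b",                     r"recoveryenabled\s+no"),
    ("event_log_cleared",    r"\bwevtutil(\.exe)?\b",                    r"\b(cl|clear-log)\b"),
    ("maxmpxct_raised",      r"\b(reg(\.exe)?|powershell(\.exe)?)\b",    r"\bmaxmpxct\b"),
    ("iis_stopped",          r"\biisreset(\.exe)?\b",                    r"/stop\b"),
    ("symlink_eval_changed", r"\bfsutil(\.exe)?\b",                      r"symlinkevaluation"),
]

def match_rules(cmd):
    """Return the names of every rule whose process and argument patterns both match cmd."""
    hits = []
    for name, proc_re, arg_re in RULES:
        if re.search(proc_re, cmd, re.I) and re.search(arg_re, cmd, re.I):
            hits.append(name)
    return hits

def correlate(events, min_rules=2):
    """Collect distinct rule hits per host; hosts reaching min_rules are returned as flagged."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_rules(ev["cmd"]))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: pre-encryption pattern ({len(rules)} rules): {', '.join(rules)}")
```

Requiring two or more distinct rules per host keeps a lone administrative `wevtutil` or `iisreset` invocation from paging anyone, while the cluster of tampering steps the article describes still surfaces.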
Cicada3301 has also been observed stopping locally deployed virtual machines (VMs), a behavior previously adopted by the Megazord ransomware and the Yanluowang ransomware, and terminating various backup and recovery services along with a hard-coded list of dozens of processes.
Besides maintaining a built-in list of excluded files and directories during the encryption process, the ransomware targets a total of 35 file extensions – sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, raw, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm, and txt.
Morphisec said its investigation also uncovered additional tools like EDRSandBlast that weaponize a vulnerable signed driver to bypass EDR detections, a technique also adopted by the BlackByte ransomware group in the past.
The findings follow Truesec’s analysis of the ESXi version of Cicada3301, which also uncovered indications that the group may have teamed up with the operators of the Brutus botnet to obtain initial access to enterprise networks.
“Regardless of whether Cicada3301 is a rebrand of ALPHV, they have a ransomware written by the same developer as ALPHV, or they have just copied parts of ALPHV to make their own ransomware, the timeline suggests the demise of BlackCat and the emergence of first the Brutus botnet and then the Cicada3301 ransomware operation may possibly be all connected,” the company noted.
The attacks against VMware ESXi systems also involve using intermittent encryption to encrypt files larger than a set threshold (100 MB) and a parameter named “no_vm_ss” to encrypt files without shutting down the virtual machines running on the host.
The emergence of Cicada3301 has also prompted an eponymous “non-political movement,” which has dabbled in “mysterious” cryptographic puzzles, to issue a statement that it has no connection to the ransomware scheme.