Cybersecurity researchers have unpacked the inside workings of a brand new ransomware variant referred to as Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation.
“It seems that Cicada3301 ransomware primarily targets small to medium-sized companies (SMBs), probably by means of opportunistic assaults that exploit vulnerabilities because the preliminary entry vector,” cybersecurity firm Morphisec mentioned in a technical report shared with The Hacker Information.
Written in Rust and able to focusing on each Home windows and Linux/ESXi hosts, Cicada3301 first emerged in June 2024, inviting potential associates to hitch their ransomware-as-a-service (RaaS) platform through an commercial on the RAMP underground discussion board.
A notable side of the ransomware is that the executable embeds the compromised consumer’s credentials, that are then used to run PsExec, a legit software that makes it potential to run packages remotely.
Cicada3301’s similarities with BlackCat additionally prolong to its use of ChaCha20 for encryption, fsutil to judge symbolic hyperlinks and encrypt redirected information, in addition to IISReset.exe to cease the IIS companies and encrypt information that will in any other case be locked for for modification or deletion.
Different overlaps to BlackCat embody steps undertaken to delete shadow copies, disable system restoration by manipulating the bcdedit utility, enhance the MaxMpxCt worth to assist greater volumes of site visitors (e.g., SMB PsExec requests), and clear all occasion logs by using the wevtutil utility.
Cicada3301 has additionally noticed stopping regionally deployed digital machines (VMs), a conduct beforehand adopted by the Megazord ransomware and the Yanluowang ransomware, and terminating numerous backup and restoration companies and a hard-coded checklist of dozens of processes.
Moreover sustaining a built-in checklist of excluded information and directories throughout the encryption course of, the ransomware targets a complete of 35 file extensions – sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, uncooked, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm, and txt.
Morphisec mentioned its investigation additionally uncovered extra instruments like EDRSandBlast that weaponize a susceptible signed driver to bypass EDR detections, a way additionally adopted by the BlackByte ransomware group up to now.
The findings observe Truesec’s evaluation of the ESXi model of Cicada3301, whereas additionally uncovering indications that the group might have teamed up with the operators of the Brutus botnet to acquire preliminary entry to enterprise networks.
“No matter whether or not Cicada3301 is a rebrand of ALPHV, they’ve a ransomware written by the identical developer as ALPHV, or they’ve simply copied elements of ALPHV to make their very own ransomware, the timeline suggests the demise of BlackCat and the emergence of first the Brutus botnet after which the Cicada3301 ransomware operation might presumably be all related,” the corporate famous.
The assaults towards VMware ESXi programs additionally entail utilizing intermittent encryption to encrypt information bigger than a set threshold (100 MB) and a parameter named “no_vm_ss” to encrypt information with out shutting down the digital machines which are operating on the host.
The emergence of Cicada3301 has additionally prompted an eponymous “non-political motion,” which has dabbled in “mysterious” cryptographic puzzles, to difficulty an announcement that it has no connection to the ransomware scheme.
