Cybersecurity researchers have unpacked the interior workings of a brand new ransomware variant referred to as Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation.
“It seems that Cicada3301 ransomware primarily targets small to medium-sized companies (SMBs), doubtless by way of opportunistic assaults that exploit vulnerabilities because the preliminary entry vector,” cybersecurity firm Morphisec stated in a technical report shared with The Hacker Information.
Written in Rust and able to concentrating on each Home windows and Linux/ESXi hosts, Cicada3301 first emerged in June 2024, inviting potential associates to hitch their ransomware-as-a-service (RaaS) platform by way of an commercial on the RAMP underground discussion board.
A notable facet of the ransomware is that the executable embeds the compromised person’s credentials, that are then used to run PsExec, a respectable instrument that makes it doable to run packages remotely.
Cicada3301’s similarities with BlackCat additionally prolong to its use of ChaCha20 for encryption, fsutil to judge symbolic hyperlinks and encrypt redirected information, in addition to IISReset.exe to cease the IIS providers and encrypt information which will in any other case be locked for for modification or deletion.
Different overlaps to BlackCat embody steps undertaken to delete shadow copies, disable system restoration by manipulating the bcdedit utility, enhance the MaxMpxCt worth to assist greater volumes of visitors (e.g., SMB PsExec requests), and clear all occasion logs by using the wevtutil utility.
Cicada3301 has additionally noticed stopping regionally deployed digital machines (VMs), a conduct beforehand adopted by the Megazord ransomware and the Yanluowang ransomware, and terminating numerous backup and restoration providers and a hard-coded listing of dozens of processes.
Moreover sustaining a built-in listing of excluded information and directories in the course of the encryption course of, the ransomware targets a complete of 35 file extensions – sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, uncooked, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm, and txt.
Morphisec stated its investigation additionally uncovered extra instruments like EDRSandBlast that weaponize a susceptible signed driver to bypass EDR detections, a way additionally adopted by the BlackByte ransomware group up to now.
The findings comply with Truesec’s evaluation of the ESXi model of Cicada3301, whereas additionally uncovering indications that the group might have teamed up with the operators of the Brutus botnet to acquire preliminary entry to enterprise networks.
“No matter whether or not Cicada3301 is a rebrand of ALPHV, they’ve a ransomware written by the identical developer as ALPHV, or they’ve simply copied components of ALPHV to make their very own ransomware, the timeline suggests the demise of BlackCat and the emergence of first the Brutus botnet after which the Cicada3301 ransomware operation might presumably be all linked,” the corporate famous.
The assaults in opposition to VMware ESXi techniques additionally entail utilizing intermittent encryption to encrypt information bigger than a set threshold (100 MB) and a parameter named “no_vm_ss” to encrypt information with out shutting down the digital machines which might be operating on the host.
The emergence of Cicada3301 has additionally prompted an eponymous “non-political motion,” which has dabbled in “mysterious” cryptographic puzzles, to situation a assertion that it has no connection to the ransomware scheme.
