Cybersecurity researchers have unpacked the internal workings of a brand new ransomware variant known as Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation.
“It seems that Cicada3301 ransomware primarily targets small to medium-sized companies (SMBs), doubtless by opportunistic assaults that exploit vulnerabilities because the preliminary entry vector,” cybersecurity firm Morphisec stated in a technical report shared with The Hacker Information.
Written in Rust and able to concentrating on each Home windows and Linux/ESXi hosts, Cicada3301 first emerged in June 2024, inviting potential associates to affix their ransomware-as-a-service (RaaS) platform through an commercial on the RAMP underground discussion board.
A notable facet of the ransomware is that the executable embeds the compromised person’s credentials, that are then used to run PsExec, a reputable device that makes it doable to run packages remotely.
Cicada3301’s similarities with BlackCat additionally prolong to its use of ChaCha20 for encryption, fsutil to guage symbolic hyperlinks and encrypt redirected recordsdata, in addition to IISReset.exe to cease the IIS providers and encrypt recordsdata that will in any other case be locked for for modification or deletion.
Different overlaps to BlackCat embody steps undertaken to delete shadow copies, disable system restoration by manipulating the bcdedit utility, enhance the MaxMpxCt worth to help greater volumes of site visitors (e.g., SMB PsExec requests), and clear all occasion logs by using the wevtutil utility.
Cicada3301 has additionally noticed stopping domestically deployed digital machines (VMs), a conduct beforehand adopted by the Megazord ransomware and the Yanluowang ransomware, and terminating varied backup and restoration providers and a hard-coded checklist of dozens of processes.
Moreover sustaining a built-in checklist of excluded recordsdata and directories throughout the encryption course of, the ransomware targets a complete of 35 file extensions – sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, uncooked, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm, and txt.
Morphisec stated its investigation additionally uncovered extra instruments like EDRSandBlast that weaponize a weak signed driver to bypass EDR detections, a way additionally adopted by the BlackByte ransomware group up to now.
The findings comply with Truesec’s evaluation of the ESXi model of Cicada3301, whereas additionally uncovering indications that the group could have teamed up with the operators of the Brutus botnet to acquire preliminary entry to enterprise networks.
“No matter whether or not Cicada3301 is a rebrand of ALPHV, they’ve a ransomware written by the identical developer as ALPHV, or they’ve simply copied components of ALPHV to make their very own ransomware, the timeline suggests the demise of BlackCat and the emergence of first the Brutus botnet after which the Cicada3301 ransomware operation could presumably be all related,” the corporate famous.
The assaults in opposition to VMware ESXi methods additionally entail utilizing intermittent encryption to encrypt recordsdata bigger than a set threshold (100 MB) and a parameter named “no_vm_ss” to encrypt recordsdata with out shutting down the digital machines which might be working on the host.
The emergence of Cicada3301 has additionally prompted an eponymous “non-political motion,” which has dabbled in “mysterious” cryptographic puzzles, to challenge a assertion that it has no connection to the ransomware scheme.