Rust-Based Ransomware Cicada3301 Sets Sights on Windows and Linux Systems
Cybersecurity researchers have detailed the inner workings of a new ransomware variant called Cicada3301, which shares similarities with the now-defunct BlackCat (aka ALPHV) operation.
“Cicada3301 ransomware seems to primarily concentrate on small to mid-sized enterprises (SMBs), possibly using random attacks to exploit weaknesses as the main mode of entry,” noted cybersecurity company Morphisec in a technical overview shared with The Hacker News.
Developed in Rust and with the ability to target both Windows and Linux/ESXi systems, Cicada3301 made its debut in June 2024, welcoming potential partners to sign up for their ransomware-as-a-service (RaaS) platform through an invitation listed on the RAMP underground forum.
A notable aspect of the ransomware is that the executable embeds the compromised user's credentials, which it then uses to run PsExec, a legitimate Sysinternals tool for executing programs on remote hosts.
The similarities with BlackCat also extend to the use of ChaCha20 for encryption, of fsutil to evaluate symbolic links and encrypt redirected files, and of IISReset.exe to stop IIS services and encrypt files that would otherwise be locked against modification or deletion.
Other overlaps with BlackCat include deleting shadow copies, disabling system recovery via the bcdedit utility, raising the MaxMpxCt value so the host can handle a larger volume of SMB requests (such as those generated by PsExec), and clearing all event logs with the wevtutil tool.
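The pre-encryption steps in the two paragraphs above (fsutil symlink evaluation, IISReset, shadow copy deletion, bcdedit, the MaxMpxCt registry change, wevtutil log clearing) all surface as process-creation events, which makes them a practical detection anchor. Below is an added Python example, not code from the article or from Morphisec, that runs a small rule set over constructed process-creation records (the field names are my own, loosely modelled on Sysmon Event ID 1 / Security 4688 data) and escalates when several distinct techniques show up on one host. The exact command lines are assumptions, since the article quotes none; using vssadmin or wmic for shadow copy deletion is likewise an assumption.

```python
import re
from typing import Dict, List

# Detection rules: (technique name, pattern matched against the process command line).
# Each pattern is an assumed, typical invocation of the tool the article names.
RULES = [
    ("symlink_eval",     re.compile(r"fsutil(?:\.exe)?\s+behavior\s+set\s+symlinkevaluation", re.I)),
    ("iis_stop",         re.compile(r"\biisreset(?:\.exe)?\b", re.I)),
    ("shadow_delete",    re.compile(r"(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("recovery_disable", re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b", re.I)),
    ("maxmpxct_raise",   re.compile(r"reg(?:\.exe)?\s+add\s+.*lanmanserver\\parameters\b.*maxmpxct", re.I)),
    ("log_clear",        re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
]

# Constructed sample records written for this example; they are not telemetry from a
# real Cicada3301 intrusion. The last two are benign and should not match any rule.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\fsutil.exe",
     "cmdline": "fsutil behavior set SymlinkEvaluation R2L:1 R2R:1"},
    {"pid": 4130, "image": r"C:\Windows\System32\iisreset.exe",
     "cmdline": "iisreset.exe /stop"},
    {"pid": 4140, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4150, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 4170, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"},
    {"pid": 4180, "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl System"},
    {"pid": 4190, "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"pid": 4200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c dir"},
    {"pid": 4210, "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil qe Application /c:5"},
]


def classify(cmdline: str) -> List[str]:
    """Return the names of every rule the command line triggers (empty list if none)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def assess_host(events: List[Dict], min_distinct: int = 3) -> Dict:
    """Aggregate rule hits for one host.

    Any one of these commands is also used by admins and by many other ransomware
    families, so a single hit is low confidence; several distinct techniques on the
    same host in a short window is the signal worth paging on.
    """
    hits: Dict[str, List[int]] = {}
    for ev in events:
        for name in classify(ev["cmdline"]):
            hits.setdefault(name, []).append(ev["pid"])
    distinct = len(hits)
    verdict = "likely pre-encryption staging" if distinct >= min_distinct else "monitor"
    return {"techniques": hits, "distinct": distinct, "verdict": verdict}


if __name__ == "__main__":
    result = assess_host(SAMPLE_EVENTS)
    for name, pids in result["techniques"].items():
        print(f"{name:18s} pids={pids}")
    print(f"{result['distinct']} distinct techniques -> {result['verdict']}")
```

In production the same rules would be fed from an EDR or SIEM process-creation stream and keyed by host and time window; the MaxMpxCt rule in particular is rarely touched by legitimate change and pairs well with the PsExec-over-SMB activity described above.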
Cicada3301 has also been observed stopping locally deployed virtual machines (VMs), a tactic previously used by the Megazord and Yanluowang ransomware families, as well as terminating various backup and recovery tools and a hard-coded list of dozens of processes.
In addition to keeping a predefined inventory of excluded files and directories during encryption, the ransomware targets a total of 35 file extensions – sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, raw, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm, and txt.
Morphisec's investigation also turned up additional tooling such as EDRSandBlast, which abuses a vulnerable signed driver to bypass EDR detection, a technique previously used by the BlackByte ransomware group.

The findings follow Truesec's analysis of the ESXi version of Cicada3301, which also surfaced signs that the group may have partnered with the operators of the Brutus botnet to obtain initial access to corporate networks.
“Regardless of whether Cicada3301 is a rebrand of ALPHV, they have a ransomware developed by the identical developer as ALPHV, or they have simply reproduced parts of ALPHV to create their ransomware, the timeline implies the end of BlackCat and the rise of initially the Brutus botnet and then the Cicada3301 ransomware operation may potentially be intertwined,” the organization highlighted.
The attacks against VMware ESXi systems also make use of intermittent encryption for files larger than a set threshold (100 MB) and a "no_vm_ss" parameter that encrypts files without shutting down the virtual machines running on the host.
The emergence of Cicada3301 has also prompted the self-described "non-political movement" of the same name, known for its "mysterious" cryptographic puzzles, to issue a statement disavowing any connection to the ransomware operation.
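To show why the size-gated intermittent encryption described two paragraphs above matters for both speed and detection, here is an added Python example, not code from the article, Morphisec, Truesec or the ransomware itself. It computes which byte ranges such a scheme would touch, then contrasts whole-file entropy with per-window entropy. The "1 MB encrypted every 10 MB" stride, the scaled-down demo sizes and the sample document are assumptions; the article gives only the 100 MB threshold. Ciphertext is simulated with random bytes rather than an actual ChaCha20 call, which is enough for the entropy behaviour being demonstrated.

```python
import math
import os
from collections import Counter
from typing import List, Tuple

MB = 1024 * 1024
SIZE_THRESHOLD = 100 * MB  # from the article: files above this size get intermittent encryption


def encrypted_ranges(size: int, threshold: int = SIZE_THRESHOLD,
                     chunk: int = 1 * MB, stride: int = 10 * MB) -> List[Tuple[int, int]]:
    """Return the (start, end) byte ranges an intermittent scheme would encrypt.

    Files at or below `threshold` are encrypted in full. Above it, `chunk` bytes are
    encrypted at every `stride` offset. The chunk/stride values are assumptions made
    for this example; the article does not state the stride Cicada3301 uses.
    """
    if size <= threshold:
        return [(0, size)]
    ranges = []
    start = 0
    while start < size:
        ranges.append((start, min(start + chunk, size)))
        start += stride
    return ranges


def coverage(size: int, **kw) -> float:
    """Fraction of the file that actually gets encrypted (roughly the I/O the encryptor saves)."""
    return sum(e - s for s, e in encrypted_ranges(size, **kw)) / size


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (0 for empty input, at most 8)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def simulate_encryption(plaintext: bytes, ranges: List[Tuple[int, int]]) -> bytes:
    """Stand-in for the encryptor: overwrite each range with random bytes.

    ChaCha20 keystream output is indistinguishable from random, so the entropy
    profile matches real ciphertext. No cipher is implemented here on purpose.
    """
    buf = bytearray(plaintext)
    for s, e in ranges:
        buf[s:e] = os.urandom(e - s)
    return bytes(buf)


def high_entropy_windows(data: bytes, window: int, min_entropy: float = 7.0) -> int:
    """Count fixed-size windows whose entropy looks like ciphertext.

    Scanning windows instead of the whole file is what catches an intermittently
    encrypted file; whole-file entropy stays close to that of the original document.
    """
    return sum(1 for off in range(0, len(data), window)
               if shannon_entropy(data[off:off + window]) >= min_entropy)


# Constructed sample "document" (repeated text, not a real file), with the scheme
# scaled down so the demo runs in memory: 10 KB threshold, 1 KB chunk every 10 KB.
SAMPLE = (b"Quarterly revenue grew 4% on stronger demand in the EMEA region.\n" * 2000)[:100_000]
DEMO_KW = dict(threshold=10_000, chunk=1_000, stride=10_000)


def demo() -> dict:
    ranges = encrypted_ranges(len(SAMPLE), **DEMO_KW)
    partial = simulate_encryption(SAMPLE, ranges)
    full = simulate_encryption(SAMPLE, [(0, len(SAMPLE))])
    return {
        "coverage": coverage(len(SAMPLE), **DEMO_KW),
        "entropy_plain": shannon_entropy(SAMPLE),
        "entropy_partial": shannon_entropy(partial),
        "entropy_full": shannon_entropy(full),
        "windows_partial": high_entropy_windows(partial, window=1_000),
        "windows_full": high_entropy_windows(full, window=1_000),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:.3f}" if isinstance(value, float) else f"{key}: {value}")
```

With these parameters only a tenth of a large file is rewritten, which is why the ESXi encryptor can get through multi-gigabyte VM disks quickly, and the whole-file entropy of the result stays well below the 8 bits per byte a fully encrypted file approaches. A detector that samples overall entropy will therefore miss it, while the windowed scan flags exactly the encrypted chunks; the same windowed approach is what to use when triaging which files on a hit host were touched.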