Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that bears similarities to the now-defunct BlackCat (aka ALPHV) operation.
“The Cicada3301 ransomware appears to primarily target small and medium-sized businesses (SMBs), likely through opportunistic attacks that use vulnerabilities as an initial access vector,” cybersecurity firm Morphisec said in a technical report shared with The Hacker News.
Written in Rust and able to target both Windows and Linux/ESXi hosts, Cicada3301 first appeared in June 2024 inviting potential partners to join their ransomware-as-a-service (RaaS) platform through an advertisement on the underground RAMP forum.
A distinctive aspect of the ransomware is that the compromised user’s credentials are embedded in the executable, which are then used to launch PsExec, a legitimate tool that allows programs to be run remotely.
Cicada3301’s similarities to BlackCat also extend to the use of ChaCha20 for encryption, fsutil to evaluate symbolic links and encrypt redirected files, and IISReset.exe to stop IIS services and encrypt files that might otherwise be locked for modification or deletion.
Other overlaps with BlackCat include steps taken to remove shadow copies, disable System Restore by manipulating the bcdedit utility, increase the MaxMpxCt value to support large amounts of traffic (such as SMB PsExec requests), and clear all event logs with the wevtutil utility.
Cicada3301 has also been observed terminating locally deployed virtual machines (VMs), a behavior previously seen in the Megazord and Yanluowang ransomware families, as well as stopping various backup and recovery services and a hard-coded list of dozens of processes.
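The defense-evasion steps listed above (bcdedit, MaxMpxCt, wevtutil, IISReset.exe and fsutil) are individually benign administrative commands; what makes them suspicious is several of them appearing on one host in quick succession. The following is an added example, not code from the article or from Morphisec, of simple process-creation log triage that flags hosts showing that cluster; the pipe-separated log format, the sample lines and the threshold are constructed assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry), in an assumed
# "host | user | image | command line" format.
SAMPLE_LOGS = [
    "WS01 | CORP\\alice | C:\\Windows\\System32\\bcdedit.exe | bcdedit /set {default} recoveryenabled No",
    "WS01 | CORP\\alice | C:\\Windows\\System32\\reg.exe | reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v MaxMpxCt /t REG_DWORD /d 65535 /f",
    "WS01 | CORP\\alice | C:\\Windows\\System32\\wevtutil.exe | wevtutil cl Security",
    "WS01 | CORP\\alice | C:\\Windows\\System32\\iisreset.exe | IISReset.exe /stop",
    "WS01 | CORP\\alice | C:\\Windows\\System32\\fsutil.exe | fsutil behavior set SymlinkEvaluation R2L:1 R2R:1",
    "WS02 | CORP\\bob | C:\\Program Files\\Notepad++\\notepad++.exe | notepad++ report.txt",
]

# One rule per behaviour named in the article. The vssadmin alternative for
# shadow-copy removal is a common implementation, not something the article names.
RULES = {
    "restore_or_shadow_tamper": re.compile(r"bcdedit.*recoveryenabled\s+no|vssadmin.*delete\s+shadows", re.I),
    # MaxMpxCt lives under the LanmanServer service parameters key.
    "maxmpxct_increase": re.compile(r"LanmanServer\\Parameters.*MaxMpxCt", re.I),
    "event_log_clear": re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I),
    "iis_stop": re.compile(r"iisreset(\.exe)?\s+/stop", re.I),
    "symlink_evaluation_change": re.compile(r"fsutil\s+behavior\s+set\s+SymlinkEvaluation", re.I),
}

def classify(line):
    """Return the names of the rules whose pattern matches this line's command line."""
    cmd = line.split(" | ")[-1]
    return [name for name, rx in RULES.items() if rx.search(cmd)]

def score_hosts(lines, threshold=3):
    """Group distinct matched behaviours per host and flag hosts reaching the threshold.

    No single command is conclusive on its own; the cluster of distinct
    behaviours on one host is what warrants an analyst's attention.
    """
    per_host = {}
    for line in lines:
        host = line.split(" | ")[0]
        per_host.setdefault(host, set()).update(classify(line))
    return {h: (sorted(hits), len(hits) >= threshold) for h, hits in per_host.items()}
```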
Besides maintaining a built-in list of excluded files and directories during the encryption process, the ransomware targets 35 file extensions – sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, raw, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm and txt.
Morphisec said its research also revealed additional tools such as EDRSandBlast, which uses a vulnerable signed driver to bypass EDR detection, a technique also adopted by the BlackByte ransomware group in the past.
The findings build on a Truesec analysis of Cicada3301’s ESXi version, which also revealed signs that the group may have collaborated with the operators of the Brutus botnet to gain initial access to corporate networks.
“Whether Cicada3301 is a rebrand of ALPHV, they have ransomware written by the same developer as ALPHV, or they simply copied parts of ALPHV to create their own ransomware, the timeline suggests that the demise of BlackCat and the appearance of first the Brutus botnet and then the Cicada3301 ransomware operation may be linked,” the company noted.
Attacks against VMware ESXi systems also involve the use of intermittent encryption for files larger than a specified threshold (100 MB) and a parameter called “no_vm_ss” to encrypt files without powering down the virtual machines running on the host.
The emergence of Cicada3301 has also prompted the eponymous “non-political movement” known for its “mysterious” cryptographic puzzles to issue a statement saying it is not connected to the extortion scheme.