The newly developed Cicada3301 ransomware targets Windows and Linux systems using Rust technology.

Cybersecurity researchers have recently analyzed a new ransomware variant called Cicada3301, which bears similarities to the now-defunct BlackCat (aka ALPHV) operation.

According to a technical report by cybersecurity company Morphisec shared with The Hacker News, Cicada3301 ransomware targets small to medium-sized businesses (SMBs) through opportunistic attacks exploiting vulnerabilities as the initial access vector.

This ransomware, written in Rust, is capable of targeting both Windows and Linux/ESXi hosts. It emerged in June 2024 and invited potential affiliates to join its ransomware-as-a-service (RaaS) platform on the RAMP underground forum.

An interesting feature of Cicada3301 ransomware is the embedding of compromised user credentials, which are then used to run PsExec, a legitimate tool for remote program execution.

Similar to BlackCat, Cicada3301 uses ChaCha20 encryption, fsutil for evaluating symbolic links and encrypting redirected files, and IISReset.exe for stopping IIS services and encrypting locked files. It also deletes shadow copies, disables system recovery, and performs various other malicious activities.
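Each of the Windows-side behaviours named above (PsExec, fsutil symbolic-link evaluation, IISReset, shadow copy deletion, disabled recovery) also occurs in ordinary administration, so a detection is more useful when it keys on several of them appearing on one host in a short time. The following is an added example, not code from the Morphisec or Truesec reports: it correlates constructed process-creation events per host, and the log format, regex patterns, 10-minute window and threshold of three are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviours named in the article -> assumed command-line patterns for
# process-creation logs (not indicators taken from the vendor reports).
RULES = {
    "psexec": re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I),
    "fsutil_symlink": re.compile(r"\bfsutil\b.*\bbehavior\s+set\s+symlinkevaluation\b", re.I),
    "iis_stop": re.compile(r"\biisreset\b.*/stop\b", re.I),
    "shadow_delete": re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b", re.I),
    "recovery_off": re.compile(r"\bbcdedit\b.*\brecoveryenabled\s+no\b", re.I),
}
WINDOW = timedelta(minutes=10)  # assumed correlation window
THRESHOLD = 3                   # distinct behaviours on one host to alert

# Constructed sample events, format: timestamp|host|command line
SAMPLE_LOG = r"""
2024-09-03T09:12:00|SRV-WEB1|C:\Windows\System32\iisreset.exe /stop
2024-09-03T14:00:10|SRV-FS2|C:\Tools\PsExec.exe \\SRV-FS2 C:\Temp\job.exe
2024-09-03T14:00:40|SRV-FS2|fsutil behavior set SymlinkEvaluation R2L:1
2024-09-03T14:01:05|SRV-FS2|iisreset.exe /stop
2024-09-03T14:01:30|SRV-FS2|vssadmin.exe delete shadows /all /quiet
2024-09-04T01:00:00|SRV-DB3|PsExec64.exe \\SRV-DB3 C:\Temp\patch.exe
2024-09-04T05:00:00|SRV-DB3|iisreset /stop
2024-09-04T11:00:00|SRV-DB3|vssadmin delete shadows /for=D:
"""

def parse(log):
    """Yield (time, host, behaviour) for each event matching a rule."""
    for line in log.strip().splitlines():
        ts, host, cmd = line.split("|", 2)
        for name, rx in RULES.items():
            if rx.search(cmd):
                yield datetime.fromisoformat(ts), host, name

def correlate(log):
    """Return {host: behaviours} where THRESHOLD distinct rules fire in WINDOW."""
    per_host = defaultdict(list)
    for when, host, name in sorted(parse(log)):
        per_host[host].append((when, name))
    alerts = {}
    for host, hits in per_host.items():
        for i, (start, _) in enumerate(hits):
            seen = {n for t, n in hits[i:] if t - start <= WINDOW}
            if len(seen) >= THRESHOLD:
                alerts[host] = sorted(seen)
                break
    return alerts
```

On the sample data only SRV-FS2 alerts: SRV-WEB1 shows a single IIS stop, and SRV-DB3 shows three behaviours spread across ten hours, which falls outside the window.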

In addition to excluding files and directories during encryption, Cicada3301 targets 35 file extensions for encryption. It also utilizes tools like EDRSandBlast to bypass EDR detections.

Truesec's analysis revealed Cicada3301's behavior on VMware ESXi systems, indicating potential collaboration with the operators of the Brutus botnet to gain initial access to enterprise networks.

The emergence of Cicada3301 has also sparked a non-political movement unrelated to the ransomware, known for its mysterious cryptographic puzzles.

For more information, you can refer to the full report here.

Stay informed and protect your systems against evolving ransomware threats like Cicada3301.