
Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation.
“It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector,” cybersecurity company Morphisec said in a technical report shared with The Hacker News.
Written in Rust and capable of targeting both Windows and Linux/ESXi hosts, Cicada3301 first emerged in June 2024, inviting potential affiliates to join its ransomware-as-a-service (RaaS) platform via an advertisement on the RAMP underground forum.
A notable aspect of the ransomware is that the executable embeds the compromised user’s credentials, which are then used to run PsExec, a legitimate tool that makes it possible to run programs remotely.

Cicada3301’s similarities with BlackCat also extend to its use of ChaCha20 for encryption, fsutil to evaluate symbolic links and encrypt redirected files, as well as IISReset.exe to stop the IIS services and encrypt files that would otherwise be locked against modification or deletion.
Other overlaps with BlackCat include steps taken to delete shadow copies, disable system recovery by manipulating the bcdedit utility, increase the MaxMpxCt value to support higher volumes of traffic (e.g., SMB PsExec requests), and clear all event logs using the wevtutil utility.
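The pre-encryption steps listed above (bcdedit recovery tampering, MaxMpxCt changes, wevtutil log clearing, IISReset, PsExec) are all visible in process-creation telemetry. The following is an added detection example written for this article, not code from Morphisec or the ransomware; the rule names, regexes, per-host threshold and the sample events are my own constructions, and the shadow-copy rule assumes vssadmin/wmic, which the article does not name.

```python
import re
from collections import defaultdict

# Detection rules for the pre-encryption steps the article lists. Each entry is
# (rule name, regex over the process command line); patterns are illustrative.
RULES = [
    ("boot_recovery_disabled", re.compile(
        r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("event_logs_cleared", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("smb_maxmpxct_raised", re.compile(r"reg(\.exe)?\s+add\b.*\bMaxMpxCt\b", re.I)),
    ("iis_stopped", re.compile(r"iisreset(\.exe)?\s+/stop", re.I)),
    # Assumed tooling: the article says shadow copies are deleted but names no command.
    ("shadow_copies_deleted", re.compile(
        r"(vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete)", re.I)),
    ("psexec_remote_exec", re.compile(r"\bpsexec(\.exe)?\b", re.I)),
]

# Constructed sample events (host, command line); not captured telemetry.
SAMPLE_EVENTS = [
    ("srv01", "bcdedit /set {default} recoveryenabled No"),
    ("srv01", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("srv01", "wevtutil cl Security"),
    ("srv01", "reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters"
              " /v MaxMpxCt /d 65535 /t REG_DWORD /f"),
    ("srv01", "iisreset.exe /stop"),
    ("srv01", "psexec.exe \\\\ws07 -s cmd.exe"),
    ("ws02", "bcdedit /enum"),              # benign: read-only query
    ("ws02", "wevtutil qe System /c:5"),    # benign: query, not a clear
]

def classify(cmdline):
    """Return the names of every rule the command line matches (empty if none)."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def score_hosts(events, min_rules=3):
    """Group matches per host; a host tripping at least min_rules distinct rules
    in the window is returned with its sorted rule names. Single hits are noisy
    (admins run bcdedit and PsExec too); the combination is the signal."""
    hits = defaultdict(set)
    for host, cmdline in events:
        hits[host].update(classify(cmdline))
    return {host: sorted(rules) for host, rules in hits.items() if len(rules) >= min_rules}

if __name__ == "__main__":
    for host, rules in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```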

Cicada3301 has also been observed stopping locally deployed virtual machines (VMs), a behavior previously adopted by the Megazord ransomware and the Yanluowang ransomware, and terminating various backup and recovery services as well as a hard-coded list of dozens of processes.
Besides maintaining a built-in list of excluded files and directories during the encryption process, the ransomware targets a total of 35 file extensions – sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, raw, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm, and txt.
Morphisec said its investigation also uncovered additional tools like EDRSandBlast that weaponize a vulnerable signed driver to bypass EDR detections, a method previously adopted by the BlackByte ransomware group.

The findings follow Truesec’s analysis of the ESXi version of Cicada3301, which also uncovered indications that the group may have teamed up with the operators of the Brutus botnet to obtain initial access to enterprise networks.
“Regardless of whether Cicada3301 is a rebrand of ALPHV, they have a ransomware written by the same developer as ALPHV, or they have just copied parts of ALPHV to make their own ransomware, the timeline suggests the demise of BlackCat and the emergence of first the Brutus botnet and then the Cicada3301 ransomware operation might possibly be all connected,” the company noted.
The attacks against VMware ESXi systems also involve the use of intermittent encryption for files larger than a set threshold (100 MB) and a parameter named “no_vm_ss” to encrypt files without shutting down the virtual machines running on the host.
The emergence of Cicada3301 has also prompted an eponymous “non-political movement,” which has dabbled in “mysterious” cryptographic puzzles, to issue a statement that it has no connection to the ransomware scheme.