Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation.
“It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector,” cybersecurity company Morphisec said in a technical report shared with The Hacker News.
Written in Rust and capable of targeting both Windows and Linux/ESXi hosts, Cicada3301 first emerged in June 2024, inviting potential affiliates to join their ransomware-as-a-service (RaaS) platform via an advertisement on the RAMP underground forum.
A notable aspect of the ransomware is that the executable embeds the compromised user’s credentials, which are then used to run PsExec, a legitimate tool that makes it possible to run programs remotely.
Cicada3301’s similarities with BlackCat also extend to its use of ChaCha20 for encryption, fsutil to evaluate symbolic links and encrypt redirected files, as well as IISReset.exe to stop the IIS services and encrypt files that may otherwise be locked for for modification or deletion.
Other overlaps to BlackCat include steps undertaken to delete shadow copies, disable system recovery by manipulating the bcdedit utility, increase the MaxMpxCt value to support higher volumes of traffic (e.g., SMB PsExec requests), and clear all event logs by utilizing the wevtutil utility.
Cicada3301 has also observed stopping locally deployed virtual machines (VMs), a behavior previously adopted by the Megazord ransomware and the Yanluowang ransomware, and terminating various backup and recovery services and a hard-coded list of dozens of processes.
Besides maintaining a built-in list of excluded files and directories during the encryption process, the ransomware targets a total of 35 file extensions – sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, raw, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm, and txt.
Morphisec said its investigation also uncovered additional tools like EDRSandBlast that weaponize a vulnerable signed driver to bypass EDR detections, a technique also adopted by the BlackByte ransomware group in the past.
The findings follow Truesec’s analysis of the ESXi version of Cicada3301, while also uncovering indications that the group may have teamed up with the operators of the Brutus botnet to obtain initial access to enterprise networks.
“Regardless of whether Cicada3301 is a rebrand of ALPHV, they have a ransomware written by the same developer as ALPHV, or they have just copied parts of ALPHV to make their own ransomware, the timeline suggests the demise of BlackCat and the emergence of first the Brutus botnet and then the Cicada3301 ransomware operation may possibly be all connected,” the company noted.
The attacks against VMware ESXi systems also entail using intermittent encryption to encrypt files larger than a set threshold (100 MB) and a parameter named “no_vm_ss” to encrypt files without shutting down the virtual machines that are running on the host.
The emergence of Cicada3301 has also prompted an eponymous “non-political movement,” which has dabbled in “mysterious” cryptographic puzzles, to issue a statement that it has no connection to the ransomware scheme.
