Cybersecurity Snapshots - Cicada3301 Ransomware

By aekwall 

In late 2023, the FBI was able to disrupt the Blackcat/ALPHV ransomware group by hacking the hackers. The FBI obtained a decryption tool and provided it to 500 victims around the world. At its height, Blackcat/ALPHV had over 1,000 victims. Before being disrupted, Blackcat/ALPHV was the second most prolific Ransomware-as-a-Service (RaaS) variant in the world. Following the law enforcement takedown, Blackcat/ALPHV announced that it was boosting the affiliate share to 90% of received payments, as an incentive to get its operation back on track fast. After complaints from affiliates who claimed they had not been paid, a Blackcat/ALPHV representative reported that the RaaS operation had been shut down, blaming law enforcement for it. The leak site the group set up after the December 2023 disruption currently displays an alleged takedown notice. However, researchers at Emsisoft say that the notice is a cover-up. Blackcat/ALPHV performed an exit scam in early March and then went quiet.

Now, researchers believe that the Blackcat/ALPHV ransomware gang might have resurfaced in the form of Cicada3301. The researchers noted that Cicada3301 is written in Rust and has multiple similarities to Blackcat/ALPHV. Since June 2024, Cicada3301 has claimed over 30 victims, mainly among small and medium-sized businesses (SMBs) in the healthcare, hospitality, manufacturing/industrial, and retail industries in North America and the UK.

According to security researchers at Morphisec, several Cicada3301 core characteristics are reminiscent of Blackcat/ALPHV. It features a well-defined parameter configuration interface, registers a vectored exception handler, and employs similar methods for shadow copy deletion and tampering.

Security researchers at IBM X-Force also saw similarities between the two ransomware families. The researchers noted that the two ransomware families were compiled using the same toolset, likely because the new Ransomware-as-a-Service (RaaS) group has either seen the Blackcat/ALPHV code base or is using the same developers. The researchers also observed infrastructure overlaps and similarities in tools used during attacks. Cicada3301 relies on Remote Desktop Protocol (RDP) as an initial access vector, likely employing stolen credentials. The researchers noted that despite the numerous similarities, Cicada3301 is not a Blackcat/ALPHV clone, as it "embeds compromised user credentials within the ransomware itself."

Security researchers at Group-IB were able to infiltrate Cicada3301's control panel and noted that there are only a few major differences between the two: Cicada3301 has only six command line options, has no embedded configuration, uses a different naming convention in the ransom note, and its encryptor requires entering the correct initial activation key to start. The researchers noted that in Blackcat/ALPHV the access key is used to decrypt the configuration, whereas the key entered on the command line in Cicada3301 is used to decrypt the ransom note. According to security researchers at Group-IB, Cicada3301 uses ChaCha20 and RSA encryption with configurable modes, shuts down virtual machines, terminates specific processes and services, deletes shadow copies, encrypts network shares, and increases overall effectiveness by running tens of simultaneous encryption threads. Cicada3301 is aggressively marketing to recruit affiliates for the RaaS, claiming a 20% cut of the ransom payments and providing interested individuals with access to a web interface panel featuring news about the malware, victim management, chats, account information, and an FAQ section. Cicada3301 is expected to keep growing, so security researchers are warning that companies need to practice good cyber hygiene and be on the lookout for indicators of compromise.
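The behaviours described above (RDP logon as initial access, mass termination of services and processes, shadow copy deletion) are the kind of telemetry a defender can alert on before encryption completes. The following is an added example, not code from the article or from any of the researchers it cites: a small detection pass over constructed Windows-style logon and process-creation events. The command patterns it matches (vssadmin, wmic shadowcopy, taskkill, net stop, Stop-Service) are generic shadow-copy-deletion and service-kill methods, assumed here for illustration rather than taken from the page as Cicada3301's exact commands; the kill threshold and the sample events are likewise constructed.

```python
"""Toy detection pass over constructed Windows-style events, flagging sessions
that show shadow copy deletion and mass service/process kills, and noting
whether an RDP logon (logon type 10) preceded them in the same session.
All log lines below are constructed samples, not real telemetry."""
import re
from collections import defaultdict

# Constructed sample events: (timestamp, host, user, event_kind, detail)
SAMPLE_EVENTS = [
    ("2024-09-01T02:11:05", "FS01", "CORP\\jdoe", "logon", "type=10 src=203.0.113.45"),
    ("2024-09-01T02:13:40", "FS01", "CORP\\jdoe", "process", "C:\\Windows\\System32\\net.exe stop MSSQLSERVER /y"),
    ("2024-09-01T02:13:41", "FS01", "CORP\\jdoe", "process", "taskkill.exe /F /IM sqlservr.exe"),
    ("2024-09-01T02:13:42", "FS01", "CORP\\jdoe", "process", "taskkill.exe /F /IM veeam.exe"),
    ("2024-09-01T02:14:02", "FS01", "CORP\\jdoe", "process", "vssadmin.exe delete shadows /all /quiet"),
    ("2024-09-01T02:14:03", "FS01", "CORP\\jdoe", "process", "wmic.exe shadowcopy delete"),
    ("2024-09-01T09:00:00", "WS07", "CORP\\alice", "logon", "type=2 src=-"),
    ("2024-09-01T09:05:00", "WS07", "CORP\\alice", "process", "C:\\Program Files\\Office\\winword.exe"),
]

# Generic shadow-copy-deletion command shapes (assumed patterns, not page-specific IoCs)
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(", re.I),
]
# Generic service/process termination command shapes
KILL_PATTERNS = [
    re.compile(r"\bnet1?(\.exe)?\s+stop\b", re.I),
    re.compile(r"\btaskkill(\.exe)?\s+.*(/f|/im)", re.I),
    re.compile(r"Stop-Service\b", re.I),
]
KILL_THRESHOLD = 3  # assumed: this many kills in one session is worth an alert


def classify(detail):
    """Return the behaviour class of one process command line, or None."""
    if any(p.search(detail) for p in SHADOW_COPY_PATTERNS):
        return "shadow_copy_deletion"
    if any(p.search(detail) for p in KILL_PATTERNS):
        return "service_or_process_kill"
    return None


def detect(events):
    """Group events by (host, user) in arrival order; return {session: [findings]}."""
    sessions = defaultdict(lambda: {"rdp": False, "kills": 0, "shadow": 0, "after_rdp": False})
    for _ts, host, user, kind, detail in events:
        s = sessions[(host, user)]
        if kind == "logon" and re.search(r"\btype=10\b", detail):
            s["rdp"] = True  # interactive RDP logon seen in this session
        elif kind == "process":
            cls = classify(detail)
            if cls == "shadow_copy_deletion":
                s["shadow"] += 1
            elif cls == "service_or_process_kill":
                s["kills"] += 1
            if cls and s["rdp"]:
                s["after_rdp"] = True  # suspicious activity came after the RDP logon
    alerts = {}
    for key, s in sessions.items():
        findings = []
        if s["shadow"]:
            findings.append("shadow_copy_deletion")
        if s["kills"] >= KILL_THRESHOLD:
            findings.append("mass_service_kill")
        if findings and s["after_rdp"]:
            findings.append("after_rdp_logon")
        if findings:
            alerts[key] = findings
    return alerts


if __name__ == "__main__":
    for (host, user), findings in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host} {user}: {', '.join(findings)}")
```

Running the block prints one alert for the FS01/jdoe session and nothing for the benign WS07 session; the thresholds and patterns are starting points to tune against a real environment's baseline, since backup agents and administrators legitimately run some of these commands.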


Submitted by Gregory Rigby on