Cybersecurity experts have discovered a new ransomware strain named Cicada3301, bearing similarities to the now inactive BlackCat (also known as ALPHV) operation.
The ransomware primarily targets small and medium-sized businesses (SMBs) through opportunistic attacks that exploit system vulnerabilities, according to a report from a cybersecurity researcher.
Cicada3301, written in the Rust programming language, is capable of infecting both Windows and Linux/ESXi systems. It first appeared in June 2024, advertised on the RAMP underground forum to attract potential affiliates to its ransomware-as-a-service (RaaS) model.
One unique aspect of Cicada3301 is that the executable embeds compromised user credentials, which are then used with PsExec, a legitimate tool for running programs on remote systems.
Cicada3301 shares several characteristics with BlackCat, such as the use of the ChaCha20 encryption algorithm, the use of the fsutil command to manage symbolic links and encrypt redirected files, and the employment of IISReset.exe to stop IIS services and encrypt otherwise inaccessible files.
Other similarities include measures to delete shadow copies, disable system recovery using the bcdedit utility, increase the MaxMpxCt value to handle higher traffic volumes (e.g., SMB PsExec requests), and clear all event logs using the wevtutil utility.
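The preparation steps listed above all rely on built-in Windows tools, which is what makes them detectable in process-creation telemetry. As an added illustration (not code from the report or the researchers), the following pass over constructed process-creation records flags hosts that show several of these behaviours together; the command-line switches matched are assumptions based on how these tools are normally invoked, not details quoted from the report.

```python
"""Flag hosts showing BlackCat/Cicada3301-style pre-encryption preparation."""
import re
from collections import defaultdict

# Each rule: (behaviour category, case-insensitive regex over the command line).
# Switches are the documented built-in tool invocations for each behaviour the
# report describes; they are assumptions, not details quoted from the report.
RULES = [
    ("shadow_copy_deletion", r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"),
    ("recovery_disabled",    r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("maxmpxct_raised",      r"\breg(\.exe)?\s+add\b.*\bLanmanServer\\Parameters\b.*\bMaxMpxCt\b"),
    ("event_logs_cleared",   r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b"),
    ("iis_stopped",          r"\biisreset(\.exe)?\b.*/stop\b"),
    ("symlink_eval_changed", r"\bfsutil(\.exe)?\s+behavior\s+set\s+symlinkevaluation\b"),
]
COMPILED = [(cat, re.compile(pat, re.IGNORECASE)) for cat, pat in RULES]

def categorize(cmdline: str) -> set[str]:
    """Return every behaviour category a single command line matches."""
    return {cat for cat, rx in COMPILED if rx.search(cmdline)}

def find_staging_hosts(events, min_categories: int = 2) -> dict[str, set[str]]:
    """events: iterable of (host, command_line). A host is reported once it
    shows at least `min_categories` distinct behaviours: one log clear by an
    administrator is noise, several of these actions together are not."""
    seen = defaultdict(set)
    for host, cmdline in events:
        seen[host] |= categorize(cmdline)
    return {h: cats for h, cats in seen.items() if len(cats) >= min_categories}

# Constructed sample events for demonstration only; not taken from the report.
SAMPLE_EVENTS = [
    ("WS-FIN-07",  r"vssadmin.exe delete shadows /all /quiet"),
    ("WS-FIN-07",  r"bcdedit.exe /set {default} recoveryenabled No"),
    ("WS-FIN-07",  r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v MaxMpxCt /t REG_DWORD /d 65535 /f'),
    ("WS-FIN-07",  r"wevtutil.exe cl Security"),
    ("SRV-WEB-02", r"iisreset.exe /stop"),
    ("SRV-WEB-02", r"fsutil.exe behavior set SymlinkEvaluation R2L:1"),
    ("WS-HR-03",   r"wevtutil.exe cl Application"),  # a single clear: below threshold
    ("WS-HR-03",   r"notepad.exe C:\Users\a\notes.txt"),
]

if __name__ == "__main__":
    for host, cats in sorted(find_staging_hosts(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(sorted(cats))}")
```

Tuning `min_categories` trades missed single-step activity against false positives from legitimate administration; pairing the rule with the PsExec parent process the report describes tightens it further.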
Cicada3301 also terminates locally deployed virtual machines (VMs), a tactic previously seen with Megazord and Yanluowang ransomware. Additionally, it shuts down backup and recovery services, terminating dozens of processes from a hard-coded list.
The ransomware maintains a list of excluded files and directories during the encryption process and targets 35 file types, including SQL, DOC, RTF, XLS, JPG, JPEG, PSD, DOCM, XLSM, ODS, PPSX, PNG, RAW, DOTX, XLTX, PPTX, PPSM, GIF, BMP, DOTM, XLTM, PPTM, ODP, WEBP, PDF, ODT, XLSB, PTOX, MDF, TIFF, DOCX, XLSX, XLAM, POTM, and TXT.
The investigation also revealed that Cicada3301 uses additional tools, such as EDRSandBlast, to exploit a vulnerable signed driver and bypass Endpoint Detection and Response (EDR) systems. This technique has been previously employed by the BlackByte ransomware group.
Further analysis indicates potential links between the Cicada3301 group and the operators of the Brutus botnet, which may have been used to gain initial access to enterprise networks.
Researchers suggest that whether Cicada3301 is a direct offshoot of ALPHV, a ransomware created by the same developers, or a copycat operation, there appears to be a timeline connecting the downfall of BlackCat, the emergence of the Brutus botnet, and the rise of Cicada3301.
Attacks on VMware ESXi systems involve using intermittent encryption for files larger than 100 MB and a parameter called “no_vm_ss” to encrypt files without shutting down active virtual machines.
The emergence of Cicada3301 also led to a statement from a separate “non-political movement” of the same name, clarifying that it has no connection to the ransomware operation.
To prevent infections from ransomware like Cicada3301, organizations should strengthen their cybersecurity defenses by regularly patching vulnerabilities, implementing robust backup strategies, and employing comprehensive Endpoint Detection and Response (EDR) solutions.
Additionally, training employees on identifying phishing attempts and securing remote access points can reduce the risk of initial access through social engineering or network weaknesses.