New Ransomware Variant Cicada3301 Targets SMBs with Sophisticated Techniques
Cybersecurity researchers have recently unveiled a new strain of ransomware identified as Cicada3301, which bears resemblance to the now-defunct BlackCat operation (also known as ALPHV). This emerging ransomware poses a significant threat, particularly to small and medium-sized businesses (SMBs), according to a technical report released by Morphisec, a cybersecurity company. The report emphasizes that Cicada3301 appears to exploit vulnerabilities in its targets, facilitating opportunistic attacks as the primary means of gaining initial access.
Cicada3301 made its debut in June 2024 and was designed in Rust, demonstrating cross-platform capabilities by targeting both Windows and Linux/ESXi environments. The ransomware caught attention by advertising its ransomware-as-a-service (RaaS) model on the RAMP underground forum, inviting affiliates to join its operation. Notably, the executable file for Cicada3301 incorporates the compromised user’s credentials, allowing it to initiate remote executions via PsExec, a legitimate Windows tool.
Similar to BlackCat, Cicada3301 employs ChaCha20 for encryption. It also utilizes legitimate Windows commands and tools such as fsutil to assess symbolic links and encrypt redirected files, as well as IISReset.exe to halt IIS services, thereby accessing files that might otherwise be locked due to active processes. This sophisticated mechanism highlights the advanced strategies employed by attackers to compromise and manipulate their targets effectively.
Further probing into Cicada3301’s tactics reveals other parallels with BlackCat, including its methods for deleting shadow copies, disabling system recovery utilizing the bcdedit tool, and adjusting the MaxMpxCt value to handle higher traffic volumes associated with SMB PsExec requests. Additionally, the ransomware clears all event logs by leveraging the wevtutil utility, demonstrating an organized approach to obfuscating its activities.
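The living-off-the-land commands named in the two paragraphs above (fsutil, IISReset.exe, bcdedit, the MaxMpxCt registry value, wevtutil, and the shadow-copy deletion they accompany) are the part of this chain a defender can see in process-creation telemetry. The following is an added detection example, not code from Morphisec's report or from the ransomware itself: it runs a small rule set over constructed, hypothetical process-creation events (shaped loosely like Windows Security event 4688 / Sysmon event 1 fields) and correlates hits per host, because each command alone has legitimate administrative uses but several of them on one host in a short window is the ransomware's pre-encryption sequence. The host names, the parent process name, the rule names and the two-rule threshold are assumptions for the example; the MITRE ATT&CK technique IDs are the real ones for these behaviours.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (hypothetical; not real telemetry
# from any incident). "dropper.exe" is a placeholder parent process name.
SAMPLE_EVENTS = [
    {"host": "ws01",    "parent": "explorer.exe", "cmdline": r"C:\Windows\System32\notepad.exe report.txt"},
    {"host": "ws01",    "parent": "dropper.exe",  "cmdline": r"bcdedit /set {default} recoveryenabled no"},
    {"host": "ws01",    "parent": "dropper.exe",  "cmdline": r"vssadmin delete shadows /all /quiet"},
    {"host": "srv02",   "parent": "dropper.exe",  "cmdline": r"wevtutil cl Security"},
    {"host": "srv02",   "parent": "dropper.exe",  "cmdline": r"iisreset.exe /stop"},
    {"host": "srv02",   "parent": "dropper.exe",  "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /t REG_DWORD /d 65535 /f"},
    {"host": "admin01", "parent": "cmd.exe",      "cmdline": r"wevtutil qe Application /c:5"},
    {"host": "admin01", "parent": "cmd.exe",      "cmdline": r"fsutil reparsepoint query C:\data\link"},
]

# Each rule: (name, MITRE ATT&CK technique, compiled regex over the command line).
# Patterns are case-insensitive and tolerate the ".exe" suffix being present or absent.
RULES = [
    ("bcdedit disables Windows recovery", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("shadow copy deletion", "T1490",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("event log clearing via wevtutil", "T1070.001",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("IIS stopped via IISReset", "T1489",
     re.compile(r"\biisreset(\.exe)?\b.*/stop\b", re.I)),
    ("MaxMpxCt (LanmanServer) registry change", "T1112",
     re.compile(r"\bMaxMpxCt\b", re.I)),
    ("fsutil reparse point inspection", "T1083",
     re.compile(r"\bfsutil(\.exe)?\s+reparsepoint\b", re.I)),
]


def match_event(cmdline):
    """Return the (rule name, technique) pairs that fire on a single command line.
    Read-only use such as 'wevtutil qe' deliberately does not match."""
    return [(name, tech) for name, tech, rx in RULES if rx.search(cmdline)]


def correlate(events, min_rules=2):
    """Group rule hits per host and flag hosts where at least `min_rules` distinct
    rules fired. Returns (all hits per host, flagged hosts -> sorted rule names)."""
    hits = defaultdict(list)
    for ev in events:
        for name, tech in match_event(ev["cmdline"]):
            hits[ev["host"]].append({"rule": name, "technique": tech,
                                     "parent": ev["parent"], "cmdline": ev["cmdline"]})
    flagged = {}
    for host, findings in hits.items():
        distinct = sorted({f["rule"] for f in findings})
        if len(distinct) >= min_rules:
            flagged[host] = distinct
    return dict(hits), flagged


if __name__ == "__main__":
    hits, flagged = correlate(SAMPLE_EVENTS)
    for host, rules in flagged.items():
        print(f"[ALERT] {host}: {len(rules)} distinct ransomware-precursor rules: {', '.join(rules)}")
    for host, findings in hits.items():
        for f in findings:
            print(f"  {host:8} {f['technique']:10} {f['rule']:42} <- {f['cmdline']}")
```

On the constructed input, ws01 (recovery disabled plus shadow copies deleted) and srv02 (logs cleared, IIS stopped, MaxMpxCt changed) are flagged, while admin01 is not: its log query is read-only and a lone fsutil reparse-point lookup is ordinary administration. In production the same correlation would be keyed on a time window and the parent process, and the MaxMpxCt rule is best fed from registry-modification events rather than only from command lines, since the value can be changed without reg.exe.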
Investigations by Morphisec also indicate that Cicada3301 has the capability to disrupt locally deployed virtual machines (VMs), a tactic previously associated with the Megazord and Yanluowang ransomware variants. The malware is programmed to terminate various backup and recovery processes using a hard-coded list of targeted processes, further complicating recovery efforts for affected organizations.
Cicada3301 specifically targets an extensive range of file extensions, encompassing 35 different types, which include common formats such as SQL, DOC, JPG, and PDF. This extensive targeting underscores the ransomware’s potential impact on various operational aspects of businesses, particularly as many of these file types are integral to daily operations and data management.
In addition to its advanced tactics, the analysis has revealed that Cicada3301 incorporates additional tools, such as EDRSandBlast, that exploit a vulnerable signed driver to evade endpoint detection and response (EDR) systems. This technique mirrors practices previously employed by the BlackByte ransomware group, indicating a possible evolution in ransomware strategies within the cybercriminal landscape.
While the malign influence of this ransomware is profound, it is essential to note connections to broader trends in the cybersecurity space. Truesec’s analysis highlights potential links between the emergence of Cicada3301 and the activities of the Brutus botnet, which may have facilitated initial access to enterprise networks. The evolving nature of these criminal operations suggests a continuous cycle of innovation and adaptation among threat actors.
In light of its emergence, Cicada3301 has also drawn unrelated attention from a "non-political movement" of the same name, associated with cryptographic puzzles. This group has publicly distanced itself from the ransomware, asserting no involvement in its malicious activities. Nonetheless, the association has generated discussion across various forums.
For business owners and cybersecurity professionals alike, the rise of Cicada3301 serves as a stark reminder of the persistent and evolving threats posed by ransomware. By understanding the tactics outlined in the MITRE ATT&CK framework—such as initial access and privilege escalation—organizations can bolster their defenses against these intricate cyber threats. The imperative to maintain robust security protocols and incident response plans is more critical than ever, as the landscape of cybercrime continues to shift and develop.