Impress Computers is raising awareness about a newly identified ransomware variant called Cicada3301, which shares some alarming similarities with the notorious BlackCat (also known as ALPHV) ransomware operation.

Targeting Small to Medium-Sized Businesses

Cicada3301 appears to focus on small to medium-sized businesses (SMBs), exploiting vulnerabilities to gain initial access, according to a technical report by Morphisec shared with The Hacker News. This opportunistic approach highlights the need for SMBs to bolster their cybersecurity defenses, a service that Impress Computers is fully equipped to provide.

Cross-Platform Threat

Written in Rust, Cicada3301 is versatile, capable of attacking both Windows and Linux/ESXi systems. The ransomware was first observed in June 2024, with the group behind it seeking to recruit affiliates through advertisements on the RAMP underground forum. Such recruitment signals an intent to scale up their operations, making the threat even more pressing for businesses of all sizes.

Advanced Tactics and Techniques

One of the standout features of Cicada3301 is its use of compromised credentials, embedded within the ransomware executable. These credentials allow the malware to run PsExec, a legitimate tool used to execute programs remotely, further complicating detection and mitigation efforts.

Cicada3301 also shares several traits with BlackCat, including the use of the ChaCha20 encryption algorithm, and tactics like manipulating symbolic links and stopping IIS services to encrypt otherwise protected files. These sophisticated techniques underscore the importance of having robust cybersecurity measures in place, such as those offered by Impress Computers.

Comprehensive Disruption

The ransomware doesn’t stop at encryption. It also deletes shadow copies, disables system recovery, and raises the MaxMpxCt registry value so the SMB server accepts more concurrent requests per client, accommodating the traffic generated by PsExec over SMB. Additionally, it clears all event logs, a move designed to erase traces of the attack and hinder forensic investigations.

Cicada3301 also targets virtual machines, a tactic seen in other ransomware like Megazord and Yanluowang. By terminating various backup and recovery services, and stopping a hard-coded list of dozens of processes, Cicada3301 ensures maximum disruption.
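As a defender-side illustration of the host-level behaviours in this section (shadow-copy deletion, disabled recovery, MaxMpxCt tampering, cleared event logs) and the PsExec execution noted earlier, here is an added Python example that runs a few correlation rules over constructed sample telemetry. It is not code from Morphisec, Impress Computers or the report on the ransomware; the JSON-per-line log shape, host names and values are assumptions, while the event IDs and the LanmanServer registry path are the standard Windows ones.

```python
"""Host-level detection for the pre-encryption steps described above:
shadow-copy deletion, disabled recovery, MaxMpxCt tampering, cleared event
logs and PsExec service installation. Added example; the log format and
sample values are constructed, not taken from any real incident."""
import json
import re
from collections import defaultdict

# Constructed sample telemetry in a simplified JSON-per-line shape. Event ids
# follow real Windows conventions: Sysmon 1 = process creation, Sysmon 13 =
# registry value set, System 7045 = service installed, Security 1102 /
# System 104 = event log cleared. Hosts "fs01" and "ws22" are invented.
SAMPLE_LOG = r"""
{"event_id": 1, "host": "fs01", "cmd": "vssadmin.exe delete shadows /all /quiet"}
{"event_id": 1, "host": "fs01", "cmd": "bcdedit /set {default} recoveryenabled no"}
{"event_id": 13, "host": "fs01", "target": "HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\MaxMpxCt", "details": "DWORD (0x0000ffff)"}
{"event_id": 7045, "host": "fs01", "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"}
{"event_id": 1102, "host": "fs01", "channel": "Security"}
{"event_id": 1, "host": "ws22", "cmd": "vssadmin.exe list shadows"}
{"event_id": 13, "host": "ws22", "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "details": "C:\\Users\\a\\OneDrive.exe"}
"""


def _cmd(rec):
    """Command line of a process-creation record, or "" for other events."""
    return rec.get("cmd", "") if rec.get("event_id") == 1 else ""


def rule_shadow_copy_deletion(rec):
    return re.search(r"vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete",
                     _cmd(rec), re.I) is not None


def rule_recovery_disabled(rec):
    return re.search(r"bcdedit.*recoveryenabled\s+no", _cmd(rec), re.I) is not None


def rule_maxmpxct_tamper(rec):
    # Writes to LanmanServer\Parameters\MaxMpxCt are rare outside deliberate tuning.
    return (rec.get("event_id") == 13
            and rec.get("target", "").lower().endswith(r"lanmanserver\parameters\maxmpxct"))


def rule_event_log_cleared(rec):
    return (rec.get("event_id") in (1102, 104)
            or re.search(r"wevtutil(\.exe)?\s+cl\b", _cmd(rec), re.I) is not None)


def rule_psexec_service(rec):
    return rec.get("event_id") == 7045 and rec.get("service_name", "").upper() == "PSEXESVC"


RULES = {
    "shadow_copy_deletion": rule_shadow_copy_deletion,
    "recovery_disabled": rule_recovery_disabled,
    "maxmpxct_tamper": rule_maxmpxct_tamper,
    "event_log_cleared": rule_event_log_cleared,
    "psexec_service": rule_psexec_service,
}


def evaluate(log_text):
    """Return {host: set(rule names that fired)} for every record in log_text."""
    hits = defaultdict(set)
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for name, rule in RULES.items():
            if rule(rec):
                hits[rec["host"]].add(name)
    return dict(hits)


def flagged_hosts(hits, threshold=3):
    """Hosts where at least `threshold` distinct rules fired. Any single rule
    (an admin listing or even pruning shadow copies) is noisy on its own;
    several firing on the same host is the pattern worth paging on."""
    return sorted(h for h, names in hits.items() if len(names) >= threshold)


if __name__ == "__main__":
    found = evaluate(SAMPLE_LOG)
    for host in sorted(found):
        print(host, sorted(found[host]))
    print("flag:", flagged_hosts(found))
```

The threshold is the design point: each rule alone would fire on routine administration, but the report describes these actions happening together on one host ahead of encryption, so correlating distinct rules per host (and in practice per time window) is what separates staging from noise.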

Targeted File Extensions and Bypassing Security Measures

Cicada3301 is programmed to encrypt 35 specific file extensions, including critical business documents like SQL databases, Word documents, and Excel spreadsheets. Impress Computers recommends regular backups and encryption as proactive defenses against such targeted attacks.

The investigation by Morphisec also revealed the use of tools like EDRSandBlast, which exploits a vulnerable signed driver to bypass Endpoint Detection and Response (EDR) systems. This technique has been used by other ransomware groups, further complicating defense efforts.

Collaborations and Connections

There are also signs that the group behind Cicada3301 may be collaborating with the operators of the Brutus botnet to gain initial access to enterprise networks. This collaboration raises concerns about the potential scale and impact of future attacks.

“Whether Cicada3301 is a rebranding of ALPHV, developed by the same creator, or simply a copycat, the timeline suggests a possible connection between the demise of BlackCat, the rise of the Brutus botnet, and the emergence of Cicada3301,” Morphisec noted.

Threat to VMware ESXi Systems

Attacks against VMware ESXi systems by Cicada3301 include intermittent encryption for files larger than 100 MB and using a “no_vm_ss” parameter to encrypt files without shutting down running virtual machines. This capability poses a significant risk to businesses relying on virtual environments.

Public Response

Interestingly, the emergence of Cicada3301 has led to a statement from a “non-political movement” of the same name, which has engaged in cryptographic puzzles in the past, clarifying that they have no connection to the ransomware operation.

Conclusion

Impress Computers emphasizes the importance of being proactive in the face of such evolving threats. Businesses, particularly SMBs, should regularly update their cybersecurity protocols, ensure backups are up to date, and consider professional cybersecurity services to protect against sophisticated ransomware like Cicada3301.

For more information on how Impress Computers can help safeguard your business, contact us today.
