New Morphisec report finds links between emerging Cicada3301 ransomware and BlackCat

A new report out today from endpoint security firm Morphisec Inc. details a recently discovered form of ransomware that may have links to the infamous BlackCat ransomware family.

Called Cicada3301, the new threat was identified in a Morphisec customer environment recently and was first reported around two months ago. It is written in the Rust programming language and named after the Cicada puzzle, a complex, cyber-related problem-solving puzzle. Who exactly is behind Cicada3301 remains, in the words of Morphisec’s researchers, “shrouded in mystery.”

The report does a deep dive into the technical details of the ransomware, including the executables used in its deployment. It also uncovers additional tools used by those behind the campaign, such as EDRSandBlast, which is used to tamper with endpoint detection and response tools. Cicada3301 was also found to primarily target small to medium-sized businesses through opportunistic attacks that exploit vulnerabilities as the initial access vector.

Ransomware is a dime a dozen, but understanding where Cicada3301 comes from helps in identifying those behind it and in defending against it. The main takeaway is that the ransomware shares several core characteristics with BlackCat.

BlackCat ransomware, also known as ALPHV, first emerged in late 2021 and quickly gained prominence as a versatile ransomware strain. Written in the Rust programming language, like Cicada3301, BlackCat became infamous for its ability to evade traditional security measures by employing advanced techniques such as self-propagation, data exfiltration and multithreaded encryption processes. Notable BlackCat attacks include those against Seiko Group Corp., Reddit Inc. and MGM Resorts International Inc.

Cicada3301 was found to feature a well-defined configuration interface and to register a vectored exception handler — as BlackCat does — along with employing similar methods for shadow copy deletion and tampering. However, there are some key differences: Cicada3301 shows significant innovations, such as how it executes and how it integrates compromised credentials.

The report emphasizes the critical need for organizations to stay vigilant and proactive in their cybersecurity efforts, particularly as threats like Cicada3301 continue to evolve.

The ransomware’s approach, particularly its integration of compromised credentials and use of advanced tools, is said to signal a new level of sophistication that echoes the tactics of BlackCat but pushes them further. As Morphisec’s researchers note, Cicada3301 is not just a repetition of past threats but a clear indication that ransomware developers are constantly refining their methods to bypass existing defenses. Businesses, particularly small to medium-sized ones, must bolster their security measures and remain agile in responding to emerging threats such as Cicada3301.

Source: siliconangle.com