BlackCat Ransomware Successor Cicada3301 Emerges


The Alphv/BlackCat ransomware gang may have pulled an exit scam in early March 2024, but the threat appears to have resurfaced in the form of Cicada3301, security researchers warn.

Written in Rust and showing multiple similarities with BlackCat, Cicada3301 has claimed more than 30 victims since June 2024, mainly small and medium-sized businesses (SMBs) in the healthcare, hospitality, manufacturing/industrial and retail sectors in North America and the UK.

According to a Morphisec report, several Cicada3301 core characteristics are reminiscent of BlackCat: “it features a well-defined parameter configuration interface, registers a vector exception handler, and employs similar methods for shadow copy deletion and tampering.”

The similarities between the two were observed by IBM X-Force as well, which notes that the two ransomware families were compiled using the same toolset, likely because the new ransomware-as-a-service (RaaS) group “has either seen the [BlackCat] code base or are using the same developers.”

IBM’s cybersecurity arm, which also observed infrastructure overlaps and similarities in the tools used during attacks, notes that Cicada3301 relies on Remote Desktop Protocol (RDP) as an initial access vector, most likely with stolen credentials.

Despite the many similarities, however, Cicada3301 is not a straight BlackCat clone: unlike its predecessor, it “embeds compromised user credentials within the ransomware itself”.

According to Group-IB, which has infiltrated Cicada3301’s control panel, there are only a few major differences between the two: Cicada3301 has only six command line options, has no embedded configuration, uses a different naming convention in the ransom note, and its encryptor requires the correct initial activation key in order to run.

“In contrast, where the access key is used to decrypt BlackCat’s configuration, the key entered on the command line in Cicada3301 is used to decrypt the ransom note,” Group-IB explains.


Designed to target multiple architectures and operating systems, Cicada3301 uses ChaCha20 and RSA encryption with configurable encryption modes, shuts down virtual machines, terminates specific processes and services, deletes shadow copies, encrypts network shares, and speeds up encryption by running dozens of encryption threads in parallel.

The threat actor is aggressively marketing Cicada3301 to recruit affiliates for the RaaS, taking a 20% cut of ransom payments and giving interested individuals access to a web panel with news about the malware, victim management, chats, account information, and an FAQ section.

Like many other ransomware operations, Cicada3301 exfiltrates victims’ data before encrypting it and uses the stolen data as extortion leverage.

“Their operations are marked by aggressive tactics designed to maximize impact […]. The use of a sophisticated affiliate program amplifies their reach, enabling skilled cybercriminals to customize attacks and manage victims efficiently through a feature-rich web interface,” Group-IB notes.
