Cicada3301 ransomware: How related is it to ALPHV/BlackCat? – Model Slux

Analyses of the emerging Cicada3301 ransomware-as-a-service (RaaS) uncovered similarities to the defunct ALPHV/BlackCat ransomware strain, suggesting a possible rebrand of the infamous cybercrime gang.

But how related is Cicada3301 to ALPHV/BlackCat, and are there other potential explanations for the resemblance?

An analysis of the Cicada3301 ESXi ransomware published by Truesec last Friday, and another covering the Windows variant published by Morphisec on Tuesday, offer some insight into its relationship to ALPHV/BlackCat, as well as some unique aspects of the emerging RaaS.

Timeline of ALPHV/BlackCat’s fall, Cicada3301’s emergence

The downfall of ALPHV/BlackCat began with a brief shuttering of its leak site in early December, followed by an announcement by the Federal Bureau of Investigation (FBI) on Dec. 19 that law enforcement had disrupted the gang’s infrastructure and developed a decryption tool for the ALPHV/BlackCat strain.

However, ALPHV/BlackCat “unseized” its site mere hours later, threatening to target critical infrastructure in retaliation. The gang continued to claim victims throughout early 2024, culminating in the massive cyberattack on Change Healthcare in February.

After this attack, the ALPHV/BlackCat site went down again in early March, displaying an apparently fake FBI takedown notice. It is strongly suspected that the gang staged an exit scam, stealing a $22 million ransom paid by Change Healthcare parent company UnitedHealth Group from one of its own affiliates.

The data from the Change Healthcare breach was subsequently brought by the affiliate to a different RaaS gang, RansomHub, which reportedly put it up for sale.

The Cicada3301 leak site posted its first victim on June 25 and was observed advertising its RaaS platform on a cybercrime forum on June 29, according to Truesec.

In the interim between ALPHV/BlackCat’s disappearance and Cicada3301’s first appearance, on March 18, a botnet called Brutus began conducting activity. Truesec researchers noted that Cicada3301 appears to be associated with Brutus due to its use of an IP address tied to the botnet.

“It is possible that all these events are related and that part of the BlackCat group has now rebranded themselves as Cicada3301 and teamed up with the Brutus botnet, or even started it themselves, as a way to gain access to potential victims, while they modified their ransomware into the new Cicada3301,” the Truesec report states. “The group may have also teamed up with the malware developer behind ALPHV. This individual appears to have worked for several different ransomware groups in the past.”

Morphisec’s report noted that Cicada3301 has been actively targeting victims as recently as last week, as the security company obtained the Cicada3301 executable from an attack on one of its customers a week prior to the report’s publication.

Similarities between Cicada3301 and ALPHV/BlackCat

Both Truesec and Morphisec noted similarities between the two ransomware strains, which are both written in Rust and use ChaCha20 to encrypt victims’ files. Rust has become a popular programming language for ransomware actors due to its efficiency and cross-platform capabilities, Morphisec wrote.

Cicada3301 and ALPHV/BlackCat use many of the same commands to prevent detection and recovery. The Windows variants both use the iisreset utility to halt Internet Information Services (IIS), potentially preventing the victim from accessing the web server and releasing file locks to enable encryption. They also both manipulate the vssadmin command-line tool and invoke Windows Management Instrumentation (WMI) to delete shadow copies, manipulate the bcdedit utility to disable system recovery, and use wevtutil to clear all event logs, according to Morphisec.

Both Windows variants invoke fsutil to enable remote-to-local symbolic links and follow symbolic links to encrypt the redirected files. Additionally, both Cicada3301 and ALPHV/BlackCat change Server Message Block (SMB) protocol configuration to increase the Maximum Multiplex Count (MaxMpxCt) value, enabling higher network traffic volumes.

While Cicada3301 and ALPHV/BlackCat both use the “net” utility to attempt to disable a predefined list of services, Morphisec notes that there are “slight differences” in the implementation of this tactic between the two strains.

For the Linux/ESXi variants, Truesec stated that Cicada3301 and ALPHV/BlackCat use “almost identical” commands to disable virtual machines (VMs) and delete VM snapshots. However, the Windows version of Cicada3301 uses Hyper-V commands to attempt to locate and disable local VMs, which is more similar to the behavior of other ransomware strains such as Megazord and Yanluowang, according to Morphisec.

When targeting ESXi hosts, Cicada3301 and ALPHV/BlackCat both use -ui command parameters to provide graphical output during encryption, and share a similar method of using the key parameter to decrypt their respective ransom notes, Truesec noted.

Additionally, for both the Windows and Linux variants, Cicada3301 and ALPHV/BlackCat share a highly similar naming convention for their ransom notes: Cicada3301 uses RECOVER-[VictimID]-DATA.txt, whereas ALPHV/BlackCat used RECOVER-[VictimID]-FILES.txt.
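The command-line overlap and the ransom-note naming described above are concrete hunting material for defenders. The following is an added example written for this article (not code from Truesec, Morphisec, or either ransomware family): it matches constructed Windows process-creation events against the recovery-inhibition commands the reports list, flags a host only when several distinct techniques appear on it, and maps a ransom-note file name to the family whose convention it follows. The argument forms in the regexes, the `[VictimID]` character class, the sample events and the threshold of three techniques are all assumptions.

```python
"""Hunting helper for the recovery-inhibition commands and ransom-note names
the Truesec and Morphisec reports attribute to Cicada3301 and ALPHV/BlackCat.
Constructed example for this article; not code from either vendor or family."""
import re
from collections import defaultdict

# (label, regex) pairs for the command lines named in the reports. The exact
# argument forms are assumptions about typical usage, not quotes from the reports.
COMMAND_SIGNATURES = [
    ("iis_halt",          re.compile(r"\biisreset(\.exe)?\b", re.I)),
    ("vss_delete",        re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmi_shadow_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("eventlog_cleared",  re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("symlink_eval",      re.compile(r"\bfsutil(\.exe)?\s+behavior\s+set\s+symlinkevaluation\b", re.I)),
    ("smb_maxmpxct",      re.compile(r"\bMaxMpxCt\b", re.I)),
    ("service_stop",      re.compile(r"\bnet1?(\.exe)?\s+stop\b", re.I)),
]

# RECOVER-<VictimID>-DATA.txt (Cicada3301) vs RECOVER-<VictimID>-FILES.txt (ALPHV).
# Assumes the victim ID is alphanumeric; the reports only show it as a placeholder.
RANSOM_NOTE_RE = re.compile(
    r"^RECOVER-(?P<victim>[A-Za-z0-9]+)-(?P<suffix>DATA|FILES)\.txt$", re.I)


def match_command(cmdline):
    """Return the labels of every signature the command line matches."""
    return [label for label, rx in COMMAND_SIGNATURES if rx.search(cmdline)]


def classify_ransom_note(filename):
    """Map a ransom-note file name to (family, victim_id), or None if it
    follows neither family's convention."""
    m = RANSOM_NOTE_RE.match(filename)
    if not m:
        return None
    family = "cicada3301" if m.group("suffix").upper() == "DATA" else "alphv_blackcat"
    return family, m.group("victim")


def score_hosts(events, threshold=3):
    """Collect the distinct technique labels seen per host and return only the
    hosts reaching `threshold`. Counting distinct labels rather than raw hits
    keeps one repeated command (e.g. an admin running `net stop` twice) from
    triggering on its own; the pre-encryption chain hits several at once."""
    seen = defaultdict(set)
    for ev in events:
        for label in match_command(ev["cmdline"]):
            seen[ev["host"]].add(label)
    return {host: sorted(labels) for host, labels in seen.items()
            if len(labels) >= threshold}


# Constructed sample process-creation events (not real telemetry). ws01 shows
# benign administrative use of the same binaries; srv02 shows the clustered
# chain the reports describe; srv03 shows a single technique in isolation.
SAMPLE_EVENTS = [
    {"host": "ws01",  "cmdline": "vssadmin.exe list shadows"},
    {"host": "ws01",  "cmdline": "wevtutil qe Security /c:5"},
    {"host": "srv02", "cmdline": "iisreset.exe /stop"},
    {"host": "srv02", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv02", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "srv02", "cmdline": "wevtutil cl Security"},
    {"host": "srv02", "cmdline": "fsutil behavior set SymlinkEvaluation R2L:1 R2R:1"},
    {"host": "srv02", "cmdline": "net stop MSSQLSERVER /y"},
    {"host": "srv03", "cmdline": "net stop Spooler"},
    {"host": "srv03", "cmdline": "net stop wuauserv"},
]

if __name__ == "__main__":
    for host, labels in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(labels)}")
    for name in ("RECOVER-ABC123-DATA.txt", "RECOVER-ABC123-FILES.txt", "README.txt"):
        print(name, "->", classify_ransom_note(name))
```

Run stand-alone, only `srv02` is reported, with six distinct techniques; `ws01` (benign queries) and `srv03` (one technique) stay quiet. The per-host clustering is the important design choice: each of these commands has legitimate administrative uses, so the signal is their co-occurrence on one host in a short window, not any single hit. In a real pipeline the events would come from Sysmon Event ID 1 or Windows Security 4688 rather than the inline list.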

How does Cicada3301 differ from ALPHV/BlackCat?

A few differences between Cicada3301 and ALPHV/BlackCat are noted in the reports; for example, the Cicada3301 ransomware is less sophisticated than ALPHV/BlackCat, according to Truesec.

Morphisec reports that Cicada3301 appears to opportunistically target small to medium-sized businesses, whereas ALPHV/BlackCat was known as a “big game hunter,” going after larger organizations and seeking higher ransom payments.

One striking difference between Cicada3301 and ALPHV/BlackCat identified by Morphisec is Cicada3301’s integration of compromised credentials into the ransomware code, which Morphisec said it has never seen before in a ransomware strain. Cicada3301 uses these credentials to execute psexec, which is used to run applications remotely.

“While the ransomware notes and ransomware encryption were customized per victim, compromised credentials integrated within a ransomware is a new level of customization,” the Morphisec researchers wrote.

Cicada3301 is named after a series of mysterious cryptography puzzles that appeared online in the early 2010s, although there appears to be no connection between the creator of the puzzles and the ransomware actor. No details about the operator of the Cicada3301 RaaS gang are currently available, and a rebrand of ALPHV/BlackCat is only one possibility.

Before its departure from the internet, ALPHV/BlackCat claimed to be selling its source code for $5 million, making it possible that the creator of Cicada3301 purchased and adapted the code for their own attacks.

“Regardless of whether Cicada3301 is a rebrand of ALPHV, they have a ransomware written by the same developer as ALPHV, or they have just copied parts of ALPHV to make their own ransomware, the timeline suggests the demise of BlackCat and the emergence of first the Brutus botnet and then the Cicada3301 ransomware operation may possibly be related,” Truesec researchers wrote. “More investigation is needed before we can say anything for certain, however.”

The emergence of Cicada3301 is not the first time ALPHV/BlackCat has been rumored to have made a comeback. The Embargo ransomware operation is also said to use Rust code with structure and syntax similar to that of ALPHV/BlackCat, which, paired with a similar leak site design, has led to speculation about a rebrand.

Additionally, it is not uncommon for ransomware groups to copy other groups, either through similar branding or by using leaked source code to create their own spinoffs. For example, the emergence of a ransomware group called DarkVault, which used branding similar to LockBit’s, led to some speculation about connections between the two gangs. Several groups have also used variants of LockBit ransomware since the LockBit 3.0 builder was leaked in 2022.
