UPDATED 09:00 EST / SEPTEMBER 03 2024

SECURITY

New Morphisec report finds links between emerging Cicada3301 ransomware and BlackCat

A new report out today from endpoint security firm Morphisec Inc. details a recently discovered form of ransomware that may have links to the infamous BlackCat ransomware family.

Called Cicada3301, the new threat was identified in a Morphisec customer environment recently and was first reported around two months ago. Written in the Rust programming language and named after the Cicada puzzle, a complex, cyber-related problem-solving puzzle, who exactly is behind Cicada3301 remains, in the words of Morphisec’s researchers, “shrouded in mystery.”

The report does a deep dive into the technical details of the ransomware, including the executables used in its deployment. Additional tools being used by those behind the ransomware campaign were also uncovered, such as EDRSandBlast, which is used to tamper with endpoint detection and response tools. Cicada3301 was also found to primarily target small to medium-sized businesses through opportunistic attacks that exploit vulnerabilities as the initial access vector.

Ransomware is a dime a dozen, but considering where Cicada3301 comes from assists in understanding those behind it and how to protect against it. The main takeaway is that the ransomware shares several core characteristics with BlackCat.

BlackCat ransomware, also known as ALPHV, first emerged in late 2021 and quickly gained prominence for being its versatile ransomware strain. Written in the Rust programming language, like Cicada3301, BlackCat became infamous for its ability to evade traditional security measures by employing advanced techniques such as self-propagation, data exfiltration and multithreaded encryption processes. Notable BlackCat attacks include those against Seiko Group Corp., Reddit Inc. and MGM Resorts International Inc.

Cicada3301 was found to feature a well-defined configuration interface and registers as a vector exception handler — as BlackCat does — along with employing similar methods for shadow copy deletion and tampering. However, there are some key differences: Cicada3301 shows significant innovations, such as how it executes and integrates compromised credentials.

The report emphasizes the critical need for organizations to stay vigilant and proactive in their cybersecurity efforts, particularly as threats like Cicada3301 continue to evolve.

The ransomware’s approach, particularly in its integration of compromised credentials and use of advanced tools, is said to signal a new level of sophistication that echoes the tactics of BlackCat but pushes them further. As Morphisec’s researchers note, Cicada3301 is not just a reiteration of past threats but a clear indication that ransomware developers are constantly refining their methods to bypass existing defenses. Businesses, particularly small to medium-sized ones, must bolster their security measures and remain agile in responding to emerging threats such as Cicada3301.

Image: SiliconANGLE/Ideogram

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU