Cicada3301 ransomware: How similar is it to ALPHV/BlackCat? – Go Health Pro

Analyses of the emerging Cicada3301 ransomware-as-a-service (RaaS) uncovered similarities to the defunct ALPHV/BlackCat ransomware strain, suggesting a possible rebrand of the notorious cybercrime gang.

But how similar is Cicada3301 to ALPHV/BlackCat, and are there other possible explanations for the resemblance?

An analysis of the Cicada3301 ESXi ransomware published by Truesec last Friday, and another covering the Windows variant published by Morphisec on Tuesday, offer some insights into its relationship to ALPHV/BlackCat, as well as some unique aspects of the emerging RaaS.

Timeline of ALPHV/BlackCat's fall, Cicada3301's emergence

The downfall of ALPHV/BlackCat began with a temporary shuttering of its leak site in early December, followed by an announcement by the Federal Bureau of Investigation (FBI) on Dec. 19 that law enforcement had disrupted the gang's infrastructure and developed a decryption tool for the ALPHV/BlackCat strain.

However, ALPHV/BlackCat "unseized" its site mere hours later, threatening to target critical infrastructure in retaliation. The gang continued to claim victims throughout early 2024, culminating in the massive cyberattack on Change Healthcare in February.

After this attack, the ALPHV/BlackCat site went down again in early March, displaying an apparently fake FBI takedown notice. It is strongly suspected that the gang staged an exit scam, stealing a $22 million ransom paid by Change Healthcare parent company UnitedHealth Group from one of its own affiliates.

The data from the Change Healthcare breach was subsequently brought by the affiliate to a different RaaS gang, RansomHub, which reportedly put it up for sale.

The Cicada3301 leak site posted its first victim on June 25 and was observed advertising its RaaS platform on a cybercrime forum on June 29, according to Truesec.

In the interim between ALPHV/BlackCat's disappearance and Cicada3301's first appearance, on March 18, a botnet known as Brutus began conducting activities. Truesec researchers noted that Cicada3301 appears to be associated with Brutus due to its use of an IP address tied to the botnet.

"It is possible that all these events are related and that part of the BlackCat group has now rebranded themselves as Cicada3301 and teamed up with the Brutus botnet, or even started it themselves, in order to gain access to potential victims, while they modified their ransomware into the new Cicada3301," the Truesec report states. "The group could have also teamed up with the malware developer behind ALPHV. This individual appears to have worked for several different ransomware groups in the past."

Morphisec's report noted Cicada3301 has been actively targeting victims as recently as last week, as the security company obtained the Cicada3301 executable from an attack on one of its customers a week prior to the report's publication.

Similarities between Cicada3301 and ALPHV/BlackCat

Both Truesec and Morphisec noted similarities between the two ransomware strains, which are both written in Rust and use ChaCha20 to encrypt victims' files. Rust has become a popular programming language for ransomware actors due to its efficiency and cross-platform capabilities, Morphisec wrote.

Cicada3301 and ALPHV/BlackCat use many of the same commands to prevent detection and recovery. The Windows variants both use the iisreset utility to halt Internet Information Services (IIS), likely preventing the victim from accessing the webserver and releasing file locks to enable encryption. They also both invoke the vssadmin command-line tool and Windows Management Instrumentation (WMI) to delete shadow copies, use the bcdedit utility to disable system recovery, and use wevtutil to clear all event logs, according to Morphisec.

Both Windows variants invoke fsutil to enable remote-to-local symbolic links and follow symbolic links to encrypt the redirected files. Additionally, both Cicada3301 and ALPHV/BlackCat change Server Message Block (SMB) protocol configuration to increase the Maximum Multiplex Count (MaxMpxCt) value, enabling higher network traffic volumes.

While Cicada3301 and ALPHV/BlackCat both use the "net" utility to attempt to disable a predefined list of services, Morphisec notes that there are "slight differences" in the implementation of this tactic between the two strains.
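The shared pre-encryption steps described above (iisreset, shadow-copy deletion via vssadmin and WMI, bcdedit, wevtutil, fsutil symlink evaluation, the SMB MaxMpxCt change and "net stop") are exactly what a defender can hunt for in process-creation telemetry. The following is an added example, not code from Truesec, Morphisec or the article: the regex patterns, host names and log lines are constructed here, and it flags a host only when several of these steps appear together, since any one of them is also routine administration.

```python
"""Map Windows process-creation telemetry onto the pre-encryption steps the
reports say Cicada3301 and ALPHV/BlackCat share. Patterns and sample events are
constructed for this example; real input would be Sysmon Event ID 1 or Security 4688."""
import re

# (technique label, regex over the full command line); two rules may share a label.
RULES = [
    ("iis_stopped", re.compile(r"\biisreset(\.exe)?\s+/stop\b", re.I)),
    ("shadow_copies_deleted", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copies_deleted", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("event_logs_cleared", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("remote_symlinks_enabled", re.compile(r"\bfsutil(\.exe)?\b.*\bSymlinkEvaluation\b.*\bR2L:1\b", re.I)),
    ("smb_maxmpxct_raised", re.compile(r"LanmanServer\\Parameters\b.*\bMaxMpxCt\b", re.I)),
    ("services_stopped", re.compile(r"\bnet1?(\.exe)?\s+stop\b", re.I)),
]

# Constructed telemetry: (host, command line). srv-01 shows the whole chain;
# wks-07 shows ordinary admin activity that must not be flagged on its own.
SAMPLE_EVENTS = [
    ("srv-01", "iisreset.exe /stop"),
    ("srv-01", "vssadmin.exe delete shadows /all /quiet"),
    ("srv-01", "wmic.exe shadowcopy delete"),
    ("srv-01", "bcdedit.exe /set {default} recoveryenabled No"),
    ("srv-01", "wevtutil.exe cl Security"),
    ("srv-01", "fsutil.exe behavior set SymlinkEvaluation R2L:1 R2R:1"),
    ("srv-01", r"reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /t REG_DWORD /d 65535 /f"),
    ("srv-01", "net.exe stop MSSQLSERVER /y"),
    ("wks-07", r"notepad.exe C:\Users\alice\notes.txt"),
    ("wks-07", "net.exe stop Spooler"),
]

def match_techniques(command_line):
    """Return the set of technique labels a single command line triggers."""
    return {label for label, pat in RULES if pat.search(command_line)}

def triage(events, min_techniques=3):
    """Group hits per host and return {host: sorted labels} only for hosts where
    at least min_techniques distinct recovery-inhibition steps occur together."""
    per_host = {}
    for host, cmd in events:
        per_host.setdefault(host, set()).update(match_techniques(cmd))
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_techniques}

if __name__ == "__main__":
    for host, techniques in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(techniques)}")
```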

For the Linux/ESXi variants, Truesec said that Cicada3301 and ALPHV/BlackCat use "almost identical" commands to disable virtual machines (VMs) and delete VM snapshots. On the other hand, the Windows version of Cicada3301 uses Hyper-V commands to attempt to locate and disable local VMs, which is more similar to the behavior of other ransomware strains such as Megazord and Yanluowang, according to Morphisec.

When targeting ESXi hosts, Cicada3301 and ALPHV/BlackCat both use the -ui command parameter to provide graphical output during encryption, and both use the key parameter in the same way to decrypt their respective ransom notes, Truesec noted.

Additionally, for both the Windows and Linux variants, Cicada3301 and ALPHV/BlackCat share a highly similar naming convention for their ransom notes, with Cicada3301 using RECOVER-[VictimID]-DATA.txt, while ALPHV/BlackCat used RECOVER-[VictimID]-FILES.txt.

How does Cicada3301 differ from ALPHV/BlackCat?

A few differences between Cicada3301 and ALPHV/BlackCat are noted in the reports; for example, the Cicada3301 ransomware is less sophisticated than ALPHV/BlackCat, according to Truesec.

Morphisec reports that Cicada3301 appears to opportunistically target small to medium-sized businesses, while ALPHV/BlackCat was known as a "big game hunter," going after larger organizations and seeking higher ransom payments.

One striking difference between Cicada3301 and ALPHV/BlackCat identified by Morphisec is Cicada3301's integration of compromised credentials into the ransomware code, which Morphisec said it has never seen before in a ransomware strain. Cicada3301 uses these credentials to execute psexec, which is used to run applications remotely.

"While the ransomware notes and ransomware encryption have been customized per victim, compromised credentials integrated within a ransomware is a new level of customization," the Morphisec researchers wrote.

Cicada3301 is named after a series of mysterious cryptography puzzles that appeared online in the early 2010s, although there appears to be no connection between the creator of the puzzles and the ransomware actor. No details about the operator of the Cicada3301 RaaS gang are currently available, and a rebrand of ALPHV/BlackCat is only one possibility.

Before its departure from the internet, ALPHV/BlackCat claimed to be selling its source code for $5 million, making it possible that the creator of Cicada3301 purchased and adapted the code for their own attacks.

"Regardless of whether Cicada3301 is a rebrand of ALPHV, they have a ransomware written by the same developer as ALPHV, or they have just copied parts of ALPHV to make their own ransomware, the timeline suggests the demise of BlackCat and the emergence of first the Brutus botnet and then the Cicada3301 ransomware operation may possibly be related," Truesec researchers wrote. "More investigation is needed before we can say anything for certain, however."

The emergence of Cicada3301 is not the first time ALPHV/BlackCat has been rumored to have made a comeback. The Embargo ransomware operation is also said to use Rust code with similar structure and syntax to that of ALPHV/BlackCat, which, paired with a similar leak site design, has led to speculation about a rebrand.

Additionally, it is not uncommon for ransomware groups to copy other groups, either through similar branding or by using leaked source code to create their own spinoffs. For example, the emergence of a ransomware group called DarkVault, which used branding similar to LockBit's, led to some speculation about connections between the two gangs. Several groups have also used variants of LockBit ransomware since the LockBit 3.0 builder was leaked in 2022.
