Cicada3301: A New Ransomware-as-a-Service Operation

Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

Malware Analysis and Similarities with ALPHV/BlackCat

An analysis by Truesec revealed significant overlaps between Cicada3301 and ALPHV/BlackCat, suggesting a possible rebrand or a fork created by former ALPHV core team members. Key similarities include:

• Both are written in Rust.
• Both use the ChaCha20 algorithm for encryption.
• Both employ identical VM shutdown and snapshot-wiping commands.
• Both share the same user interface command parameters, file naming conventions, and ransom note decryption methods.
• Both use intermittent encryption on larger files.

ALPHV performed an exit scam in early March 2024, stealing $22 million from Change Healthcare and claiming a fake FBI takedown.

Initial Access via Brutus Botnet

Truesec’s investigation suggests that Cicada3301 may partner with or utilize the Brutus botnet for initial access to corporate networks. The Brutus botnet, associated with global VPN brute-forcing activities targeting Cisco, Fortinet, Palo Alto, and SonicWall appliances, first appeared two weeks after ALPHV shut down, aligning the timelines of both groups.

VMware ESXi Targeting

Cicada3301 operates both Windows and Linux/VMware ESXi encryptors. The VMWare ESXi Linux encryptor, analyzed by Truesec, uses a special key entered as a command line argument to launch the encryptor. This key decrypts a JSON blob containing the configuration for encrypting a device.

The main function, linux_enc, uses the ChaCha20 stream cipher for file encryption, with the symmetric key encrypted using an RSA key. The encryption keys are generated randomly using the ‘OsRng’ function.

Specific File Targeting and Encryption Methods

Cicada3301 targets specific file extensions matching documents and media files, applying intermittent encryption for files larger than 100MB and encrypting entire contents for smaller files. The encryptor appends a random seven-character extension to the file name and creates ransom notes named ‘RECOVER-[extension]-DATA.txt,’ similar to BlackCat/ALPHV encryptors.

Cicada3301 ransom note
Source: BleepingComputer

Advanced Tactics

The ransomware includes parameters such as:

• sleep: Delays the encryptor’s execution to evade detection.
• no_vm_ss: Encrypts VMware ESXi virtual machines without shutting them down first.

By default, Cicada3301 uses ESXi’s esxcli and vim-cmd commands to shut down virtual machines and delete snapshots before encryption.

Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link