Cicada ransomware may be a BlackCat/ALPHV rebrand and upgrade

Researchers find many similarities, and nasty new customizations such as embedded compromised user credentials


The Cicada3301 ransomware, which has claimed at least 20 victims since it was spotted in June, shares "striking similarities" with the notorious BlackCat ransomware, according to security researchers at Israeli endpoint security outfit Morphisec.

Morphisec’s threat intelligence team on Tuesday published an analysis of Cicada3301 that asserts it was coded in Rust – just like BlackCat.

Cicada shares other characteristics with BlackCat, including how it tries to delete the shadow copies that Windows Server creates as point-in-time replicas of useful files. Deleting those copies makes recovery from ransomware harder. The malware manipulates Windows' Volume Snapshot Service through the vssadmin utility, which manages the shadow copies, and then calls on Windows Management Instrumentation (WMI). It also tampers with boot configuration through the "bcdedit" utility in an attempt to prevent victims from recovering encrypted systems.

Morphisec also spotted customizations such as embedding compromised user credentials within the ransomware, and then executing the malware with those valid credentials using a renamed copy of PsExec, the Sysinternals remote execution tool.
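The behaviours described in the two paragraphs above (shadow-copy deletion through vssadmin and WMI, bcdedit tampering with boot recovery, and execution through a renamed PsExec) are exactly what a process-creation detection rule set looks for. The following is an added example, not code from Morphisec or the article, that runs such rules over constructed process-creation records shaped like Sysmon Event ID 1 fields. The event contents, host names and the `PSEXEC_ORIGINAL_NAMES` values are assumptions made for the demo; a real deployment would feed the same logic from the EDR or SIEM event stream.

```python
"""Detection logic for shadow-copy deletion, boot-recovery tampering and a
renamed PsExec, evaluated over constructed process-creation records.
Added example: the records imitate Sysmon Event ID 1 fields but are invented."""

import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str                   # full path of the newly created process
    command_line: str
    original_file_name: str = ""  # PE version-resource name, as Sysmon records it
    parent_image: str = ""


def _cmd(ev: ProcessEvent) -> str:
    return ev.command_line.lower()


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# PsExec keeps its version-resource name even when the file on disk is renamed,
# so a mismatch between OriginalFileName and the image name is the signal.
# These resource names are assumed values for the example.
PSEXEC_ORIGINAL_NAMES = {"psexec.c", "psexec64.c"}

# Each rule: (rule name, MITRE ATT&CK technique for context, predicate on the event)
RULES = [
    ("shadow_copy_delete_vssadmin", "T1490",
     lambda ev: _base(ev.image) == "vssadmin.exe"
     and re.search(r"\bdelete\s+shadows\b|\bresize\s+shadowstorage\b", _cmd(ev))),
    ("shadow_copy_delete_wmi", "T1490",
     lambda ev: _base(ev.image) == "wmic.exe"
     and re.search(r"\bshadowcopy\b.*\bdelete\b", _cmd(ev))),
    ("boot_recovery_tamper_bcdedit", "T1490",
     lambda ev: _base(ev.image) == "bcdedit.exe"
     and re.search(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", _cmd(ev))),
    ("renamed_psexec", "T1569.002",
     lambda ev: ev.original_file_name.lower() in PSEXEC_ORIGINAL_NAMES
     and _base(ev.image) not in {"psexec.exe", "psexec64.exe"}),
]


def evaluate(events):
    """Return (rule_name, technique, event) for every rule that matches an event."""
    hits = []
    for ev in events:
        for name, technique, pred in RULES:
            if pred(ev):
                hits.append((name, technique, ev))
    return hits


def hits_by_host(events):
    """Group matched rule names per host so a multi-stage chain on one machine stands out."""
    out = {}
    for name, _, ev in evaluate(events):
        out.setdefault(ev.host, set()).add(name)
    return out


# Constructed sample telemetry: a recovery-inhibition chain plus a renamed PsExec on
# ws-042, and two benign administrative events on ws-017 that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent("ws-042", r"corp\svc_backup", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet", "VSSADMIN.EXE", r"C:\ProgramData\upd.exe"),
    ProcessEvent("ws-042", r"corp\svc_backup", r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic shadowcopy delete", "wmic.exe", r"C:\ProgramData\upd.exe"),
    ProcessEvent("ws-042", r"corp\svc_backup", r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {default} recoveryenabled no", "bcdedit.exe", r"C:\ProgramData\upd.exe"),
    ProcessEvent("ws-042", r"corp\svc_backup", r"C:\ProgramData\upd.exe",
                 r"upd.exe \\srv-01", "psexec.c", r"C:\Windows\explorer.exe"),
    ProcessEvent("ws-017", r"corp\admin.jdoe", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin list shadows", "VSSADMIN.EXE", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("ws-017", r"corp\admin.jdoe", r"C:\Tools\PsExec.exe",
                 r"PsExec.exe \\srv-02 hostname", "psexec.c", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for name, technique, ev in evaluate(SAMPLE_EVENTS):
        print(f"{ev.host:7} {technique:9} {name:30} {ev.command_line}")
    print(hits_by_host(SAMPLE_EVENTS))
```

The `renamed_psexec` rule deliberately leaves the un-renamed `C:\Tools\PsExec.exe` event alone: legitimate administrators use the tool, and the suspicious property is the mismatch between the file name on disk and the name baked into the binary. Grouping hits per host is what turns four individually noisy signals into one high-confidence alert.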

"While the ransomware notes and ransomware encryption have been customized per victim, compromised credentials integrated within a ransomware is a new level of customization," the researchers wrote in a report [PDF].

Like the puzzles

The ransomware is named after the three Cicada 3301 puzzles posted online between 2012 and 2014. The third remains unsolved, and the puzzles' creator(s) remain a mystery – just like the developers of the Cicada3301 ransomware.

Morphisec's technical analysis of the ransomware also includes indicators of compromise. That's especially useful, because the developers continue to improve the malware's anti-detection capabilities.

Two Cicada samples that have been active during the past two weeks show static detection counts on VirusTotal of 0 – meaning that no vendors have yet flagged the file as malicious – and 1, the latter having recently been flagged by CrowdStrike Falcon.

A month-old sample shows 24 detections. Between August 4 and August 7 – during which various vendors' endpoint products began flagging the malware – the developers increased the size of the ransomware from about 7MB to 17MB, according to Morphisec CTO Michael Gorelik. He told The Register that this "may be one of the challenges" with detection.

Additionally, the mystery developers "moved from 64bit to 32bit, and changed some of the sections while introducing some additional obfuscation," Gorelik added.
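The three attributes Gorelik describes changing between builds (file size, 32- versus 64-bit machine type, and the section layout) can all be read from the PE headers without executing anything. The following is an added example, not code from Morphisec or the article, that parses those headers with only the standard library and diffs two builds. The two inputs are constructed skeleton PE images built by `build_minimal_pe` for the demo (including the made-up `.xcode` section name), not Cicada3301 samples; for real files the same fields are what a library such as `pefile` exposes.

```python
"""Static triage of PE files: machine type, section names and size, and a diff of
those attributes between two builds.  Added example; the inputs are constructed
minimal PE skeletons, not real samples."""

import struct

IMAGE_FILE_MACHINE = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0xAA64: "ARM64"}

# COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
COFF_HEADER = struct.Struct("<HHIIIHH")
# Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def triage_pe(data: bytes) -> dict:
    """Return machine type, bitness, size and section list for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = COFF_HEADER.unpack_from(data, coff_off)
    sect_off = coff_off + COFF_HEADER.size + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, _, rawsize, *_ = SECTION_HEADER.unpack_from(
            data, sect_off + i * SECTION_HEADER.size)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize})
    return {"machine": IMAGE_FILE_MACHINE.get(machine, hex(machine)),
            "is_64bit": machine == 0x8664,
            "size_bytes": len(data),
            "sections": sections}


def diff_builds(old: bytes, new: bytes) -> dict:
    """Summarise what changed between two builds of the same program."""
    a, b = triage_pe(old), triage_pe(new)
    old_names = {s["name"] for s in a["sections"]}
    new_names = {s["name"] for s in b["sections"]}
    return {"bitness_changed": a["is_64bit"] != b["is_64bit"],
            "machine": (a["machine"], b["machine"]),
            "size_delta_bytes": b["size_bytes"] - a["size_bytes"],
            "sections_added": sorted(new_names - old_names),
            "sections_removed": sorted(old_names - new_names)}


def build_minimal_pe(machine: int, section_names, padding: int = 0) -> bytes:
    """Construct a bare, non-runnable PE skeleton with the given machine type and
    section names (test input for the example only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    opt_size = 0xF0 if machine == 0x8664 else 0xE0   # PE32+ vs PE32 optional header
    coff = COFF_HEADER.pack(machine, len(section_names), 0, 0, 0, opt_size, 0x0102)
    optional = bytes(opt_size)
    headers = b"".join(
        SECTION_HEADER.pack(n.encode().ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                            0x200, 0, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + optional + headers + bytes(padding)


# Constructed stand-ins for an older 64-bit build and a newer, larger 32-bit build.
OLD_BUILD = build_minimal_pe(0x8664, [".text", ".rdata", ".data"])
NEW_BUILD = build_minimal_pe(0x014C, [".text", ".rdata", ".data", ".xcode"], padding=4096)

if __name__ == "__main__":
    print(triage_pe(OLD_BUILD))
    print(triage_pe(NEW_BUILD))
    print(diff_builds(OLD_BUILD, NEW_BUILD))
```

Recording these header attributes for every variant, alongside the hash, gives a triage analyst a cheap way to notice that a "new" sample is a re-targeted build of a known family rather than a genuinely new program, even while static scanner results lag behind.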

"It seems that either they or someone else were uploading a lot of chunks from the old samples to test for detection. Possibly they were working during the past month on reduction of static detection, and it seems that this worked for them," he said.

Morphisec spotted the malware in one of its customers' environments last week after the ransomware bypassed an unnamed "leading" endpoint detection and response product. The researchers also found the ransomware using EDRSandBlast, a tool that detects monitoring by endpoint detection and response products and is often used to tamper with endpoint security software.

SMBs in the crosshairs

Since June 18, Cicada has infected at least 13 small- and medium-sized businesses, five mid-sized organizations, and three enterprises in North America and England, Gorelik wrote in a Tuesday post. Attackers who deployed the code sought payment in Bitcoin and Monero.

"With the limited visibility Morphisec researchers currently have, it appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," he observed.

Meanwhile, Truesec threat hunters previously noted that the first data dump on the leak site of the group behind Cicada3301 is dated June 25. Four days later, the crew invited affiliates to join their ransomware-as-a-service platform.

The timing of Cicada3301's debut is significant, given that BlackCat's operators, an outfit known as ALPHV, have been of great interest to investigators since the ransomware was infamously used to cripple US pharmacies and hospitals that use Change Healthcare's insurance and billing services earlier this year.

Before the Change Healthcare attack, in December 2023, an FBI-led operation seized ALPHV/BlackCat's websites and released a decryptor tool.

Then in March, after an affiliate locked up Change's IT systems, ALPHV pulled an exit scam shortly after the ransom was allegedly paid.

Upgrading BlackCat to Cicada3301 with better EDR evasion – and a rebrand – may have been a play to keep the criminal crew in business. ®
