Friend
Professional
The emergence of a new group raises more and more questions about its origin.
Truesec experts spoke about the new cybercriminal group Cicada3301, which, working on the RaaS model, has already attacked 19 victims around the world and puzzled security researchers.
The name Cicada3301 is borrowed from the famous online game of 2012-2014, which was distinguished by complex cryptographic puzzles. However, the original project has nothing to do with the new cybercriminal group and categorically condemns its actions.
Cicada3301 cyberattacks were first recorded on June 6, although the official announcement of the start of the operation appeared only on June 29 on the RAMP forum. This indicates that the group acted independently before engaging partners.
Similar to other ransomware operations, Cicada3301 employs double-extortion tactics. First, attackers penetrate corporate networks, steal data, and then encrypt devices. Encryption keys and data leak threats are used as a means of pressuring victims into paying a ransom.
Truesec found significant similarities between Cicada3301 and ALPHV/BlackCat. Experts suggest that Cicada3301 may be a renamed version of ALPHV or a derivative of it created by former members of the group. Both ransomware families are written in the Rust language, use the ChaCha20 algorithm for encryption, and apply the same commands to shut down virtual machines and delete images, as well as a common filename format with instructions on how to recover data.
Cicada3301 used compromised credentials for the initial attack, carried out through the ScreenConnect remote access program. Truesec also found that the IP address used for the attack is associated with the Brutus botnet, which has previously been seen in large-scale attacks on VPN devices such as Cisco, Fortinet, Palo Alto, and SonicWall. The timing of Brutus' activity coincides with the discontinuation of ALPHV, reinforcing speculation about a link between the two groups.
Cicada3301 pays special attention to the attack on VMware ESXi environments, which is confirmed by the analysis of the ransomware for Linux/VMware ESXi, which requires entering a special key to start the operation. The main function of the ransomware uses the ChaCha20 stream cipher to encrypt files and then encrypts the symmetric key using RSA. At the same time, attackers target files of certain extensions, using intermediate encryption for large files.
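The paragraph above says the ESXi payload encrypts large files only partially ("intermediate encryption"), which in ransomware analysis usually means intermittent encryption: some segments of a file are ChaCha20-encrypted and others are left as plaintext. From a defender's side, that leaves a distinctive fingerprint, since a fully random or compressed file has uniformly high entropy while a partially encrypted one alternates between high- and low-entropy segments. The script below is an added, stand-alone example (not code from Truesec or from the article) that profiles a file's entropy per chunk and classifies it as plain, fully high-entropy, or intermittently encrypted. The sample files, the 4096-byte chunk size and the entropy thresholds are constructed assumptions for illustration, not values taken from the Cicada3301 sample.

```python
import math
import os
from collections import Counter

# Assumed chunk size and thresholds (constructed for this example; tune on real data).
CHUNK_SIZE = 4096
HIGH_ENTROPY = 7.5   # bits/byte; ChaCha20 output and compressed data sit near 8.0
LOW_ENTROPY = 6.0    # bits/byte; natural-language text and most structured data sit below this


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of every fixed-size chunk of the file, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE,
             high: float = HIGH_ENTROPY, low: float = LOW_ENTROPY) -> str:
    """Label a file by the shape of its entropy profile.

    'fully_high_entropy' : every chunk looks random (whole-file encryption, or a
                           legitimately compressed/encrypted format such as zip or media).
    'intermittent'       : high-entropy chunks interleaved with low-entropy ones, the
                           pattern partial/intermittent encryption leaves behind.
    'plain'              : no chunk looks random.
    """
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return "empty"
    flags = [e >= high for e in ents]
    high_frac = sum(flags) / len(flags)
    has_low = any(e <= low for e in ents)
    # Count high<->low transitions; intermittent encryption produces several of them,
    # whereas a file with a single encrypted trailer or header produces at most one.
    transitions = sum(1 for a, b in zip(flags, flags[1:]) if a != b)
    if high_frac == 1.0:
        return "fully_high_entropy"
    if has_low and high_frac >= 0.2 and transitions >= 2:
        return "intermittent"
    return "plain"


# --- Constructed sample inputs (not real files) ---------------------------------
_TEXT_BLOCK = (b"Quarterly report: revenue figures, notes and action items.\n" * 80)[:CHUNK_SIZE]
SAMPLE_PLAIN = _TEXT_BLOCK * 8                       # 8 chunks of readable text
SAMPLE_RANDOM = os.urandom(CHUNK_SIZE * 8)           # stand-in for a fully encrypted file
SAMPLE_INTERMITTENT = b"".join(                      # every other chunk "encrypted"
    os.urandom(CHUNK_SIZE) if k % 2 == 0 else _TEXT_BLOCK for k in range(8)
)


def scan_samples() -> dict:
    """Run the classifier over the constructed samples; returns {name: label}."""
    return {
        "plain": classify(SAMPLE_PLAIN),
        "random": classify(SAMPLE_RANDOM),
        "intermittent": classify(SAMPLE_INTERMITTENT),
    }


if __name__ == "__main__":
    for name, label in scan_samples().items():
        print(f"{name:14s} -> {label}")
```

Running it prints one label per constructed sample. On a real host this profile would be applied to files modified during the suspected incident window; the intermittent label is the useful one, because compressed archives, disk images and media files are fully high-entropy by nature and would otherwise flood a naive "high entropy means encrypted" rule with false positives.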
Cicada3301 also uses techniques that make it difficult to recover data after the attack. For example, the ransomware can encrypt VMware ESXi VMs without first shutting them down, which further complicates recovery.
It is possible that Cicada3301 is a rebirth of the BlackCat group or the result of their cooperation with the Brutus botnet to gain access to victims. Another version is also possible, according to which the ALPHV code was purchased and adapted by other cybercriminals, since at one time BlackCat announced the sale of the source code of its ransomware for $5 million.
All the facts point to Cicada3301 being operated by experienced cybercriminals who know their stuff. Their successful attacks on companies and the serious damage they cause to corporate networks indicate that this group poses a significant threat to business. Cicada3301's focus on VMware ESXi environments underscores their strategic approach to maximizing damage and reaping the benefits of the ransom.
Source