Cicada3301 is a new ransomware variant that has emerged as a potential successor to the now-defunct BlackCat (ALPHV) operation.
- The ransomware targets small to medium-sized businesses (SMBs), likely through opportunistic attacks exploiting vulnerabilities for initial access.
- First observed in June 2024, Cicada3301 was promoted via an advertisement on the RAMP underground forum as a ransomware-as-a-service (RaaS) platform, inviting affiliates to join.
- Targeted File Types:
  - Cicada3301 encrypts only files carrying one of 35 extensions, covering documents, spreadsheets, presentations, images, databases, and plain text: sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, raw, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm, and txt.
  - It also carries a built-in exclusion list of file names and directories that are skipped during encryption.
- Additional Tools and Techniques:
  - Deploys EDRSandBlast, which loads a vulnerable signed driver (a bring-your-own-vulnerable-driver technique) to blind endpoint detection and response (EDR) products; the BlackByte ransomware group used the same tool earlier.
  - The VMware ESXi build switches to intermittent encryption for files larger than 100 MB, and accepts a "no_vm_ss" parameter that makes it encrypt files without first shutting down the running virtual machines.
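Two of the points above, the 35-extension target list and the ESXi build's size-triggered intermittent encryption, can be turned into a forensic triage check: confirm that a file is one the encryptor would touch, predict whether it should have been encrypted fully or intermittently, and then measure per-block entropy to see which pattern the file actually shows. The Python below is an added example written for this page, not code from the Cicada3301 encryptor or from any vendor report. The 4 KiB block size, the 7.0-bit entropy cut-off, the fixture data and the alternating-block pattern are assumptions chosen for illustration; the page does not describe the encryptor's real chunking scheme.

```python
import math
import os
from random import Random

# The 35 extensions listed above that the Cicada3301 encryptor targets.
CICADA_TARGET_EXTS = frozenset("""
sql doc rtf xls jpg jpeg psd docm xlsm ods ppsx png raw dotx xltx pptx ppsm
gif bmp dotm xltm pptm odp webp pdf odt xlsb ptox mdf tiff docx xlsx xlam potm
txt
""".split())

# Size above which the ESXi build switches to intermittent encryption (100 MB).
INTERMITTENT_THRESHOLD = 100 * 1024 * 1024

# Assumptions for this example only: 4 KiB analysis blocks and a 7.0-bit
# entropy cut-off. The encryptor's actual chunk pattern is not documented here.
BLOCK_SIZE = 4096
HIGH_ENTROPY = 7.0


def is_targeted(path: str) -> bool:
    """True if the file's extension is on Cicada3301's target list (case-insensitive)."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return ext in CICADA_TARGET_EXTS


def expected_mode(size_bytes: int) -> str:
    """How the ESXi build would encrypt a file of this size: 'full' or 'intermittent'."""
    return "intermittent" if size_bytes > INTERMITTENT_THRESHOLD else "full"


def shannon_entropy(block: bytes) -> float:
    """Bits per byte of a block; random or encrypted data approaches 8.0."""
    n = len(block)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def block_entropies(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Entropy of each full block. A trailing partial block is ignored because
    its entropy is capped at log2(len) and would skew the verdict."""
    full = len(data) // block_size
    return [shannon_entropy(data[i * block_size:(i + 1) * block_size]) for i in range(full)]


def classify(data: bytes, block_size: int = BLOCK_SIZE, high: float = HIGH_ENTROPY) -> str:
    """'plaintext', 'fully_encrypted' or 'intermittent' from the mix of block entropies."""
    ents = block_entropies(data, block_size)
    if not ents:
        return "too_small"
    high_blocks = sum(1 for e in ents if e >= high)
    if high_blocks == 0:
        return "plaintext"
    if high_blocks == len(ents):
        return "fully_encrypted"
    return "intermittent"


def make_sample(n_blocks: int = 16, encrypt_every: int = 2, seed: int = 7) -> bytes:
    """Constructed fixture: repeating SQL text with every `encrypt_every`-th block
    replaced by seeded pseudo-random bytes (0 = no block replaced, 1 = every block)."""
    rng = Random(seed)
    line = b"INSERT INTO accounts VALUES (1, 'alice', 'alice@example.com');\n"
    plain = (line * (BLOCK_SIZE // len(line) + 1))[:BLOCK_SIZE]
    out = []
    for i in range(n_blocks):
        if encrypt_every and i % encrypt_every == 0:
            out.append(bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE)))
        else:
            out.append(plain)
    return b"".join(out)


def triage(path: str, data: bytes) -> dict:
    """Combine the extension check, the size rule and the entropy verdict for one file."""
    return {
        "path": path,
        "targeted_extension": is_targeted(path),
        "expected_mode": expected_mode(len(data)),
        "observed": classify(data),
    }


if __name__ == "__main__":
    # Hypothetical file names; the fixtures are generated, not real samples.
    for name, every in (("clean.sql", 0), ("encrypted.sql", 1), ("partial.sql", 2)):
        print(triage(name, make_sample(encrypt_every=every)))
```

Two caveats when using this on real evidence: several formats on the target list (jpg, png, webp, pdf, psd) are compressed and therefore high-entropy even when intact, so the entropy verdict is only meaningful for formats whose plaintext is low-entropy (sql, txt, rtf, bmp, raw) or must be paired with a magic-byte check; and the 100 MB rule is stated here only for the ESXi build, so `expected_mode` should not be applied to files from Windows hosts.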
- Connections to Other Malware Operations:
  - Cicada3301 may rely on the Brutus botnet to obtain initial access to enterprise networks.
  - The timing of BlackCat (ALPHV)'s collapse and Cicada3301's appearance suggests a possible link, either a rebranding of the same operators or a new group reusing BlackCat's techniques.
- Unrelated Group with the Same Name:
  - The Cicada 3301 group known for its online cryptographic puzzles has publicly stated that it has no connection to the ransomware operation.