Cicada 3301 Ransomware
Cybersecurity experts have analyzed a new ransomware variant named the Cicada 3301, which shares traits with the now-discontinued BlackCat (also known as ALPHV) operation. The Cicada 3301 primarily targets small to medium-sized businesses (SMBs), exploiting vulnerabilities for initial access in opportunistic attacks.
Developed in Rust, this ransomware is designed to infect both Windows and Linux/ESXi systems. It was first spotted in June 2024, when it began recruiting affiliates for its Ransomware-as-a-Service (RaaS) platform through a post on the RAMP underground forum. One of the ransomware's distinguishing features is its embedding of compromised user credentials within the executable, which are later used to execute PsExec, a legitimate tool that enables remote program execution.
The Cicada 3301 uses the ChaCha20 cryptographic algorithm, a form of symmetric encryption, to lock files. Encrypted files have their names altered with a randomly generated seven-character extension. For example, a file originally named '1.doc' is transformed into '1.doc.f11a46a1.' Once encryption is done, the ransomware leaves a ransom note in a text file named 'RESTORE-[file_extension]-DATA.txt.'
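The naming scheme above (a random extension appended to each file, and a note named after that extension) is enough for a first triage pass on a suspect share. The following is an added example, not code from the report or from the ransomware: it locates ransom notes, reads the extension out of the note name, and lists the files renamed with it, over a constructed sample tree.

```python
import re
import tempfile
from pathlib import Path

# Ransom note name pattern from the text: RESTORE-<extension>-DATA.txt
NOTE_RE = re.compile(r"^RESTORE-([0-9A-Za-z]+)-DATA\.txt$")


def find_cicada_artifacts(root):
    """Walk `root`, find ransom notes, and for each extension they name,
    collect the files that carry that extension.
    Returns {extension: sorted list of relative paths}."""
    root = Path(root)
    exts = set()
    for p in root.rglob("RESTORE-*-DATA.txt"):
        m = NOTE_RE.match(p.name)
        if m:
            exts.add(m.group(1))
    hits = {ext: [] for ext in sorted(exts)}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        for ext in exts:
            # Encrypted files keep their original name and gain ".<ext>"
            if p.name.endswith("." + ext) and p.name != "RESTORE-" + ext + "-DATA.txt":
                hits[ext].append(p.relative_to(root).as_posix())
    return {ext: sorted(paths) for ext, paths in hits.items()}


def build_sample_tree():
    """Constructed sample tree (not real victim data) mirroring the
    naming in the text: '1.doc' becomes '1.doc.f11a46a1'."""
    d = Path(tempfile.mkdtemp())
    (d / "RESTORE-f11a46a1-DATA.txt").write_text("constructed note")
    (d / "1.doc.f11a46a1").write_bytes(b"\x00" * 16)
    (d / "sub").mkdir()
    (d / "sub" / "report.xlsx.f11a46a1").write_bytes(b"\x00" * 16)
    (d / "untouched.txt").write_text("plain")
    return str(d)
```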
The Demands of the Attackers behind the Cicada 3301 Ransomware
The ransom note left by the Cicada 3301 makes it clear that the ransomware is designed to target businesses. It informs the victim that their network has been compromised, files encrypted, and backups erased. Additionally, it warns that a significant amount of sensitive data has been stolen from the network.
The attackers demand payment for the decryption tool and for the deletion of the exfiltrated data. If these demands are not met, they threaten to leak the stolen information and notify regulatory authorities, as well as the victim's customers, partners and competitors.
As a demonstration that file recovery is possible, the hackers propose to decrypt one file for free. The note also cautions against attempting to decrypt or alter the encrypted files, as doing so could lead to permanent data loss.
Similarities with Previous Ransomware Threats
The Cicada3301 shares several tactics with BlackCat, including the use of ChaCha20 encryption, the fsutil command to assess symbolic links and encrypt redirected files, and IISReset.exe to halt IIS services so that files which might otherwise be locked against modification or deletion can be encrypted.
Additional similarities to BlackCat include actions to remove shadow copies, disable system recovery using the bcdedit utility, increase the MaxMpxCt value to handle larger traffic volumes (such as SMB PsExec requests), and wipe all event logs using the wevtutil utility.
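Each of the pre-encryption steps listed in the two paragraphs above leaves a process-creation event behind, and the combination on one host is a far stronger signal than any single command. The following is an added example, not code from the report: it matches the named tools against constructed process-creation events and flags hosts where several distinct behaviours fire. The exact command switches (vssadmin/wmic for shadow copies, the fsutil SymlinkEvaluation and bcdedit recoveryenabled forms) are assumed from common ransomware usage; the text names only the tools.

```python
import re
from collections import defaultdict

# Command-line patterns for the behaviours named in the text. Concrete
# switches are assumed (common usage), the tool names come from the text.
RULES = {
    "fsutil_symlink_eval": re.compile(r"\bfsutil(\.exe)?\s+behavior\s+set\s+SymlinkEvaluation\b", re.I),
    "iis_stop":            re.compile(r"\biisreset(\.exe)?\b.*\s/stop\b", re.I),
    "shadow_copy_delete":  re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "bcdedit_recovery":    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "maxmpxct_tamper":     re.compile(r"\breg(\.exe)?\s+add\b.*\bMaxMpxCt\b", re.I),
    "eventlog_wipe":       re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "psexec_launch":       re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I),
}


def match_rules(cmdline):
    """Return the sorted names of every rule matching one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def score_hosts(events, threshold=3):
    """Group events by host and report hosts where at least `threshold`
    distinct behaviours fired. A lone hit (an admin clearing one log)
    stays below the bar; the chain is what resembles the ransomware."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_rules(ev["cmdline"]))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}


# Constructed sample events (not real telemetry); the field shape loosely
# follows a Sysmon process-creation record.
SAMPLE_EVENTS = [
    {"host": "FS01", "cmdline": r"fsutil behavior set SymlinkEvaluation R2L:1"},
    {"host": "FS01", "cmdline": r"bcdedit /set {default} recoveryenabled no"},
    {"host": "FS01", "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"},
    {"host": "FS01", "cmdline": r"wevtutil cl Security"},
    {"host": "WEB02", "cmdline": r"iisreset.exe /stop"},
    {"host": "ADMIN7", "cmdline": r"wevtutil cl Application"},
]
```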
The Cicada 3301 Ransomware Targets 35 Different Filetypes
The Cicada3301 has also been observed stopping locally deployed virtual machines (VMs), a behavior previously adopted by the Megazord Ransomware and the Yanluowang Ransomware, and terminating various backup and recovery services as well as a hard-coded list of dozens of processes.
Besides maintaining a built-in list of excluded files and directories during the encryption process, the ransomware targets a total of 35 file extensions - sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, raw, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm, and txt.
Researchers have also uncovered additional tools like EDRSandBlast that weaponize a vulnerable signed driver to bypass EDR detections, a practice also adopted by the BlackByte Ransomware group in the past.
The ransom note generated by the Cicada 3301 Ransomware reads:
'*** Welcome to Cicada3301 ***
** What Happened? **
Your computers and servers are encrypted, your backups are deleted.
We use strong encryption algorithms, so you won't be able to decrypt your data.
You can recover everything by purchasing a special data recovery program from us.
This program will restore your entire network.
** Data Leak **
We have downloaded more than 1500 GB of your company data.
Contact us, or we will be forced to publish all your data on the Internet
and send it to all regulatory authorities in your country, as well as to your customers, partners, and competitors.
We are ready to:
Provide you with proof that the data has been stolen;
Delete all stolen data;
Help you rebuild your infrastructure and prevent similar attacks in the future;
** What Guarantees? **
Our reputation is of paramount importance to us.
Failure to fulfill our obligations means not working with you, which is against our interests.
Rest assured, our decryption tools have been thoroughly tested and are guaranteed to unlock your data.
Should any problems arise, we are here to support you. As a goodwill gesture,
we are willing to decrypt one file for free.
** How to Contact us? **
Using TOR Browser:
1) You can download and install the TOR browser from this site: hxxps://torproject.org/
2) Open our website:
WARNING: DO NOT MODIFY or attempt to restore any files on your own. This can lead to their permanent loss.'