Cicada ransomware may be a BlackCat/ALPHV rebrand and upgrade

September 4, 2024 at 10:37AM

The Cicada3301 ransomware, linked to at least 20 victims since June, shares similarities with BlackCat ransomware. It is coded in Rust and targets Windows' Volume Snapshot Service, manipulating the shadow copies. The malware also embeds user credentials and customizes ransom notes per victim. Its anti-detection capabilities and its target set, primarily SMBs, are concerning.

Based on the meeting notes, here are some key takeaways:

1. The Cicada3301 ransomware shares similarities with the BlackCat ransomware, such as being coded in Rust and attempting to delete shadow copies to make recovery harder.
2. The ransomware has been observed customizing notes and encryption for each victim, including embedding compromised user credentials within the ransomware and executing the malware with valid credentials using a renamed copy of the Sysinternals remote management tool PsExec.
3. Recent samples of Cicada ransomware have shown an increase in size, obfuscation, and anti-detection capabilities, making them challenging for security vendors to detect.
4. The ransomware has primarily targeted small to medium-sized businesses through opportunistic attacks that exploit vulnerabilities as the initial access vector.
5. The timing of Cicada3301's debut coincides with the end of the BlackCat operation, and it may have been a strategic move to keep the criminal crew in business.
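Two of the behaviours listed above, shadow copy deletion and execution through a renamed PsExec, leave recognisable traces in process-creation telemetry. The following detection logic is an added example, not code from the article or from any vendor; it assumes Sysmon-style event fields (Image, CommandLine, OriginalFileName) and that Sysmon records PsExec's PE version-resource OriginalFilename as "psexec.c", and it runs over constructed sample events.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation (EventID 1) records; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "OriginalFileName": "VSSADMIN.EXE"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "OriginalFileName": "wmic.exe"},
    {"Image": r"C:\Temp\svchost.exe",  # constructed: PsExec renamed to blend in
     "CommandLine": r"svchost.exe \\FILESRV01 -u CORP\svc_backup -s cmd.exe",
     "OriginalFileName": "psexec.c"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "OriginalFileName": "svchost.exe"},
]

# Command lines that remove Volume Shadow Copies (the recovery-hampering step above).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\bdelete\b", re.I),
]

# Assumed: PE version-resource OriginalFilename that Sysmon logs for Sysinternals PsExec.
PSEXEC_ORIGINAL_NAME = "psexec.c"
PSEXEC_EXPECTED_IMAGES = {"psexec.exe", "psexec64.exe"}


def classify(event: dict) -> list[str]:
    """Return detection tags for one process-creation event (empty if nothing matched)."""
    tags = []
    cmd = event.get("CommandLine", "")
    if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
        tags.append("shadow_copy_deletion")
    image_name = PureWindowsPath(event.get("Image", "")).name.lower()
    # A PsExec binary whose on-disk name no longer matches its original name is suspicious.
    if (event.get("OriginalFileName", "").lower() == PSEXEC_ORIGINAL_NAME
            and image_name not in PSEXEC_EXPECTED_IMAGES):
        tags.append("renamed_psexec")
    return tags


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, tags) for every event that triggered at least one rule."""
    return [(i, t) for i, e in enumerate(events) if (t := classify(e))]


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(tags)}")
```

A legitimately named PsExec64.exe run by administrators produces no tag, so the renamed-PsExec rule only fires on the mismatch, not on PsExec use as such.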

These clear takeaways provide a concise summary of the main points discussed in the meeting notes.
