September 3, 2024 at 09:54AM
Cicada3301, a new ransomware variant, targets small to medium-sized businesses through opportunistic attacks. Written in Rust, it targets Windows and Linux/ESXi hosts and uses techniques similar to those of the now-defunct BlackCat operation. It encrypts files, tampers with system recovery, and evades EDR detection. Its emergence may be connected to the demise of BlackCat.
Key takeaways:
– Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs) using opportunistic attacks that exploit vulnerabilities for initial access.
– It is written in Rust and capable of targeting both Windows and Linux/ESXi hosts.
– The ransomware embeds compromised user credentials and utilizes legitimate tools like PsExec for remote program execution.
– It shares similarities with the now-defunct BlackCat (ALPHV) operation, including the use of ChaCha20 encryption, fsutil, IISReset.exe, and other techniques.
– Cicada3301 also exhibits behavior similar to other ransomware groups, such as stopping locally deployed virtual machines and terminating backup and recovery services.
– It targets a total of 35 file extensions and uses additional tools like EDRSandBlast to bypass EDR detections.
– There are indications that the group may have teamed up with the operators of the Brutus botnet to obtain initial access to enterprise networks.
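A defender-side correlation over constructed process-creation events, added here as an example that is not part of the original report: it flags any host on which two or more of the legitimate tools named above (PsExec, fsutil, IISReset.exe) run within a short window, which is the pattern a hunt for this tool chain would look for. The pipe-separated event format, the ten-minute window and the sample telemetry are assumptions.

```python
"""Correlate process-creation events for the living-off-the-land tools named in the report.

Constructed example. Assumed event format (one event per line):
  timestamp|host|user|image_path|command_line
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tools the report associates with Cicada3301 / BlackCat-style intrusions.
SUSPECT_TOOLS = {"psexec.exe", "fsutil.exe", "iisreset.exe"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    "2024-09-02T10:01:05|WS01|CORP\\svc_backup|C:\\Tools\\PsExec.exe|PsExec.exe \\\\FS01 -s cmd.exe",
    "2024-09-02T10:01:40|FS01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\fsutil.exe|fsutil fsinfo drives",
    "2024-09-02T10:02:10|FS01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\iisreset.exe|iisreset /stop",
    "2024-09-02T11:30:00|WS02|CORP\\alice|C:\\Windows\\System32\\notepad.exe|notepad.exe",
    "2024-09-02T14:00:00|WS03|CORP\\admin|C:\\Windows\\System32\\fsutil.exe|fsutil fsinfo drives",
]


def parse_event(line):
    """Split one pipe-separated event into a dict; tool is the lower-cased image basename."""
    ts, host, user, image, cmd = line.split("|", 4)
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user,
            "tool": PureWindowsPath(image).name.lower(), "cmd": cmd}


def find_tool_clusters(lines, window=WINDOW, min_tools=2):
    """Return one alert per host on which >= min_tools distinct suspect tools
    ran within `window` of each other. A single tool in isolation (an admin
    running fsutil) is not reported, which keeps the rule low-noise."""
    by_host = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["tool"] in SUSPECT_TOOLS:
            by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            tools = sorted({e["tool"] for e in cluster})
            if len(tools) >= min_tools:
                alerts.append({"host": host, "start": first["time"], "tools": tools})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_tool_clusters(SAMPLE_EVENTS):
        print(f"{alert['host']}: {', '.join(alert['tools'])} starting {alert['start']}")
```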