Analyses of the emerging Cicada3301 ransomware-as-a-service (RaaS) uncovered similarities to the defunct ALPHV/BlackCat ransomware strain, suggesting a potential rebrand of the notorious cybercrime gang.
But how similar is Cicada3301 to ALPHV/BlackCat, and are there other possible explanations for the resemblance?
An analysis of the Cicada3301 ESXi ransomware published by Truesec last Friday, and another covering the Windows variant published by Morphisec Tuesday, offer some insights into its relationship to ALPHV/BlackCat, as well as some unique aspects of the emerging RaaS.
Timeline of ALPHV/BlackCat’s fall, Cicado3301’s emergence
The downfall of ALPHV/BlackCat began with a temporary shuttering of its leak site in early December, followed by an announcement by the Federal Bureau of Investigation (FBI) on Dec. 19 that law enforcement disrupted the gang’s infrastructure and developed a decryption tool of the ALPHV/BlackCat strain.
However, ALPHV/BlackCat “unseized” its site mere hours later, threatening to target critical infrastructure in retaliation. The gang continued to claim victims throughout early 2024, culminating in the massive cyberattack on Change Healthcare in February.
After this attack, the ALPHV/BlackCat site went down again in early March, displaying an apparently fake FBI takedown notice. It is strongly suspected that the gang staged an exit scam, stealing a $22 million ransom paid by Change Healthcare parent company UnitedHealth Group from one of its own affiliates.
The data from the Change Healthcare breach was subsequently brought by the affiliate to a different RaaS gang, RansomHub, which reportedly put it up for sale.
The Cicada3301 leak site posted its first victim on June 25 and was observed advertising its RaaS platform on a cybercrime forum on June 29, according to Truesec.
In the interim between ALPHV/BlackCat’s disappearance and Cicada3301’s first appearance, on March 18, a botnet known as Brutus began conducting activities. Truesec researchers noted that Cicada3301 appears to be associated with Brutus due to it use of an IP address tied to the botnet.
“It is possible that all these events are related and that part of the BlackCat group has now rebranded themselves as Cicada3301 and teamed up with the Brutus botnet, or even started it themselves, as a means to gain access to potential victims, while they modified their ransomware into the new Cicada3301,” the Truesec report states. “The group could have also teamed up with the malware developer behind ALPHV. This individual appears to have worked for several different ransomware groups in the past.”
Morphisec’s report noted Cicada3301 has been actively targeting victims as recently as last week, as the security company obtained the Cicada3301 executable from an attack on one of its customers a week prior to the report’s publication.
Similarities between Cicada3301 and ALPHV/BlackCat
Both Truesec and Morphisec noted similarities between the two ransomware strains, which are both written in Rust and use ChaCha20 to encrypt victims’ files. Rust has become a popular programming language for ransomware actors due to its efficiency and cross-platform capabilities, Morphisec wrote.
Cicada3301 and ALPHV/BlackCat use many of the same commands to prevent detection and recovery. The Windows variants both use the iisreset utility to halt Internet Information Services (IIS), potentially preventing the victim from accessing the webserver and releasing locks to enable file encryption. They also both manipulate the vssadmin command-line tool and invoke Windows Management Instrumentation (WMI) to delete shadow copies, manipulate the bcdedit utility to disable system recovery and use wevtutil to clear all event logs, according to Morphisec.
Both ransomware types for Windows invoke fsutils to enable remote to local symbolic links and follow symbolic links to encrypt the redirected files. Additionally, both Cicada3301 and ALPHV/BlackCat change Server Message Block (SMB) protocol configurations to increase the Maximum Multiplex Count (MaxMpxCt) Value, enabling higher network traffic volumes.
While Cicada3301 and ALPHV/BlackCat both use the “net” utility to attempt to disable a predefined list of services, Morphisec notes that there are “slight differences” in the implementation of this tactic between the two strains.
For the Linux/ESXi variants, Truesec stated that Cicada3301 and ALPHV/BlackCat use “almost identical” commands to disable virtual machines (VMs) and delete VM snapshots. On the other hand, the Windows version of Cicada3301 uses Hyper-V commands to attempt to discover and disable local VMs, which is more similar to the behavior of other ransomware strains like Megazord and Yanluowang, according to Morphisec.
When targeting ESXi hosts, Cicada3301 and ALPHV/BlackCat both utilize -ui command parameters to provide a graphical output during encryption and possess a similar method of using the key parameter to decrypt their respective ransomware notes, Truesec noted.
Furthermore, for both Windows and Linux variants, Cicada3301 and ALPHV/BlackCat share a highly similar naming convention for their ransom notes, with Cicada3301 using RECOVER-[VictimID]-DATA.txt, while ALPHV/BlackCat used RECOVER-[VictimID]-FILES.txt.
How does Cicada3301 differ from ALPHV/BlackCat?
A few differences between Cicada3301 and ALPHV/BlackCat are noted in the reports; for example, the Cicada3301 ransomware is less sophisticated than ALPHV/BlackCat, according to Truesec.
Morphisec reports Cicada3301appears to opportunistically target small to medium-sized businesses, while ALPHV/BlackCat was known as a “big game hunter,” going after larger-sized organizations and seeking higher ransom payments.
One striking difference between Cicada3301 and ALPHV/BlackCat identified by Morphisec is Cicada3301’s integration of compromised credentials into the ransomware code, which Morphisec said it has never seen before in a ransomware strain. Cicada3301 uses these credentials to execute psexec, which is used to run applications remotely.
“While the ransomware notes and ransomware encryption have been customized per victim, compromised credentials integrated within a ransomware is a new level of customization,” the Morphisec researchers wrote.
Cicada3301 is named after a series of mysterious cryptography puzzles that appeared online in the early 2010s, although there appears to be no connection between the creator of the puzzles and the ransomware actor. No details about the operator of the Cicada3301 RaaS gang are currently available, but a rebrand of ALPHV/BlackCat is just one possibility.
Before its departure from the internet, ALPHV/BlackCat claimed to be selling its source code for $5 million, making it possible that the creator of Cicada3301 purchased and adapted the code for their own attacks.
“Regardless of whether Cicada3301 is a rebrand of ALPHV, they have a ransomware written by the same developer as ALPHV, or they have just copied parts of ALPHV to make their own ransomware, the timeline suggests the demise of BlackCat and the emergence of first the Brutus botnet and then the Cicada3301 ransomware operation may possibly be connected,” Truesec researchers wrote. “More investigation is needed before we can say anything for certain, however.”
The emergence of Cicada3301 is not the first time ALPHV/BlackCat is rumored to have made a comeback. The Embargo ransomware operation is also said to use Rust code with similar structure and syntax to that of ALPHV/BlackCat, which, paired with a similar leak site design, has led to speculations about a rebrand.
Additionally, it is not uncommon for ransomware groups to copy other groups, either through similar branding or by utilizing leaked source code to create their own spinoffs. For example, the emergence of a ransomware group called DarkVault, which used similar branding to LockBit, led to some speculation about connections between the two gangs. Several groups have also utilized variants of LockBit ransomware since the LockBit 3.0 builder was leaked in 2022.