Threats

New ransomware variant has BlackCat-like similarities, report says

The new malware identified by Morphisec is named after an old internet mystery: Cicada3301.

September 3, 2024

The inspiration for the new ransomware's name. (Photo by Scott Olson/Getty Images)

A new ransomware variant that emerged two months ago names itself after a decade-old internet mystery known as Cicada 3301, according to new research from the cybersecurity firm Morphisec.

The Rust-based ransomware variant also bears significant resemblance to the BlackCat malware, also known as ALPHV, that has wreaked havoc due to the operators’ aggressive tactics.

Though the Cicada3301 variant was first spotted two months ago, Michael Gorelik, chief technology officer for Morphisec, said the cybersecurity firm stopped an attack from a customer last week and reversed the malware. It’s not yet clear who is behind the new variant.

“It’s very advanced ransomware. I would say that it is more advanced than the BlackCat, which is notorious,” Gorelik told CyberScoop.

Gorelik wouldn’t name the victim company, but said Cicada3301 is able to tamper with the endpoint detection of one of the biggest vendors. It’s likely that the initial access is mainly exploiting opportunistic vulnerabilities, the report notes. However, the ransomware also has several technical similarities to how the BlackCat variant encrypts its files, such as following symlinks for further encryption.

BlackCat operators are thought to have pulled an exit-scam recently and claimed that the source-code of the ransomware will be sold.

The Rust-based language is a rising trend among ransomware variants. Beyond BlackCat, Hive and RansomExx are also written in the language known for its increased performance and characteristics, which greatly reduces the likelihood of certain memory safe-based vulnerabilities.

Since early June, the leak site lists more than 20 victims, mainly in North America and England.

So far, the victims appear to be mainly small- to medium-sized businesses, with 13 in that category, another five mid-sized organizations and three enterprises, Morphisec said. Some of the victims include organizations that operate in the health care industry, but many of the victims are manufacturers.

Cicada3301 has published information claiming to be from four victims since its emergence.

Cicada3301 refers to an early 2010s internet-based scavenger hunt that featured messages and puzzles typically around cryptography and cybersecurity topics. The clues were typically accompanied by a Cicada logo, with the claim that the organization is searching for “highly intelligent individuals,” inviting conspiracies about everything from three-letter agencies to cult recruitment efforts.

Some media organizations have actually falsely accused the organization behind the viral online puzzle of being behind the ransomware attacks. In a statement released on September 1, Cicada 3301 Metaverse LLC distanced themselves from the digital extortionists saying they continue to be “falsely blamed” for the attacks.