Cicada 3301: A Technical Analysis of Ransomware-as-a-Service

Cicada3301 operates as a ransomware-as-a-service platform with a double extortion model, offering affiliates both the ransomware and a data leak site. Its Rust-based ransomware targets Windows and ESXi, shows notable similarities to ALPHV, and appears connected to the Brutus botnet for initial access.
#Cicada3301 #ALPHV #BrutusBotnet #ESXi #Rust #ChaCha20 #Ramp

Keypoints

  • Cicada3301 operates as a ransomware-as-a-service group with a double extortion model.
  • The group uses ransomware written in Rust, targeting both Windows and ESXi systems.
  • Initial access is gained through valid credentials, potentially tied to the Brutus botnet.
  • There are significant similarities between Cicada3301 and the ALPHV ransomware.
  • The group has published an invitation for affiliates on the cybercrime forum RAMP.
  • Technical analysis shows ChaCha20 file encryption, ESXi-specific VM-management commands, and a UI that displays encryption progress.
  • Ransomware features include a sleep parameter, file-extension flags, and an encryption workflow in which the ChaCha20 keys are themselves encrypted with RSA and referenced by the ransom note.

MITRE Techniques

  • [T1078] Valid Accounts – Initial access via stolen or brute-forced credentials to log in using ScreenConnect. Quote: ‘Valid Accounts’
  • [T1203] Exploitation for Client Execution – Exploitation used to initiate ransomware execution on target clients. Quote: ‘Exploitation for Client Execution’
  • [T1547] Boot or Logon Autostart Execution – Persistence via startup execution on boot/logon. Quote: ‘Boot or Logon Autostart Execution’
  • [T1068] Exploitation of Vulnerability – Privilege escalation through vulnerability exploitation. Quote: ‘Exploitation of Vulnerability’
  • [T1027] Obfuscated Files or Information – Defense evasion by obfuscation/packing. Quote: ‘Obfuscated Files or Information’
  • [T1003] Credential Dumping – Credential access through dumping credentials. Quote: ‘Credential Dumping’
  • [T1083] File and Directory Discovery – Discovery of files and directories on systems. Quote: ‘File and Directory Discovery’
  • [T1486] Data Encrypted for Impact – Data encryption to disrupt availability and confidentiality. Quote: ‘Data Encrypted for Impact’

Indicators of Compromise

  • [IP] Initial login IP – 91.92.249.203 – used by the threat actor for ScreenConnect access and tied to the Brutus botnet
  • [File] Ransom note filenames – RECOVER-FILES.txt, RECOVER-DATA.txt
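The indicators above are the kind a SOC would turn into a quick sweep over authentication and file-creation telemetry. The following is an added example, not code from Truesec or from the original post: it matches the page's two IoC types (the ScreenConnect login IP and the ransom note filenames) against constructed key=value event lines. The event format, field names (`ip`, `path`, `src`) and the sample lines are all assumptions made for the example; only the IP and filenames come from the page.

```python
import re

# Indicators of compromise taken from the page.
IOC_IPS = {"91.92.249.203"}
IOC_NOTE_NAMES = {"RECOVER-FILES.txt", "RECOVER-DATA.txt"}

# Constructed sample events for the example (assumed key=value format, not real logs).
SAMPLE_EVENTS = [
    r'ts=2024-06-01T01:02:03Z src=screenconnect event=auth_success user=admin ip=91.92.249.203',
    r'ts=2024-06-01T01:05:44Z src=screenconnect event=auth_success user=jsmith ip=10.0.0.12',
    r'ts=2024-06-01T02:10:09Z src=sysmon event=file_create host=FS01 path=C:\Shares\Finance\RECOVER-FILES.txt',
    r'ts=2024-06-01T02:10:10Z src=sysmon event=file_create host=FS01 path=C:\Shares\Finance\report.xlsx',
    r'ts=2024-06-01T02:12:31Z src=esxi event=file_create host=esx02 path=/vmfs/volumes/ds1/recover-data.txt',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse a key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def basename(path):
    """Return the final path component for either Windows or POSIX separators."""
    return re.split(r'[\\/]', path)[-1]


def match_iocs(lines):
    """Return a list of hits: each hit names the IoC type, the matched value and the event."""
    note_names_upper = {n.upper() for n in IOC_NOTE_NAMES}
    hits = []
    for line in lines:
        ev = parse_event(line)
        ip = ev.get("ip")
        if ip in IOC_IPS:
            hits.append({"type": "ioc_ip", "value": ip, "event": ev})
        path = ev.get("path")
        # Compare case-insensitively: Windows filesystems ignore case, and the
        # sample ESXi line shows a lower-cased note name.
        if path and basename(path).upper() in note_names_upper:
            hits.append({"type": "ransom_note", "value": basename(path), "event": ev})
    return hits


def summarize(hits):
    """Count hits per IoC type, a convenient shape for an alert summary."""
    counts = {}
    for h in hits:
        counts[h["type"]] = counts.get(h["type"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_EVENTS):
        ev = hit["event"]
        print(f"{hit['type']:12} {hit['value']:20} src={ev.get('src')} host={ev.get('host', '-')}")
    print(summarize(match_iocs(SAMPLE_EVENTS)))
```

Running the block against the constructed events yields one login-IP hit and two ransom note hits. In practice the IP match belongs on the ScreenConnect or VPN authentication source, and the filename match on file-creation telemetry from both Windows hosts and ESXi datastores, since the page reports the ransomware targets both.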

Read more: https://www.truesec.com/hub/blog/dissecting-the-cicada