Threat Assessment: Repellent Scorpius and Cicada3301 Ransomware Distributors

Repellent Scorpius is a newly emerged ransomware-as-a-service (RaaS) group distributing Cicada3301 ransomware, first identified in May 2024. The group uses a double extortion model, encrypting data and threatening to publish it if the ransom isn’t paid. #RepellentScorpius #Cicada3301 #InitialAccessBroker #PsExec #Rclone #KrakenLabs

Key Points

  • Repellent Scorpius is a new ransomware group distributing Cicada3301 ransomware.
  • They emerged in May 2024 and have established an affiliate program to recruit partners.
  • The group uses a double extortion approach: encrypting data and threatening to leak it.
  • Initial access is achieved through stolen credentials, likely purchased from initial access brokers (IAB).
  • Lateral movement uses PsExec for propagation and Rclone for data exfiltration, with a batch-based execution flow.
  • The ransomware is a 64-bit Rust binary using ChaCha20 for encryption, with a new encryptor variant and updated behaviors.
  • Unit 42 anticipates increased Cicada3301 activity and notes possible access to previously compromised data.

MITRE Techniques

  • [T1078] Valid Accounts – ‘Stolen credentials were likely purchased from an Initial Access Broker (IAB).’
  • [T1059.003] Windows Command Shell – ‘Batch script (1.bat) used to execute the ransomware payload against multiple hosts within the client network.’
  • [T1021] Remote Services (Lateral Movement) – ‘PsExec used to execute ransomware across multiple hosts.’
  • [T1083] File and Directory Discovery – ‘File share enumeration results stored in C:\ProgramData\found_shares.txt.’
  • [T1041] Exfiltration – ‘Rclone used for exfiltration of stolen data.’
  • [T1486] Data Encrypted for Impact – ‘Ransomware encrypts files and demands ransom for decryption.’

Indicators of Compromise

  • [Hash] Cicada3301 encryptor hashes – 8ec114b29c7f2406809337b6c68ab30b0b7f0d1647829d56125e84662b84ea74, 0260258f6f083aff71c7549a6364cb05d54dd27f40ca1145e064353dd2a9e983, and 3 more hashes
  • [File] 1.bat – Batch script containing multiple Cicada3301 encryptor execution commands
  • [File] locker.exe – Ransomware encryptor binary
  • [File] psexec0.exe – Embedded PsExec binary used for lateral execution
  • [File] found_shares.txt – Created during file share enumeration
  • [File] RECOVER–DATA.txt – Ransom note file
  • [IP] 103.42.240.37 – RDP server IP associated with the initial access activity
  • [IP] 91.238.181.238 – Public IP used for exfiltration, previously flagged for malicious activity
  • [Domain] cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion/ – Onion-based infrastructure / leak site
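The MITRE techniques and the indicators above describe one execution chain: a batch script launches the encryptor, PsExec spreads it, share enumeration output lands under ProgramData, and Rclone pushes data out to a flagged public IP. The following Python is an added example (not from the Unit 42 report or this summary) that scores constructed process, file and network log lines against both the behavioural chain and the listed IoCs. The key=value log format, the field names (event, image, cmdline, path, sha256, dst_ip) and every sample line are assumptions; the hashes, IPs and file names are copied from the indicator list, and the "3 more hashes" the page does not print are omitted.

```python
"""Added detection example: match constructed log events against the
Cicada3301 behaviours and IoCs listed on this page. Log format and
sample lines are constructed for illustration, not captured telemetry."""
import re

# IoCs as printed on the page (the three unlisted hashes are not included).
IOC_HASHES = {
    "8ec114b29c7f2406809337b6c68ab30b0b7f0d1647829d56125e84662b84ea74",
    "0260258f6f083aff71c7549a6364cb05d54dd27f40ca1145e064353dd2a9e983",
}
IOC_IPS = {"103.42.240.37", "91.238.181.238"}
IOC_FILES = {"1.bat", "locker.exe", "psexec0.exe", "found_shares.txt"}

# Behavioural rules keyed to the MITRE techniques in the summary.
# Each entry is (technique, description, predicate over a parsed event).
RULES = [
    ("T1059.003", "batch script launched via cmd.exe",
     lambda e: e.get("event") == "process"
               and e.get("image", "").lower().endswith("cmd.exe")
               and ".bat" in e.get("cmdline", "").lower()),
    ("T1021", "PsExec-style remote execution",
     lambda e: e.get("event") == "process"
               and "psexec" in e.get("image", "").lower()),
    ("T1083", "share enumeration output written under ProgramData",
     lambda e: e.get("event") == "file"
               and e.get("path", "").lower().endswith("\\programdata\\found_shares.txt")),
    ("T1041", "rclone process making an outbound connection",
     lambda e: e.get("event") == "network"
               and "rclone" in e.get("image", "").lower()),
]

# The order the page describes: batch -> PsExec spread -> discovery -> exfil.
CHAIN = ["T1059.003", "T1021", "T1083", "T1041"]

# Assumed log line format: space-separated key=value pairs, values may be quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value log line into a dict (quoted values keep spaces)."""
    return {k: q or u for k, q, u in KV.findall(line)}


def assess(lines):
    """Return (line_no, label, detail) hits for IoC matches and rule matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        e = parse_event(line)
        if e.get("sha256", "").lower() in IOC_HASHES:
            hits.append((n, "IOC:hash", e["sha256"]))
        if e.get("dst_ip") in IOC_IPS or e.get("src_ip") in IOC_IPS:
            hits.append((n, "IOC:ip", e.get("dst_ip") or e.get("src_ip")))
        # Compare only the file name so the rule is independent of drop directory.
        name = e.get("image", e.get("path", "")).rsplit("\\", 1)[-1].lower()
        if name in IOC_FILES:
            hits.append((n, "IOC:file", name))
        for tech, desc, pred in RULES:
            if pred(e):
                hits.append((n, tech, desc))
    return hits


def summarize(hits):
    """Collapse hits into the techniques seen, IoC count and chain completeness."""
    techniques = {t for _, t, _ in hits if not t.startswith("IOC:")}
    return {
        "techniques": sorted(techniques),
        "iocs": sum(1 for _, t, _ in hits if t.startswith("IOC:")),
        "chain_complete": all(t in techniques for t in CHAIN),
    }


# Constructed sample telemetry for one affected host pair (not real logs).
SAMPLE_LOG = [
    'event=network host=WS01 image=C:\\Windows\\System32\\svchost.exe dst_ip=10.0.0.5 dst_port=445',
    'event=process host=WS01 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c C:\\ProgramData\\1.bat"',
    'event=process host=WS01 image=C:\\ProgramData\\psexec0.exe cmdline="psexec0.exe WS02 locker.exe"',
    'event=file host=WS01 path=C:\\ProgramData\\found_shares.txt action=create',
    'event=process host=WS02 image=C:\\Windows\\Temp\\locker.exe '
    'sha256=8ec114b29c7f2406809337b6c68ab30b0b7f0d1647829d56125e84662b84ea74',
    'event=network host=WS01 image=C:\\Tools\\rclone.exe dst_ip=91.238.181.238 dst_port=443',
]

if __name__ == "__main__":
    found = assess(SAMPLE_LOG)
    for line_no, label, detail in found:
        print(f"line {line_no}: {label} -> {detail}")
    print(summarize(found))
```

The behavioural rules are deliberately loose (any PsExec-named image, any rclone outbound connection) so that a renamed encryptor or an unlisted hash still trips the chain check; the IoC matches add confidence rather than being the only signal, which matters because the page itself only prints two of the five encryptor hashes.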

Read more: https://unit42.paloaltonetworks.com/repellent-scorpius-cicada3301-ransomware/