BlackCat Spin-off 'Cicada3301' Uses Stolen Creds on the Fly, Skirts EDR

Malware authors have iterated on one of the premier encryptors on the market, building something even bigger and better.


One of the most popular ransomware tools on the market today has spawned an even more advanced offspring.

"Cicada3301," named after the infamous 4chan puzzle project from the early 2010s, is a Rust-based ransomware tool that first came onto the scene on June 18. In the two and a half months since, according to its leak site, it has been used to compromise 21 companies. Three have been large enterprises, five midsize businesses, and the majority have been small businesses. Industries vary — healthcare, manufacturing, retail, hospitality, etc. — though all have been concentrated in Europe and North America.

This ransomware operation isn't enigmatic and innocent like its namesake was. Instead, it much more closely resembles the BlackCat ransomware-as-a-service (RaaS) operation, with a few upgrades to make the encryption process smoother and more deliberate.

"If you would consider BlackCat advanced, then Cicada is the next step," says Michael Gorelik, CTO of Morphisec, which published a report about it today. "It has implemented features that I've never seen before in ransomware, and I've been doing this for years."

Cicada3301 Encryption: A BlackCat Copycat

Like most ransomware operations of its size, the BlackCat RaaS has been attracting law enforcement attention of late. History shows that when this happens, the threat actors involved with or otherwise reliant on such operations branch out and create offshoots.

No evidence exists yet to connect the people behind Cicada3301 and BlackCat. But the sheer degree of overlap between their malware might indicate some kind of relationship, or some other means by which the former's authors have become especially familiar with the latter's modus operandi.

"There are rumors that [BlackCat] is being sold on the Dark Web," Gorelik says, "but I cannot at this stage tell if it's based or not based on the code. What I can see is a lot of similarities based on the techniques that they implement, and some beyond. It's almost like [they took all of] the BlackCat techniques and then added 50% more on top."

Cicada3301 uses very BlackCat-like commands for various standard ransomware functions: deleting shadow copies of files, clearing event logs, disabling system recovery tools, and more. The 35 file types it seeks out are varied and nonspecific, from DOCs and SQLs to XLSXs and GIFs.

Cicada3301's Advanced TTPs

One minor way Cicada3301 distinguishes itself is in the degree to which its encryption process can be customized. Users can instruct the program to sleep before encrypting data, as an evasion technique, or skip encrypting data stored locally on the device. They can avoid encrypting certain kinds of data — like network data — or only encrypt certain file paths, and so on.

A better trick, though, is how it utilizes stolen credentials on the fly to burrow deeper into targeted systems. The malware writes to disk the legitimate, Microsoft-signed tool "psexec," and, with a batch file, automatically feeds it the credentials it sweeps up in the course of an attack. Psexec can then employ those credentials to escalate privileges and laterally move inside of victim networks as the credentials are harvested.
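As an added illustration, not code from the article or from the Morphisec report: a small Python triage routine that runs over constructed process-creation records (parent image, image, command line) and looks for the behaviours named above, shadow copy deletion, event log clearing, disabling system recovery, and psexec launched with credentials passed on the command line, then flags any parent process that accounts for more than one of them. The command-line patterns are generic, widely documented forms of those behaviours, not indicators taken from Cicada3301 samples; every record and value below is constructed.

```python
import re
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str]  # (parent_image, image, command_line)

# Constructed sample process-creation events; none are real telemetry.
SAMPLE_EVENTS: List[Event] = [
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir"),
    ("C:\\Users\\bob\\payload.exe", "C:\\Windows\\System32\\vssadmin.exe",
     "vssadmin.exe delete shadows /all /quiet"),
    ("C:\\Users\\bob\\payload.exe", "C:\\Windows\\System32\\wevtutil.exe",
     "wevtutil.exe cl Security"),
    ("C:\\Users\\bob\\payload.exe", "C:\\Windows\\System32\\bcdedit.exe",
     "bcdedit.exe /set {default} recoveryenabled no"),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Users\\bob\\psexec.exe",
     "psexec.exe \\\\fileserver -u corp\\svc_backup -p ExamplePass1 -s cmd.exe"),
]

# Generic patterns for the behaviours the article attributes to the encryptor.
RULES: Dict[str, re.Pattern] = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "event_log_clearing": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "recovery_disabled": re.compile(r"\bbcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    # psexec given a username and password inline, as a batch file would do.
    "psexec_with_inline_creds": re.compile(
        r"psexec(64)?(\.exe)?\s.*\s-u\s+\S+\s+-p\s+\S+", re.I),
}


def classify_event(cmdline: str) -> List[str]:
    """Return the names of every rule the command line matches."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]


def triage(events: List[Event]) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Group hits by parent process and flag parents showing 2+ distinct behaviours.

    Any single tool here has legitimate admin uses; it is the combination
    under one parent that resembles the pre-encryption sequence described.
    """
    by_parent: Dict[str, Set[str]] = {}
    for parent, _image, cmdline in events:
        for name in classify_event(cmdline):
            by_parent.setdefault(parent, set()).add(name)
    flagged = sorted(p for p, names in by_parent.items() if len(names) >= 2)
    return by_parent, flagged


if __name__ == "__main__":
    hits, flagged = triage(SAMPLE_EVENTS)
    for parent in flagged:
        print(f"FLAG {parent}: {', '.join(sorted(hits[parent]))}")
```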

External to the malware itself, researchers found that Cicada3301 was being delivered behind EDRSandBlast, a C-based open source tool for bypassing endpoint detection and response (EDR) protections.

"We know that one of the top three EDRs was compromised here, in at least one of the cases," Gorelik reports, which helped pave the way for the malware deployment. Thus, he adds, "The question is: What additional layers of technology do you have on top [of EDR]? You need other solutions that can be a complementary layer."

More to the point: Cicada3301's authors have been radically improving its obfuscation capabilities in just the last few weeks. The initial version of the malware was detected by around 33% of antivirus products listed on VirusTotal, but more recent samples are flagged by zero. The exact reason for this is not yet clear, though it's notable that the new samples are more than twice the size of the original (17MB versus 7MB).

The Legacy of Cicada3301

No evidence exists to connect the Cicada3301 ransomware with the original, ultimately harmless online project.

Nor would it be the first time that unaffiliated threat actors have cheaply attached their work to the original Cicada3301. In July 2015, a group of cyber vigilantes claiming to be its creators attacked Planned Parenthood. In a break from their usual cadence, the real creators stepped out to publicly claim no connection to the crime.

The final message from the Cicada3301 project was posted in January 2016:

The path lies empty; epiphany seeks the devoted.

Liber Primus is the way. Its words are the map, their meaning is the road, and their numbers are the direction.

Seek and you will be found.

Beware false paths.

When it comes to Cicada3301 ransomware, companies should beware their own file paths.

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
