The Register: Cicada ransomware may be a BlackCat/ALPHV rebrand and upgrade

Source URL: https://www.theregister.com/2024/09/04/cicada_ransomware_blackcat_links/
Source: The Register
Title: Cicada ransomware may be a BlackCat/ALPHV rebrand and upgrade

Feedly Summary: Researchers find many similarities, and nasty new customizations such as embedded compromised user credentials
The Cicada3301 ransomware, which has claimed at least 20 victims since it was spotted in June, shares “striking similarities” with the notorious BlackCat ransomware, according to security researchers at Israeli endpoint security outfit Morphisec.…

AI Summary and Description: Yes

Summary: The text discusses the emergence of the Cicada3301 ransomware, noting its similarities to the BlackCat ransomware. It highlights its sophisticated capabilities, including customizations that leverage compromised user credentials and advanced evasion techniques against detection. This is particularly relevant for professionals in cybersecurity, as it underscores the evolving threat landscape faced by organizations.

Detailed Description: The analysis by Morphisec on the Cicada3301 ransomware reveals critical information pertinent to cybersecurity experts, particularly those focused on malware detection, ransomware recovery, and incident response strategies. Key points include:

– **Cicada3301 Characteristics**:
  – Shares its implementation language (Rust) with the BlackCat ransomware.
  – Deletes Windows shadow copies, complicating recovery efforts.
  – Manipulates the Volume Shadow Copy Service through its administrative tool (vssadmin) to hinder recovery.
  – Uses Windows Management Instrumentation (WMI) for execution.

– **Notable Customizations**:
  – Embeds compromised user credentials within the ransomware binary, enhancing its execution capabilities.
  – Customizes ransom notes and encryption per victim, indicating a tailored approach to attacks.

– **Detection Challenges**:
  – Notably low detection rates on VirusTotal (two samples showed a static detection score of 0).
  – Recent increases in binary size and obfuscation to evade detection mechanisms.
  – Evidence that the developers are actively testing and refining methods to avoid identification by security products.

– **Target Demographics**:
  – Targets primarily small to medium-sized businesses (SMBs), suggesting an opportunistic attack vector exploiting known vulnerabilities.

– **Contextual Relevance**:
  – Links to previous attacks by the BlackCat group, indicating continuity of threat actors and methodologies in ransomware operations.
  – Highlights the evolving tactics of ransomware operators, underscoring the importance of proactive security measures and ongoing vigilance by organizations, particularly in the SMB sector.
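
The shadow copy deletion and WMI-based execution listed under the characteristics above are behaviours that host telemetry can catch even when static scanning scores a sample at zero. The following is an added example, not code from the article or from Morphisec: a small Python detector run over constructed Sysmon-style process-creation events, where the field names, file paths and rule names are assumptions made for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},          # benign admin query
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "svc.exe --start"},                 # child of the WMI provider host
]

# Command-line patterns for shadow copy deletion (MITRE ATT&CK T1490, Inhibit System Recovery).
SHADOW_COPY_RULES = [
    ("vssadmin_delete_shadows", "high",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete", "high",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]

WMI_HOST = "wmiprvse.exe"                       # parent of processes started through WMI
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


def analyze_event(event):
    """Return a list of (rule, severity) findings for one process-creation event."""
    findings = []
    cmd = event.get("CommandLine", "")
    for name, severity, pattern in SHADOW_COPY_RULES:
        if pattern.search(cmd):
            findings.append((name, severity))
    # A process whose parent is WmiPrvSE.exe was launched via WMI; flag it only
    # when the child image lives outside the usual system directories.
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    if parent.endswith(WMI_HOST) and not image.startswith(TRUSTED_DIRS):
        findings.append(("wmi_spawned_untrusted_image", "medium"))
    return findings


def scan(events):
    """Map each flagged command line to its findings; unflagged events are omitted."""
    return {e["CommandLine"]: f for e in events if (f := analyze_event(e))}
```

Feeding real Sysmon or Security 4688 events into `scan` requires only mapping their fields to `Image`, `ParentImage` and `CommandLine`.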

Overall, the insights provided highlight the sophistication and evolving nature of ransomware threats like Cicada3301, emphasizing the urgent need for improved security postures, continuous monitoring, and robust incident response plans in the modern threat landscape.