
Ransomware has long been a severe threat to organizations and admins alike. Recently, cybersecurity researchers discovered a new variant called Cicada3301, which some experts believe has links with BlackCat (aka ALPHV) due to similarities in operations. Cicada3301 is a Rust-based ransomware that targets Windows and Linux/ESXi hosts.

To help you secure your systems and data, I'll explain how this ransomware operates and offer practical advice you can implement to mitigate risk. 

Understanding the Cicada3301 Ransomware

The Rust-based Cicada3301 ransomware targets predominantly small to midsized businesses through targeted attacks. Vulnerabilities serve as initial system entryways, likely through exploits made available via vulnerability scans.

One unique aspect of Cicada3301 is that it uses compromised user credentials to execute PsExec, an otherwise legitimate program used for remote execution. This makes detection difficult as PsExec remains legitimate and more challenging to spot than its alternatives.

Cicada3301 uses ChaCha20 for encryption. It runs fsutil to evaluate symbolic links and encrypt redirected files, and IISReset.exe to stop IIS services so that files held open by those services, which would otherwise resist modification or deletion, can be encrypted. It follows behavior patterns similar to BlackCat: clearing all event logs, deleting shadow copies via the shadowcopy-delete command-line utility, and increasing the MaxMpxCt value so the host can support higher volumes of traffic, such as SMB PsExec requests.
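The behaviors listed above (event log clearing, shadow copy deletion, MaxMpxCt tuning, IISReset, fsutil symlink changes and PsExec-driven remote execution) are individually noisy but, taken together on one host within a short window, make a useful detection. The script below is an added example written for this article; it is not code from the article or from Morphisec. The log format, the command-line patterns used to recognize each behavior and the sample log lines are all constructed assumptions for the example, and the host/user names are fictional.

```python
"""Scan constructed process-creation log lines for the behaviours the article
attributes to Cicada3301 and escalate hosts showing several of them together.

Assumed (constructed) log format, one record per line:
    <timestamp> host=<hostname> user=<account> cmd=<command line>
The regexes describe how each behaviour commonly appears on a Windows command
line; they are this example's assumptions, not indicators from the article."""
import re

# Rule name -> case-insensitive regex over the command line.
RULES = {
    "event_log_clear": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "shadow_copy_delete": re.compile(
        r"(\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    # SMB server tuning the article describes; key path is the LanmanServer parameters key.
    "maxmpxct_tamper": re.compile(r"LanmanServer\\Parameters.*\bMaxMpxCt\b", re.I),
    "iis_stop": re.compile(r"\biisreset(\.exe)?\s+/stop\b", re.I),
    "symlink_evaluation": re.compile(
        r"\bfsutil(\.exe)?\s+behavior\s+set\s+symlinkevaluation\b", re.I),
    # PsExec binary or the PSEXESVC service it installs on the remote side.
    "psexec_remote_exec": re.compile(r"(\bpsexec(64)?(\.exe)?\b|\bPSEXESVC\b)", re.I),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample data: one host showing the whole chain, one host with a
# lone IIS restart that should NOT be escalated, and one malformed line.
SAMPLE_LOG = [
    r"2024-09-03T18:20:01Z host=web01 user=CORP\jdoe cmd=C:\Tools\PsExec.exe \\web01 -s -d C:\Windows\Temp\upd.exe",
    r"2024-09-03T18:20:04Z host=web01 user=SYSTEM cmd=fsutil behavior set symlinkevaluation R2L:1 R2R:1",
    r"2024-09-03T18:20:05Z host=web01 user=SYSTEM cmd=reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /t REG_DWORD /d 65535 /f",
    r"2024-09-03T18:20:06Z host=web01 user=SYSTEM cmd=iisreset.exe /stop",
    r"2024-09-03T18:20:07Z host=web01 user=SYSTEM cmd=wmic shadowcopy delete /nointeractive",
    r"2024-09-03T18:20:09Z host=web01 user=SYSTEM cmd=wevtutil.exe cl Security",
    r"2024-09-03T09:00:00Z host=app02 user=CORP\ops cmd=iisreset.exe /stop",
    r"2024-09-03T09:01:00Z host=app02 user=CORP\ops cmd=notepad.exe C:\inetpub\web.config",
    "malformed line without the expected fields",
]


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def match_rules(cmd):
    """Names of every rule whose regex matches this command line."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def scan(lines):
    """Return (host, user, rule, cmd) for every rule hit across the log."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable input rather than failing the whole scan
        for rule in match_rules(rec["cmd"]):
            hits.append((rec["host"], rec["user"], rule, rec["cmd"]))
    return hits


def hosts_by_distinct_rules(hits, threshold=2):
    """Hosts on which at least `threshold` distinct behaviours were seen.

    A single IISReset or fsutil call is routine administration; the ransomware
    chains several of these steps, so escalate on the combination, not on one hit."""
    per_host = {}
    for host, _user, rule, _cmd in hits:
        per_host.setdefault(host, set()).add(rule)
    return {h: sorted(rules) for h, rules in per_host.items() if len(rules) >= threshold}


if __name__ == "__main__":
    all_hits = scan(SAMPLE_LOG)
    for host, user, rule, cmd in all_hits:
        print(f"{host:6} {user:10} {rule:20} {cmd}")
    print("escalate:", hosts_by_distinct_rules(all_hits))
```

Feed it your own process-creation telemetry (Sysmon Event ID 1 or Security 4688 rendered into the assumed one-line format) and tune the threshold: on a web farm, IISReset alone will fire often, while the combination of IISReset, shadow copy deletion and event log clearing within minutes on one host is exactly the sequence the article describes.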

Source: Morphisec

Cicada3301 can also target Virtual Machines (VMs), shutting down backup and recovery services and a hard-coded list of processes. Additionally, this ransomware targets 35 file extensions: sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, raw, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm, and txt.

Investigations also uncovered tools such as EDRSandBlast, which uses vulnerable signed drivers to bypass EDR detection. Cicada3301 has been observed using this technique, previously used by the BlackByte ransomware group, which suggests the two may have collaborated to gain initial access to enterprise networks.

Analysis of the ESXi version of Cicada3301 showed that the ransomware can use intermittent encryption for files larger than 100 MB, and that it accepts a parameter named "no_vm_ss" to encrypt without shutting down the virtual machines running on the host.

Understanding who may fall prey to Cicada3301 is essential. Its attacks primarily target small to midsized businesses through opportunistic exploitation of vulnerabilities, likely with help from the operators of the Brutus botnet to gain initial entry to enterprise networks.

Practical Advice for Mitigating Risk

Linux admins can take specific practical measures to mitigate ransomware attacks, including:

  • Regularly updating operating systems and software.
  • Using reliable antivirus programs and firewalls.
  • Disabling unneeded services and ports.
  • Making regular backups of critical files and databases, and keeping copies in offsite backup storage.
  • Providing regular awareness training so staff can recognize ransomware, phishing and other malware attacks.

Our Final Thoughts on Cicada3301 Ransomware

The Cicada3301 ransomware variant is a hazardous threat that targets both Windows and Linux/ESXi hosts. It is capable of executing PsExec with compromised credentials, clearing almost all event logs, and using legitimate tools to cause damage. These characteristics make it hard to detect or prevent. Sysadmins must therefore take proactive measures to safeguard their systems against possible attacks by regularly applying patches, training employees for increased awareness, and backing up critical files regularly. These measures will significantly lower the risks associated with ransomware attacks.