Security researchers have warned that the Alphv/BlackCat ransomware group has returned under a new name: Cicada3301. After a suspected exit scam in early March, the group attacked more than 30 small and medium-sized businesses (SMBs) in the healthcare, hospitality, manufacturing, and retail sectors in North America and the UK, starting in June 2024.
Also known as Noberus or ALPHV, BlackCat is a ransomware operation developed by a Russian-speaking cybercriminal collective. The group is linked to DarkSide and BlackMatter, both of which are now defunct. Since its launch in mid-2021, it has become one of the most widespread ransomware families. Its code is written in Rust, which sets it apart from most other malware families.
An updated version, referred to as “Sphynx”, runs faster and crashes less often, which makes it somewhat more difficult to remove from an infected system. It targets industries including construction, manufacturing, energy, healthcare, technology, and retail, and this broad reach is what makes it so dangerous. So, how does it spread?
How RDP Opens the Floodgates for Ransomware
A recent report by Morphisec demonstrated many similarities between the two ransomware families. Both use the same specific method for setting configuration entries and registering a vectored exception handler, as well as the same methods for deleting and modifying shadow copies. Supporting these conclusions, IBM X-Force notes that both extortion groups were built using the same tools.
This suggests that Cicada3301 may have emerged from a code base shared with its associated group. The malware also appears to gain initial access predominantly via RDP, probably using compromised credentials. However, some researchers have argued that it is not an offspring of BlackCat at all.
Stolen credentials are embedded in the malware itself, allowing the attackers to encrypt files and data. They can also exfiltrate information before encryption and use it to blackmail victims, threatening to publish it if the ransom isn’t paid.
Features that Make This Hijacking Software a Concern
The ransomware covered in this article differs from others in several distinctive characteristics and operating mechanisms. The features discussed below are what make it a serious cybersecurity concern.
Ransomware as a Service (RaaS) is a common business model among such groups: the developers create the file-encrypting malware and lease it to affiliates, who receive a percentage of the ransoms paid by victims. This model not only spreads the malware more widely but also lets the developers profit from it.
The group pays its affiliates considerably more than usual, offering between 80% and 90% of each ransom to those using its software, compared with an average payout of around 70% in similar schemes. The ransomware is also notable as the first to be written in the Rust programming language, and it runs on Windows, Linux, and VMware virtual machines. Because few malware threats target Linux, security teams are often unprepared for them, and traditional tools struggle to detect threats written in newer languages such as Rust, which shows that Linux needs better protection.
Operators can easily customize the ransomware for different operating systems: they can choose encryption methods, write ransom notes, decide which files to leave unencrypted, and specify which processes and services to shut down during an attack, making their operations more efficient.
Criminals often use triple extortion tactics. First, they demand payment for the key to unlock the encrypted files. Then they threaten to leak the stolen information. Finally, they may launch additional denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks against the victim.
The group runs a public leak site to display its “loot” after intrusions. This visibility raises its profile among other cybercriminals and pressures victims to pay the demanded amount to keep their data private.
Indicators of a Noberus Malware Infiltration
Group-IB obtained the malware’s control panel and found some differences between the two ransomware families. Cicada3301 has very few features: only six command-line options, no embedded configuration, and, of course, a different name in the ransom note. It also requires a special activation key to run.
Cicada3301’s main ciphers are ChaCha20 and RSA, configurable according to the settings in use. The program can terminate virtual machine processes and delete shadow copies. It also encrypts network shares and runs encryption across multiple threads.
Things to look for include known file hashes, command-and-control IP addresses, and domains that the FBI and other cybersecurity specialists have published as indicators.
In most cases, the victim receives a clear message demanding a ransom. Sometimes the note contains a link to a Tor site where the attackers assure their victims that they have stolen valuable information that others would be willing to pay for.
BlackCat also changes file extensions per intrusion, using unpredictable, unique, random extensions. It drops a file named RECOVER-\-NOTES.txt in every folder that contains encrypted files; the note describes the primary characteristics of the malware.
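The two host-level indicators described above, a ransom note named after the random extension and clusters of files sharing that extension, can be checked with a simple file-system sweep. The script below is an added example, not code from the article or from any of the vendors it cites. It walks a directory tree, records every file matching the RECOVER-&lt;ext&gt;-NOTES.txt pattern, counts files per folder whose extension is outside an assumed allow-list, and raises a "correlated" finding when a note's extension matches such a cluster in the same folder. The sample tree, the extension `.f8x1qz`, the allow-list, and the cluster threshold are all constructed for the example.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Ransom-note naming pattern described above: RECOVER-<random ext>-NOTES.txt.
# Matching is case-insensitive so a case-changed variant is still caught.
NOTE_RE = re.compile(r"^RECOVER-([A-Za-z0-9]+)-NOTES\.txt$", re.IGNORECASE)

# Assumption: extensions expected in the monitored share; anything else
# counts as "unknown" for the clustering heuristic.
EXPECTED_EXTENSIONS = {
    ".txt", ".docx", ".xlsx", ".pptx", ".pdf", ".csv", ".jpg", ".png", ".log",
}

# Assumption: this many files with the same unknown extension in one folder
# is enough to raise a finding on its own.
CLUSTER_THRESHOLD = 3


def scan_tree(root):
    """Walk `root` and return findings for ransom notes and extension clusters.

    Each finding is a dict with a 'kind' key:
      - 'ransom_note': a file matching NOTE_RE, plus the extension it names
      - 'extension_cluster': >= CLUSTER_THRESHOLD files sharing an unknown extension
      - 'correlated': a note whose extension matches a cluster in the same folder
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        unknown_exts = Counter()
        note_exts = set()
        for name in filenames:
            match = NOTE_RE.match(name)
            if match:
                ext = "." + match.group(1).lower()
                note_exts.add(ext)
                findings.append({"kind": "ransom_note", "dir": dirpath, "file": name, "ext": ext})
                continue
            ext = Path(name).suffix.lower()
            if ext and ext not in EXPECTED_EXTENSIONS:
                unknown_exts[ext] += 1
        for ext, count in unknown_exts.items():
            if count >= CLUSTER_THRESHOLD:
                findings.append({"kind": "extension_cluster", "dir": dirpath, "ext": ext, "count": count})
                if ext in note_exts:
                    findings.append({"kind": "correlated", "dir": dirpath, "ext": ext, "count": count})
    return findings


def severity(findings):
    """Collapse a list of findings into a single triage level."""
    kinds = {f["kind"] for f in findings}
    if "correlated" in kinds:
        return "high"
    if "ransom_note" in kinds or "extension_cluster" in kinds:
        return "medium"
    return "none"


def build_sample_tree():
    """Create a constructed tree: one clean folder and one 'encrypted' folder."""
    root = tempfile.mkdtemp(prefix="ransom-scan-")
    clean = Path(root, "hr")
    clean.mkdir()
    for name in ("policy.docx", "roster.xlsx", "notes.txt"):
        (clean / name).write_text("clean sample content\n")
    hit = Path(root, "finance")
    hit.mkdir()
    # Constructed random extension; real intrusions use a different value each time.
    for name in ("q1.xlsx.f8x1qz", "q2.xlsx.f8x1qz", "budget.pdf.f8x1qz", "readme.txt"):
        (hit / name).write_text("constructed encrypted blob\n")
    (hit / "RECOVER-f8x1qz-NOTES.txt").write_text("constructed ransom note\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    results = scan_tree(sample_root)
    for finding in results:
        print(finding)
    print("severity:", severity(results))
```

Run against a real share, the note match alone is already a strong signal; the extension clustering mainly helps catch folders where the note has been removed or where the extension pattern differs from the one the analyst expects.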
Critical Measures to Counter Cyber Attacks
The best methods and controls for protecting against BlackCat attacks are essentially the same as those for preventing cybercrime and data theft in general.
Microsegmentation. Software-defined micro-segmentation limits ransomware propagation by isolating specific devices and workloads from one another. It also improves protection and reduces the chances of unauthorized access.
Security awareness training. Raising awareness among employees can be the key to fending off threats. Training should build awareness of phishing and other social-engineering risks so that staff recognize and report them, which minimizes overall risk.
Encryption. Organizations can prevent attackers from reading and exposing stolen information by encrypting it.
Strong authentication. Strong passwords and multi-factor authentication contribute to protection against breaches and significantly reduce the danger and consequences of a BlackCat intrusion.
Backups. Storing several versions of your records is the key to fast recovery from an intrusion and the best way to avoid paying ransoms or losing files. Keeping copies offline, away from the network, also reduces exposure to self-propagating malware and keeps the backups safe during an attack.
Optimal patching cadence. Updating your applications and infrastructure closes vulnerabilities in hardware, software, and APIs, greatly reducing the chance of intrusions that target them.
Continuous monitoring. Network administrators should scrutinize both ingress and egress traffic. This is an effective way to identify ransomware-infected systems and other threats inside the enterprise.
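The article names RDP with compromised credentials as the main initial-access path and, here, continuous monitoring as the control. The script below is an added example, not code from the article or from Group-IB, Morphisec or IBM, showing what that monitoring can look like for RDP specifically. It parses a constructed export of Windows Security logon records (event ID 4624 is a successful logon, 4625 a failed one, and logon type 10 is RemoteInteractive, i.e. RDP) and raises two alerts: a successful RDP logon from outside an assumed set of internal address ranges, and a successful RDP logon preceded by a burst of failures for the same account and source within a sliding window. The log format, the internal ranges, the account names, the `203.0.113.45` source address and the thresholds are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: address ranges considered "inside" the organization. RDP logons
# from anywhere else are worth an alert on their own.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample export. Fields: timestamp, Windows Security event ID
# (4624 = successful logon, 4625 = failed logon), logon type (10 = RDP,
# 2 = local interactive), account, source address. 203.0.113.0/24 is a
# documentation range, used here as the constructed "external" source.
SAMPLE_LOG = """\
2024-06-12T02:14:01 4625 10 jsmith 203.0.113.45
2024-06-12T02:14:03 4625 10 jsmith 203.0.113.45
2024-06-12T02:14:05 4625 10 jsmith 203.0.113.45
2024-06-12T02:14:07 4625 10 jsmith 203.0.113.45
2024-06-12T02:14:09 4625 10 jsmith 203.0.113.45
2024-06-12T02:14:12 4624 10 jsmith 203.0.113.45
2024-06-12T09:01:30 4624 10 adm-ops 10.20.4.17
2024-06-12T09:05:10 4624 2 mjones 10.20.4.18
2024-06-12T11:40:00 4625 10 adm-ops 10.20.4.17
2024-06-12T11:40:20 4624 10 adm-ops 10.20.4.17
"""


def parse_events(text):
    """Turn the whitespace-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, ip = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "ip": ipaddress.ip_address(ip),
        })
    return events


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def detect_rdp_abuse(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (rule, user, source_ip) alerts for suspicious RDP logons.

    Rules:
      external_rdp_logon  - a successful RDP logon from outside INTERNAL_NETS
      brute_force_success - a successful RDP logon preceded by >= fail_threshold
                            failures for the same (user, ip) within `window`
    """
    alerts = []
    recent_failures = defaultdict(list)   # (user, ip) -> failure timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:        # only RDP sessions matter here
            continue
        key = (ev["user"], ev["ip"])
        if ev["event_id"] == 4625:
            recent_failures[key].append(ev["ts"])
            # keep only the failures that fall inside the sliding window
            recent_failures[key] = [t for t in recent_failures[key] if ev["ts"] - t <= window]
        elif ev["event_id"] == 4624:
            if not is_internal(ev["ip"]):
                alerts.append(("external_rdp_logon", ev["user"], str(ev["ip"])))
            if len(recent_failures[key]) >= fail_threshold:
                alerts.append(("brute_force_success", ev["user"], str(ev["ip"])))
            recent_failures[key] = []     # a success resets the counter
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_abuse(parse_events(SAMPLE_LOG)):
        print(alert)
```

In the sample, the `jsmith` session trips both rules while the single failure by `adm-ops` from an internal address stays below the threshold; in production the same two rules map naturally onto a SIEM correlation search, with the external-logon rule usually being the more reliable of the two because legitimate RDP should not be reachable from the internet at all.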
Endpoint security. Endpoint protection plays an important role in guarding devices against attacks: it independently observes and controls existing risks, increasing the level of protection for your files.
Secure cloud services. When organizations choose cloud service providers (CSPs), they need to check that the provider meets specific standards, such as PCI DSS or FedRAMP certification, to ensure the safety of their sensitive information.
Data leak protection (DLP). Such solutions help classify files and directories according to their sensitivity and generate real-time alerts so the security team can respond quickly to possible ransomware activity or data theft.
A Growing Cybercriminal Network Through The RaaS Model
The malware takes time to infiltrate the victim’s systems and download all the data it can before encrypting it. That is why Cicada3301 members are trying to recruit people into their ransomware-as-a-service (RaaS) scheme. They give interested individuals 20% of the overall payments and a web interface. The platform also carries news about the malware, tools for managing victims, chat functions, and account details.
As Group-IB confirms, the gang applies aggressive tactics to produce the maximum possible effect. Its elaborate affiliate system gives other criminals with the necessary talent and expertise a way to fine-tune their strategies and handle their targets systematically via an easy-to-use web console. Fighting such threats has therefore become very intricate and tedious. They have the technology, backed up with AI, and know how to grow a network of like-minded cyber-parasites. Winning the race in Industry 4.0 has never been as vital as now, with 2025 approaching fast.
Strengthening Security Against Evolving Threats
This article shows how the threats looming over IT security are evolving with the emergence of Cicada3301. To protect themselves, companies must be proactive and stay informed about current ransomware trends, so that they can strengthen their defenses against the growing number of complex risks.
Although we cannot deter or stop groups like the ones described in this article from threatening and hacking hard-working people, we can recommend a strong data-monitoring strategy. It should encompass regular checks for intrusions, strict personnel access controls, and targeted staff training. Educating staff about the scams they may encounter, especially phishing, teaches them to manage their credentials securely.