Cicada Ransomware – What You Need To Know


What is the Cicada ransomware?

Cicada (also known as Cicada3301) is sophisticated ransomware written in Rust that has claimed more than 20 victims since its discovery in June 2024.

Why is the ransomware called Cicada?

The criminals behind Cicada appear to have named it after the mysterious Cicada 3301 puzzles posted on the internet between 2012 and 2014, seemingly to recruit highly intelligent individuals. 

Of course, there is no reason to believe that the ransomware is in any fashion related to the enigmatic puzzles that appeared a decade before it – other than through the name.

Fair enough. What sort of companies are being hit by Cicada?

According to a blog post by security researchers at Morphisec, at least 21 companies, predominantly in North America and the UK, have been hit by Cicada since June 18, 2024. 

Most of the organisations affected have been small and mid-sized businesses (18), with the remaining three described as enterprises. Victims have been noted in a variety of industry sectors, including manufacturing/industrial, healthcare, retail, and hospitality. 

Organizations hit by the Cicada ransomware are greeted by a message telling them that attackers have downloaded their important data and that files on the company’s network have been encrypted. 

A further message says that the gang is prepared to provide “proof that the data has been stolen” and will delete all the stolen information and “help you rebuild your infrastructure and prevent similar attacks in the future” if a cryptocurrency payment is made.

And I guess they will publish the data if you don’t pay up?

Yes, the Cicada gang says that if a ransom is not paid in time, then the stolen data will be published on its blog. But they also say that the data will be sent “to all regulatory authorities in your country, as well as to your customers, partners, and competitors.”

That’s a nasty threat. Do we know who is behind Cicada?

Although we do not know the identities of those responsible, security researchers say that there are striking similarities between Cicada and the ALPHV BlackCat ransomware – which is also written in Rust. 

While there’s no definitive proof, the similarities between Cicada and BlackCat, including the use of Rust, evasion techniques, and timing, suggest a possible connection.

You’ve mentioned Rust a few times. What is that?

Rust is a programming language that has become popular with ransomware developers in recent years. In particular, ransomware groups like BlackCat and Hive have used Rust to create strains of their malware – in part because it makes reverse-engineering trickier, and because some malware detection systems struggle to reliably detect Rust-based ransomware via static analysis.

I thought the authorities had taken action to disrupt the ALPHV BlackCat ransomware?

Well remembered. In December 2013, the US Department of Justice announced it had disrupted the ransomware gang’s operations and seized decryption keys to help victims unlock their data without paying a ransom. 

However, that victory was short-lived. ALPHV BlackCat re-emerged, threatened retaliation against countries that assisted with the takedown, and explicitly warned that it would attack hospitals in future.

They don’t sound like a nice bunch.

That’s putting it mildly.

What can I do to reduce the risk of Cicada and other ransomware threats attacking my organisation?

  • Keep your security software updated.
  • Educate your employees about phishing emails and other social engineering techniques.
  • Implement robust backup and recovery procedures.
  • Monitor your environment for suspicious activity.
  • Consider employing threat hunting services to proactively identify and mitigate threats.

Other best practices include creating strong, unique passwords, and keeping software current. It is also advised to report ransomware attacks to CISA, a local FBI field office or a Secret Service field office.
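The "monitor your environment for suspicious activity" advice above is easier to act on with a concrete heuristic. The script below is an added example written for this article, not code from the article, Morphisec or Tripwire, and it says nothing about how Cicada itself encrypts files. It flags a burst of file writes whose contents look encrypted (high Shannon entropy) within a short time window, which is the generic footprint of an encryptor sweeping a file share. The file events, timestamps, paths and thresholds are all constructed and illustrative; a real deployment would feed it events from a file-integrity or EDR agent and tune the thresholds to the share's normal churn.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class FileEvent:
    """One observed file write: path, new contents, modification time (epoch seconds)."""
    path: str
    content: bytes
    mtime: float


@dataclass
class Alert:
    """A window in which most writes looked like encrypted output."""
    window_start: float
    file_count: int
    high_entropy_count: int


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for uniformly random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(content: bytes, threshold: float = 7.0) -> bool:
    """Ciphertext and compressed data sit near 8 bits/byte; documents sit far lower.
    The 7.0 cut-off is an assumed, illustrative threshold."""
    return shannon_entropy(content) >= threshold


def detect_bulk_encryption(events: Iterable[FileEvent],
                           window_seconds: float = 60.0,
                           min_files: int = 10,
                           min_ratio: float = 0.8) -> List[Alert]:
    """Slide a time window over the write events; raise an alert when at least
    min_files were written in the window and at least min_ratio of them look
    encrypted. After an alert the scan skips past that window so one burst
    produces one alert rather than one per event."""
    ordered = sorted(events, key=lambda e: e.mtime)
    alerts: List[Alert] = []
    i = 0
    while i < len(ordered):
        start = ordered[i].mtime
        # events are sorted, so the window is a contiguous slice starting at i
        window = [e for e in ordered[i:] if e.mtime - start < window_seconds]
        high = sum(1 for e in window if looks_encrypted(e.content))
        if len(window) >= min_files and high / len(window) >= min_ratio:
            alerts.append(Alert(start, len(window), high))
            i += len(window)
        else:
            i += 1
    return alerts


def build_sample_events() -> List[FileEvent]:
    """Constructed sample data: a few ordinary document edits ten minutes apart,
    then twelve high-entropy overwrites within about twenty seconds, the shape
    an encryptor would leave behind. Paths and timestamps are made up."""
    rng = random.Random(1234)  # fixed seed so the sample is reproducible
    base = 1_700_000_000.0
    events: List[FileEvent] = []
    doc = b"Quarterly report: revenue, costs, headcount. " * 100
    for i in range(6):
        events.append(FileEvent(f"/share/docs/report{i}.txt", doc, base + i * 600))
    burst_start = base + 6 * 600
    for i in range(12):
        blob = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append(FileEvent(f"/share/docs/report{i}.txt.locked", blob, burst_start + i * 2))
    return events


if __name__ == "__main__":
    for alert in detect_bulk_encryption(build_sample_events()):
        print(f"ALERT: {alert.high_entropy_count}/{alert.file_count} writes in the "
              f"{60}s window starting at {alert.window_start:.0f} look encrypted")
```

Entropy alone is a blunt instrument: archives, images and already-encrypted backups all score high, so the window and ratio conditions matter as much as the per-file check, and an alert should trigger isolation and investigation rather than automatic blocking. Pairing this with the backup advice above is what makes it useful, since early detection only helps if there is a clean copy to restore from.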


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.