BlackCat Spin-off Cicada3301 Uses Stolen Creds on the Fly, Skirts EDR

Published: 23/11/2024   Category: security




Malware authors have iterated on one of the premier encryptors on the market, building something even bigger and better.



One of the most popular ransomware tools on the market today has spawned an even more advanced offspring. Cicada3301, named after the infamous 4chan puzzle project from the early 2010s, is a Rust-based ransomware tool that first came onto the scene on June 18. In the two and a half months since, according to its leak site, it has been used to compromise 21 companies. Three have been large enterprises, five midsize businesses, and the majority have been small businesses. Industries vary — healthcare, manufacturing, retail, hospitality, etc. — though all have been concentrated in Europe and North America.
This ransomware operation isn't enigmatic and innocent like its namesake was. Instead, it much more closely resembles the BlackCat ransomware-as-a-service (RaaS) operation, with a few upgrades to make the encryption process smoother and more deliberate.
"If you would consider BlackCat advanced, then Cicada is the next step," says Michael Gorelik, CTO of Morphisec, which published a report about it today. "It has implemented features that I've never seen before in ransomware, and I've been doing this for years."
Like most ransomware operations of its size, the BlackCat ransomware-as-a-service (RaaS) has been attracting law enforcement attention as of late. History shows that when this happens, the threat actors involved with or otherwise reliant on such operations branch out and create offshoots.
No evidence exists yet to connect the people behind Cicada3301 and BlackCat. But the sheer degree of overlap between their malware might indicate some kind of relationship, or some other means by which the former's authors have become especially familiar with the latter's modus operandi.
"There are rumors that [BlackCat] is being sold on the Dark Web," Gorelik says, "but I cannot at this stage tell if it's based or not based on the code. What I can see is a lot of similarities based on the techniques that they implement, and some beyond. It's almost like [they took all of] the BlackCat techniques and then added 50% more on top."
Cicada3301 uses very BlackCat-like commands for various standard ransomware functions: deleting shadow copies of files, clearing event logs, disabling system recovery tools, and more. The 35 file types it seeks out are varied and nonspecific, from DOCs and SQLs to XLSXs and GIFs.
One minor way Cicada3301 distinguishes itself is in the degree to which its encryption process can be customized. Users can instruct the program to sleep before encrypting data, as an evasion technique, or skip encrypting data stored locally on the device. They can avoid encrypting certain kinds of data — like network data — or only encrypt certain file paths, and so on.
A better trick, though, is how it utilizes stolen credentials on the fly to burrow deeper into targeted systems. The malware writes to disk the legitimate, Microsoft-signed tool psexec, and, with a batch file, automatically feeds it the credentials it sweeps up in the course of an attack. Psexec can then employ those credentials to escalate privileges and laterally move inside of victim networks as the credentials are harvested.
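The behaviours described above (shadow-copy deletion, event-log clearing, recovery disabled, then PsExec driven with harvested credentials) are all visible in process-creation telemetry. The following is an added example, not code from the article or from Morphisec's report: a small detector that scans constructed sample events for those standard Windows commands and flags a host only when several of them occur together, since any one of them alone is routine admin activity. The event format, host names and account name are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not from the article), one per
# line, shaped as "timestamp|host|parent_image|command_line".
SAMPLE_EVENTS = """\
2024-06-18T10:01:03|WS01|C:\\Windows\\explorer.exe|"C:\\Program Files\\Office\\winword.exe" report.docx
2024-06-18T10:02:11|WS01|C:\\Windows\\System32\\cmd.exe|vssadmin.exe delete shadows /all /quiet
2024-06-18T10:02:12|WS01|C:\\Windows\\System32\\cmd.exe|wevtutil.exe cl Security
2024-06-18T10:02:13|WS01|C:\\Windows\\System32\\cmd.exe|bcdedit.exe /set {default} recoveryenabled No
2024-06-18T10:02:21|WS01|C:\\Windows\\System32\\cmd.exe|psexec.exe \\\\FS01 -u CORP\\svc_backup -p ******** -accepteula cmd /c C:\\Users\\Public\\run.bat
2024-06-18T11:15:00|WS02|C:\\Windows\\explorer.exe|notepad.exe notes.txt
"""

# One rule per behaviour the article attributes to Cicada3301/BlackCat; the
# command names are the standard Windows tools used for each action.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "event_log_clearing":   re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "recovery_disabled":    re.compile(r"\bbcdedit(\.exe)?\s.*recoveryenabled\s+no\b", re.I),
    "psexec_with_creds":    re.compile(r"\bpsexec(\.exe)?\s.*\s-u\s+\S+.*\s-p\s+\S+", re.I),
}

@dataclass
class Finding:
    host: str
    timestamp: str
    rule: str
    command_line: str

def scan_events(text: str) -> list[Finding]:
    """Return one Finding per (event, rule) pair whose command line matches."""
    findings = []
    for line in text.splitlines():
        ts, host, _parent, cmd = line.split("|", 3)
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append(Finding(host, ts, name, cmd))
    return findings

def hosts_with_chain(findings: list[Finding], min_rules: int = 3) -> list[str]:
    """Hosts on which at least min_rules distinct behaviours fired; a single
    match is common admin work, several in sequence warrant escalation."""
    by_host: dict[str, set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)
```

Running `hosts_with_chain(scan_events(SAMPLE_EVENTS))` returns only `["WS01"]`; the benign activity on WS02 never reaches the threshold.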
External to the malware itself, researchers found that Cicada3301 was being delivered behind EDRSandBlast, a C-based open source tool for bypassing endpoint detection and response (EDR) protections.
"We know that one of the top three EDRs was compromised here, in at least one of the cases," Gorelik reports, which helped pave the way for the malware deployment. Thus, he adds, "The question is: What additional layers of technology do you have on top [of EDR]? You need other solutions that can be a complimentary layer."
More to the point: Cicada3301's authors have been radically improving its obfuscation capabilities in just the last few weeks. The initial version of the malware was detected by around 33% of antivirus products listed on VirusTotal, but more recent samples are flagged by zero. The exact reason for this is not yet clear, though it's notable that the new samples are more than twice the size of the original (17MB versus 7MB).
No evidence exists to connect the Cicada3301 ransomware with the original, ultimately harmless online project.
Nor would it be the first time that unaffiliated threat actors have cheaply attached their work to the original Cicada3301. In July 2015, a group of cyber vigilantes claiming to be its creators attacked Planned Parenthood. In a break from their usual cadence, the real creators stepped out to publicly claim no connection to the crime.
The final message from the Cicada3301 project was posted in January 2016:
The path lies empty; epiphany seeks the devoted.
Liber Primus is the way. Its words are the map, their meaning is the road, and their numbers are the direction.
Seek and you will be found.
Beware false paths.
When it comes to Cicada3301 ransomware, companies should beware their own file paths.
