2024-10-21

With competitors such as BlackMatter/DarkSide closing up shop in 2022, BlackCat became a global nuisance, attacking everything from educational institutions and energy providers to government agencies.

Even the late 2023 seizure of BlackCat servers by the United States Department of Justice wasn’t enough to stop its predatory prowling. By early 2024, ALPHV was back in action, encrypting massive amounts of Change Healthcare data and netting themselves a cool USD 22 million bitcoin ransom.

Shortly after the payoff, however, BlackCat closed its leak site and announced the sale of its Ransomware-as-a-Service (RaaS) source code for USD 5 million. The group itself claimed law enforcement interference as the reason for the shutdown, but BlackCat affiliates told a different story: ALPHV administrators didn’t share the profits of the Change Healthcare attack as promised, instead keeping everything for themselves.

Six months after BlackCat’s goodbye, however, a new pest emerged: Cicada3301. As noted by Henson, “After using static identification tools, we see that BlackCat and Cicada3301 were compiled using the same toolset. Also, some of the functionality is similar between the two, such as the way the ransomware clears event logs.” While he says that the code itself isn’t just a rehash of BlackCat, “the malware group has either seen the code base or are using the same developers.”

So far, Cicada3301 is taking it slow. Agnes Ramos-Beauchamp, Malware Reverse Engineer at IBM X-Force, says that “according to open-source intelligence (OSINT) reports, they’re targeting easy prey like small and medium-sized businesses (SMBs). The initial compromise vector appears to be through Remote Desktop Protocol (RDP), likely using stolen credentials or crackable passwords.” Given the law enforcement issues encountered by BlackCat, shooting for the low-hanging fruit makes sense — at least until the malware is more developed.
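Two of the behaviours described in this article are visible in ordinary Windows Security logs: an RDP session established from an address that had just produced a burst of failed logons (the "stolen or crackable credentials" initial access Ramos-Beauchamp describes), and the clearing of the audit log that Henson notes both families perform. The following detector is an added example written for this page, not code from IBM X-Force or from any of the groups discussed. It uses the real Windows event IDs 4625 (failed logon), 4624 (successful logon, with LogonType 10 meaning RemoteInteractive/RDP) and 1102 (audit log cleared); the event records, IP addresses, usernames and the five-failures-in-five-minutes threshold are all constructed for the example and are assumptions, not figures from the article.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Real Windows Security event IDs; the records built from them below are constructed.
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
AUDIT_LOG_CLEARED = 1102
LOGON_TYPE_RDP = 10  # RemoteInteractive


@dataclass
class Event:
    ts: datetime
    event_id: int
    user: str
    src_ip: str                      # "" where the event carries no network address (e.g. 1102)
    logon_type: Optional[int] = None  # only populated on 4624/4625


def _t(hhmmss: str) -> datetime:
    return datetime.fromisoformat("2024-10-21T" + hhmmss)


# Constructed sample: five failures from 203.0.113.7 followed by an RDP logon, a benign
# user who mistypes once, and a later audit-log clear by the compromised account.
SAMPLE_EVENTS: List[Event] = [
    Event(_t("10:00:00"), FAILED_LOGON, "admin", "203.0.113.7", LOGON_TYPE_RDP),
    Event(_t("10:00:02"), FAILED_LOGON, "admin", "203.0.113.7", LOGON_TYPE_RDP),
    Event(_t("10:00:04"), FAILED_LOGON, "admin", "203.0.113.7", LOGON_TYPE_RDP),
    Event(_t("10:00:06"), FAILED_LOGON, "admin", "203.0.113.7", LOGON_TYPE_RDP),
    Event(_t("10:00:09"), FAILED_LOGON, "admin", "203.0.113.7", LOGON_TYPE_RDP),
    Event(_t("10:00:12"), SUCCESS_LOGON, "admin", "203.0.113.7", LOGON_TYPE_RDP),
    Event(_t("10:03:00"), SUCCESS_LOGON, "jsmith", "10.0.0.5", LOGON_TYPE_RDP),
    Event(_t("10:04:00"), FAILED_LOGON, "jsmith", "10.0.0.5", LOGON_TYPE_RDP),
    Event(_t("10:04:03"), SUCCESS_LOGON, "jsmith", "10.0.0.5", LOGON_TYPE_RDP),
    Event(_t("10:30:00"), AUDIT_LOG_CLEARED, "admin", ""),
]


def detect(events: List[Event],
           fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Return alerts, in time order, for (a) an RDP logon from a source address that
    produced >= fail_threshold failed logons inside `window`, and (b) any audit-log clear."""
    alerts: List[dict] = []
    recent_failures = defaultdict(list)  # src_ip -> timestamps of recent 4625 events

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == FAILED_LOGON:
            fails = recent_failures[ev.src_ip]
            fails.append(ev.ts)
            # keep only failures still inside the sliding window
            recent_failures[ev.src_ip] = [t for t in fails if ev.ts - t <= window]

        elif ev.event_id == SUCCESS_LOGON and ev.logon_type == LOGON_TYPE_RDP:
            fails = [t for t in recent_failures[ev.src_ip] if ev.ts - t <= window]
            if len(fails) >= fail_threshold:
                alerts.append({
                    "rule": "rdp_logon_after_password_guessing",
                    "ts": ev.ts.isoformat(),
                    "user": ev.user,
                    "src_ip": ev.src_ip,
                    "failures": len(fails),
                })
            # a success ends the guessing sequence for this source either way
            recent_failures[ev.src_ip] = []

        elif ev.event_id == AUDIT_LOG_CLEARED:
            # 1102 is rare in normal operation and is a common precursor to encryption
            alerts.append({
                "rule": "audit_log_cleared",
                "ts": ev.ts.isoformat(),
                "user": ev.user,
                "src_ip": ev.src_ip,
            })

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The window and threshold are deliberately parameters: password spraying against RDP tends to be slow and spread across many accounts, so in practice the same logic is usually run both per source address (as here) and per target account with a longer window, and the 1102 rule is worth alerting on unconditionally, since a legitimate log clear should be traceable to a change ticket.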