Effective URL: https://blog.morphisec.com/cicada3301-ransomware-threat-analysis
Submission: On September 07 via api from IL — Scanned from IL
Decoding the Puzzle: Cicada3301 Ransomware Threat Analysis
Posted by Michael Gorelik on September 3, 2024

In the rapidly evolving landscape of cybersecurity threats, a new adversary has emerged, drawing inspiration from one of the internet's most enigmatic puzzles—Cicada3301. This new threat, dubbed Cicada3301 ransomware, was identified in a Morphisec customer environment just a week ago after bypassing a leading endpoint detection and response (EDR) provider's solution.

Introduction

Cicada3301 ransomware, written in Rust, was first reported less than two months ago. Despite its recent emergence, Morphisec threat researchers have already identified striking similarities between Cicada3301 and the infamous BlackCat ransomware. Like its namesake, the Cicada puzzle, which has long been associated with complex, cyber-related problem-solving, the Cicada3301 ransomware developers keep their true identity shrouded in mystery. However, it is crucial to note that Morphisec's anti-ransomware impact protection has already proven effective against Cicada3301 without requiring any updates, highlighting Morphisec's robustness and adaptability in the face of emerging threats.

During Morphisec's investigation, additional tools were uncovered, such as EDRSandBlast, which is used to tamper with EDR systems. With the limited visibility Morphisec researchers currently have, Cicada3301 ransomware appears to primarily target small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector. Since June 18, 2024, Morphisec has counted more than 20 victims, predominantly located in North America and England.

Impacted organizations vary in size: SMBs (13 organizations), mid-sized businesses (5 organizations) and enterprises (3). Industries of operation include manufacturing/industrial, healthcare, retail and hospitality. Attackers accept payment in Bitcoin and Monero.

Technical Details

Cicada3301 ransomware shares several core characteristics with the well-known Rust-based ransomware BlackCat. It features a well-defined parameter configuration interface, registers a vectored exception handler, and employs similar methods for shadow copy deletion and tampering. The use of Rust in ransomware development is on the rise, driven by Rust's efficiency and cross-platform capabilities; other notable examples include Hive and RansomExx. However, Cicada3301 distinguishes itself with significant innovations, particularly in how it executes and integrates compromised credentials, marking an evolution in ransomware tactics.

Download Morphisec's full Cicada3301 analysis, including indicators of compromise (IoCs).

How Morphisec Helps

Powered by Automated Moving Target Defense (AMTD), Morphisec's Anti-Ransomware Assurance Suite stops ransomware attacks like Cicada3301 with multi-layered protection.

Ransomware infiltration protection prevents the execution of ransomware attacks at early infiltration stages with Morphisec's prevention-first AMTD technology, which constantly changes a system's configuration or environment. This makes it harder for attackers to exploit systems because the attack surface is always shifting.

Ransomware impact protection defends systems against the ransomware impact phase with dedicated anti-ransomware protection that proactively defends critical assets and files with a prevention-first strategy. This minimizes recovery times and strengthens an organization's anti-ransomware stance.

Preventatively, Adaptive Exposure Management (AEM) helps teams adapt by pre-emptively defending against attacks. AEM prioritizes vulnerabilities, automates the assessment and validation of an organization's security controls, identifies high-risk software and addresses security misconfigurations.

Morphisec doesn't rely on signatures or behavioral patterns. Instead, its patented AMTD technology prevents an attack at its earliest stages, preemptively blocking attacks on memory and applications and effectively removing the need for response.

Schedule a demo today to see how Morphisec stops ransomware and other new and emerging threats.