In 2022, BlackCat ransomware (also known as ALPHV) was among the top malware types tracked by IBM X-Force. The following year, the threat actor group added new tools and tactics to enhance BlackCat’s impact.

The effort paid off — literally. In March 2024, BlackCat successfully compromised Change Healthcare and received a ransom payment of $22 million in Bitcoin. But here’s where things get weird: Immediately after taking payment, BlackCat closed its doors, citing “the feds” as the reason for the shutdown.

Now, an eerily similar iteration has emerged: Cicada3301. While it’s too soon to say for sure, BlackCat may be back.

Analyzing ALPHV

BlackCat consistently made the list of the top ten most active ransomware groups during its heyday.

Innovation is partly responsible for its success. As noted by Kevin Henson, Lead Malware Reverse Engineer, IBM X-Force, IBM Consulting, Cybersecurity Services, “It was the first piece of ransomware written in Rust. Choosing Rust let BlackCat engineers add customized features and implement measures that prevented malware analysis.”

Henson points to an upgraded version of BlackCat known as Sphinx, which used an encrypted common line rather than tokens, making it hard for security teams to access BlackCat code.

BlackCat ransomware operators also used custom malware known as ExMatter to automate the data exfiltration process. Once exfiltration was complete, the tool “melted” — self-deleted — to hinder the efforts of security teams. It’s also worth noting that BlackCat and its affiliate users demonstrated more than a casual knowledge of corporate IT operations.

For example, attackers leveraged Group Policy Objects (GPOs) to increase the speed of malware deployments. By changing GPO refresh times, malicious code spread more quickly and security teams had less time to respond.

BlackCat says goodbye — A new pest says hello

With competitors such as BlackMatter/DarkSide closing up shop in 2022, BlackCat became a global nuisance, attacking everything from educational institutions and energy providers to government agencies.

Even the late 2023 seizure of BlackCat servers by the United States Department of Justice wasn’t enough to stop its predatory prowling. By early 2024, ALPHV was back in action, encrypting massive amounts of Change Healthcare data and netting themselves a cool $22 million bitcoin ransom.

Shortly after the payoff, however, BlackCat closed its leak site and announced the sale of its Ransomware-as-a-Service (RaaS) source code for $5 million. The group itself claimed law enforcement interference as the reason for the shutdown, but BlackCat affiliates told a different story: ALPHV administrators didn’t share the profits of the Change Healthcare attack as promised, instead keeping everything for themselves.

Six months after BlackCat’s goodbye, however, a new pest emerged: Cicada3301. As noted by Henson, “After using static identification tools, we see that BlackCat and Cicada3301 were compiled using the same toolset. Also, some of the functionality is similar between the two, such as the way the ransomware clears event logs ” While he says that code itself isn’t just a rehash of BlackCat, “the malware group has either seen the code base or are using the same developers.”

So far, Cicada3301 is taking it slow. Agnes Ramos-Beauchamp, Malware Reverse Engineer at IBM X-Force, says that “according to open-source intelligence (OSINT) reports, they’re targeting easy prey like small and medium-sized businesses (SMBs). The initial compromise vector appears to be through Remote Desktop Protocol (RDP), likely using stolen credentials or crackable passwords ” Given the law enforcement issues encountered by BlackCat, shooting for the low-hanging fruit makes sense — at least until the malware is more developed.

Cicada3301: Imitator or innovator?

With Cicada on the rise, it’s worth asking the question: Is this BlackCat 2.0 or something entirely different? The answer seems to lie somewhere in the middle.

For example, the new malware strain is also written in Rust. According to Henson, “What we’re seeing with Cicada is an early version. I suspect that as time goes by, developers will add more features.” BlackCat went through a similar process with the development of Sphinx. Of course, this could simply be a coincidence — other malware, such as Hive and RansomExx, has also used Rust, and malware tools improving over time is standard practice for RaaS developers.

As noted by a Morphisec report, however, the similarities are more than just skin-deep. Like BlackCat, Cicada3301 “features a well-defined parameter configuration interface, registers a vector exception handler and employs similar methods for shadow copy deletion and tampering.”

According to Ramos-Beauchamp, there’s also some sharing of infrastructure. Cicada is reusing some of the IPs that BlackCat used to use, and they’re using similar toolsets, along with the psexec executable for lateral movement.”

But Cicada isn’t just a clone of BlackCat. Unlike its predecessor, Cicada3301 embeds compromised user credentials within the ransomware itself, an approach that has not been previously observed.

Don’t bug me, man

Cicada3301 may be BlackCat 2.0, or it may simply be an impressive imitator that leverages some of ALPHV’s most effective components and builds on this functionality with a new approach to handling compromised credentials.

Regardless of its role as a malware replica or malicious revolution, Cicada3301 relies on the same starting point as BlackCat: Phishing. If malicious actors can convince users to provide credentials, they can potentially access RDP endpoints and infect corporate systems. Attackers are now using a combination of both emails and text messages to get their foot in the door.

“A lot of these emails are very persuasive,” says Henson, “And text messages may seemingly contain legitimate details about packages, such as delivery dates or potential delays.” By educating staff about the hallmarks of common phishing efforts and bolstering security with intelligent detection tools, businesses should be able to address emerging Cicada threats in much the same way they handled BlackCat.

So, is BlackCat back? Maybe. Cicada3301 shares a significant amount of both form and function with the ALPHV malware and shows similar signs of evolving over time. From a security perspective, the overlap is informative — the use of similar architecture helps inform effective defense and drives discussion of who’s behind this new iteration.

From a business operations standpoint, meanwhile, these similarities are actionable. Doppelganger or not, Cicada3301 still relies on stealing user credentials as its route to compromise. By leveraging a combination of intelligent email monitoring and regular employee security training, businesses can keep bad actor bugs at bay.