Dissecting the Cicada: In the Shadow of the Black Cat (PDF, 35 pages), shared on 三个皮匠报告.
Dissecting the Cicada: In the Shadow of the Black Cat
Mattias Wåhlén, Nicklas Keijser

A Ransomware Incident
- Autumn 2024
- Less than 50 servers
- ESXi ransomware
- Previously unknown threat actor

Forensic Results
- Tools observed: brute-force, NetSupport, WinSCP, Cicada3301, WinRM and RDP, ScreenConnect, Angry IP Scanner, pypykatz and Mimikatz
- Attack phases: Remote Services, Data Exfiltration, Ransomware, Lateral Movement, Remote Control, Internal Reconnaissance, Privilege Escalation

Indicators of Compromise
- 91.92.249.203 - First NetSupport login
- 109.107.173.60 - ScreenConnect C2

Slide titles with no extracted text: The Erosion; The Deja-Vu; The Key; The Checks; The Note - Cicada; The Note - BlackCat; The Encrypted Files; The Parameters; The Resemblances

Similarities
- Written in Rust
- Use ChaCha20 for file encryption
- Almost identical use of esxcli to shut down virtual machines and remove snapshots
- The usage of the ui command
- Decrypting configuration and ransomware with a key provided as a parameter
- Same naming convention on encrypted files
- Same built-in list to terminate processes
- Cicada3301 has an updated list of services to terminate

Credits*
- Windows binary: same command line as BlackCat, especially the use of bcdedit
- Stopping services and processes
- Same exclusion of files and directories
- Similar toolset
- Sharing infrastructure
*https://www.sygnia.co/blog/blackcat-ransomware/

Is There a Connection?
[Timeline, Jan 2024 to Sep 2024: Cicada3301 and BlackCat/ALPHV, marked "?"]

From a Cat to a Cicada
The Demise of Black Cat
- Law enforcement takedown, Dec 2023
- Exit scam in Mar 2024
The Infrastructure
The Virtual Machine

There Is Likely a Connection!
[Timeline, Jan 2024 to Sep 2024: Cicada3301 and BlackCat/ALPHV]

Who Are Cicada 3301?
Ransomware-as-a-Service
- Ransomware group: develops ransomware; develops other tools; hosts stolen data; assists in negotiations
- Affiliate: does the hacking; uses toolkit; steals data; Determi