Cicada3301, a new Rust-based ransomware that affects Windows and Linux


Few pieces of malware news are of interest to Linux users. Most malware is written for Windows, and much of what does affect Linux requires physical access to the machine. Cicada3301 breaks the first of those rules: it is ransomware that first appeared in June and affects Windows (nothing unusual so far), but also Linux. The bad news is that, for the moment, the details of how a Linux infection unfolds are not known. Other desktop operating systems such as macOS or BSD are not mentioned in the report.

Cicada3301 is known to be «ransomware», which IBM defines as “a type of malware that holds a victim’s data or device hostage, threatening to lock it or worse unless the victim pays a ransom to the attacker.” As a visual example, you may remember the “police virus”: once infected, all you saw was a notice with instructions for recovering your computer, and without specialist knowledge it was impossible to access or recover the information.

Cicada3301 affects small and medium-sized businesses

As Morphisec explains, Cicada3301 targets SMEs (small and medium-sized enterprises), probably through opportunistic attacks that exploit vulnerabilities as the initial access vector. In plainer terms, the attackers most likely get in through unpatched software flaws rather than by tricking a user into running something. The ransomware is written in Rust and has builds for both Windows and Linux.

Part of its operation is that the executable has compromised user credentials embedded in it, which are then used to run PsExec, a legitimate Microsoft tool for running programs on remote machines. Its capabilities include ChaCha20 encryption, deleting backups, disabling system recovery and shutting down virtual machines (operating systems running inside another operating system), which is typically done on virtualisation hosts so that the VM disk files can be encrypted.

Target file types

Cicada3301 targets a total of 35 file extensions: sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, raw, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm and txt. The list boils down to documents and images, but two entries deserve attention: sql (database dumps and scripts) and mdf (the primary data file of a Microsoft SQL Server database). A business hit by it loses access to its databases, not just its documents.
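The two preceding sections describe behaviours a defender can look for: PsExec used for remote execution, backups deleted, system recovery disabled, virtual machines shut down, and a burst of writes to files with the 35 targeted extensions. The following Python is an added example, not code from the article or from Morphisec: it runs simple rules over a few constructed process-creation and file-write log lines (the `time|host|user|event|detail` format and all host names, users and paths are invented for the example). The concrete command lines it matches (`vssadmin delete shadows`, `wbadmin delete catalog`, `bcdedit … recoveryenabled no`, `esxcli vm process kill`) are the usual way those tactics show up on Windows and ESXi hosts; they are assumptions of the example, not indicators published for Cicada3301.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The 35 extensions listed in the article (lower-case, without the dot).
TARGETED_EXTENSIONS = frozenset("""
sql doc rtf xls jpg jpeg psd docm xlsm ods ppsx png raw dotx xltx pptx ppsm
gif bmp dotm xltm pptm odp webp pdf odt xlsb ptox mdf tiff docx xlsx xlam potm txt
""".split())

# Command-line patterns for the tactics the article names.  The concrete
# commands are the usual way these tactics appear on Windows and ESXi hosts;
# they are assumptions for this example, not indicators published for Cicada3301.
PROCESS_RULES = [
    ("remote execution via PsExec",
     re.compile(r"\bpsexec(?:64)?(?:\.exe)?\b", re.I)),
    ("shadow copies deleted",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("backup catalog deleted",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("system recovery disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("virtual machines killed",
     re.compile(r"\besxcli\s+vm\s+process\s+kill\b", re.I)),
]


def is_targeted(path: str) -> bool:
    """True if the file carries one of the 35 extensions Cicada3301 encrypts."""
    ext = ntpath.splitext(path)[1].lstrip(".").lower()  # handles \ and / separators
    return ext in TARGETED_EXTENSIONS


def match_process(cmdline: str) -> list[str]:
    """Names of every process rule the command line trips (possibly none)."""
    return [name for name, rx in PROCESS_RULES if rx.search(cmdline)]


def parse(line: str) -> dict:
    """Constructed log format: time|host|user|event|detail (detail may contain spaces)."""
    ts, host, user, event, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "event": event, "detail": detail}


def detect(lines, window=timedelta(seconds=60), threshold=20) -> dict:
    """Return {host: [alert, ...]} for hosts showing any of the described behaviours."""
    alerts = defaultdict(list)
    writes = defaultdict(list)  # (host, pid) -> timestamps of writes to targeted files
    for line in lines:
        rec = parse(line)
        if rec["event"] == "process":
            for name in match_process(rec["detail"]):
                alerts[rec["host"]].append(f"{name}: {rec['detail']}")
        elif rec["event"] == "filewrite":
            pid, path = rec["detail"].split(" ", 1)
            if is_targeted(path):
                writes[(rec["host"], pid)].append(rec["ts"])
    # Sliding window: one process rewriting many targeted files in a short span
    # is what mass encryption looks like from the file system's point of view.
    for (host, pid), times in writes.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[host].append(
                f"mass modification: pid {pid} wrote {best} targeted files within {window.seconds}s")
    return dict(alerts)


# Constructed sample telemetry: a file server being attacked and an innocent workstation.
SAMPLE_LOG = r"""
2024-09-03T10:00:01|fileserver01|ACME\svc_deploy|process|C:\Tools\PsExec64.exe \\fileserver01 -s -d C:\Windows\Temp\update.exe
2024-09-03T10:00:05|fileserver01|SYSTEM|process|vssadmin.exe delete shadows /all /quiet
2024-09-03T10:00:06|fileserver01|SYSTEM|process|bcdedit.exe /set {default} recoveryenabled no
2024-09-03T10:05:00|workstation07|ACME\alice|process|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE /n
2024-09-03T10:05:02|workstation07|ACME\alice|filewrite|2200 C:\Users\alice\Documents\notes.txt
""".strip().splitlines() + [
    # One process rewriting 25 spreadsheets in 25 seconds on the file server.
    f"2024-09-03T10:00:{10 + i:02d}|fileserver01|SYSTEM|filewrite|4120 "
    f"D:\\Shares\\Finance\\invoice_{i:04d}.xlsx"
    for i in range(25)
]

if __name__ == "__main__":
    for host, found in detect(SAMPLE_LOG).items():
        print(host)
        for alert in found:
            print("  -", alert)
```

Run as a script it reports four alerts for `fileserver01` (PsExec, shadow copies, recovery disabled, mass modification by pid 4120) and nothing for `workstation07`, whose single write to a `.txt` file stays well under the threshold. The threshold and window are deliberately crude; on a real estate they would be tuned per share, and the process rules would be fed from the EDR's command-line telemetry rather than a pipe-separated text log.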

“Regardless of whether Cicada3301 is a rebrand of ALPHV, they have a ransomware written by the same developer as ALPHV, or they have simply copied parts of ALPHV to make their own ransomware, the timeline suggests the demise of BlackCat and the emergence of first the Brutus botnet and then the Cicada3301 ransomware operation are possibly all connected,” says Morphisec.

This new virus has borrowed ideas from other viruses that were already known, but that doesn't mean it is any less dangerous.

Where does the name Cicada3301 come from?

This will also help me explain the header image. Cicada is a genus of Old World cicadas in the family Cicadidae. It is also the name of one of the villains of The Flash, the DC Comics speedster superhero. In the television series he appears in the fifth season and, among other things, absorbs the energy left behind by everyone the Flash has saved, and by the Flash himself.

Are there reasons to worry?

There is no detailed information on how many computers have been infected or how, but it is known to affect Linux-based operating systems. The usual advice of staying away from websites of dubious reputation helps little here: Morphisec's assessment is that initial access comes from exploited vulnerabilities, so what matters is keeping exposed software patched, whatever the operating system. On the other hand, the targets are SMEs rather than home users.

For small and medium-sized businesses, a word of advice: keep backups of important documents somewhere the ransomware cannot reach with the credentials it has stolen, such as an offline copy or cloud storage with version history or immutable snapshots. A plain sync folder is not enough, since an encrypted file is synced like any other. Because Cicada3301 deletes backups and disables system recovery on the machines it reaches, the backup has to live outside those machines, and it is only worth anything if you have actually tested restoring from it.
