Date: 09/11/2024
Severity: Critical
Summary
Repellent Scorpius is a recently surfaced ransomware-as-a-service (RaaS) group that deploys Cicada3301 ransomware. The group appears to have first emerged in May 2024, when it began a multi-extortion campaign. This report, derived from Unit 42 Incident Response engagements, offers a technical examination of the ransomware used by Repellent Scorpius and details additional tactics, techniques, and procedures (TTPs) observed during the attacks.
Indicators of Compromise (IOC) List
Domains/URLs | cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion (Tor hidden service) |
IP Address | 103.42.240.37, 91.238.181.238 |
SHA256 Hash |
0260258f6f083aff71c7549a6364cb05d54dd27f40ca1145e064353dd2a9e983
2d73b3aefcfbb47c1a187ddee7a48a21af7c85eb49cbdcb665db07375e36dc33
3969e1a88a063155a6f61b0ca1ac33114c1a39151f3c7dd019084abd30553eab
56e1d092c07322d9dad7d85d773953573cc3294b9e428b3bbbaf935ca4d2f7e7
8ec114b29c7f2406809337b6c68ab30b0b7f0d1647829d56125e84662b84ea74 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | userdomainname like "cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion" or url like "cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion" |
Detection Query 2 | dstipaddress IN ("91.238.181.238","103.42.240.37") or ipaddress IN ("91.238.181.238","103.42.240.37") or publicipaddress IN ("91.238.181.238","103.42.240.37") or srcipaddress IN ("91.238.181.238","103.42.240.37") |
Detection Query 3 | sha256hash IN ("56e1d092c07322d9dad7d85d773953573cc3294b9e428b3bbbaf935ca4d2f7e7","0260258f6f083aff71c7549a6364cb05d54dd27f40ca1145e064353dd2a9e983","2d73b3aefcfbb47c1a187ddee7a48a21af7c85eb49cbdcb665db07375e36dc33","3969e1a88a063155a6f61b0ca1ac33114c1a39151f3c7dd019084abd30553eab","8ec114b29c7f2406809337b6c68ab30b0b7f0d1647829d56125e84662b84ea74") |
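The following is an added example, not code from the Gurucul page or from Unit 42, showing what the three detection queries above do when run over raw log events. It reads newline-delimited JSON events whose field names mirror the query fields (userdomainname, url, dstipaddress, srcipaddress, ipaddress, publicipaddress, sha256hash), applies the same three IOC checks, and reports which query each event would have triggered. The log lines are constructed for the example; the interpretation of "like" as a case-insensitive substring match and the lowercasing of hashes before comparison are assumptions about how a SIEM would evaluate these queries, not documented Gurucul behaviour.

```python
"""Apply the advisory's three Cicada3301 IOC queries to constructed log events.

Added example; the sample events and the field-matching semantics are
assumptions made here, not part of the original advisory.
"""
import json

# IOCs copied verbatim from the advisory's IOC list.
ONION_DOMAIN = "cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion"
IOC_IPS = {"91.238.181.238", "103.42.240.37"}
IOC_SHA256 = {
    "0260258f6f083aff71c7549a6364cb05d54dd27f40ca1145e064353dd2a9e983",
    "2d73b3aefcfbb47c1a187ddee7a48a21af7c85eb49cbdcb665db07375e36dc33",
    "3969e1a88a063155a6f61b0ca1ac33114c1a39151f3c7dd019084abd30553eab",
    "56e1d092c07322d9dad7d85d773953573cc3294b9e428b3bbbaf935ca4d2f7e7",
    "8ec114b29c7f2406809337b6c68ab30b0b7f0d1647829d56125e84662b84ea74",
}

# Field names taken from the advisory's queries.
DOMAIN_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELD = "sha256hash"


def match_event(event: dict) -> list:
    """Return the names of the advisory queries that this event satisfies."""
    hits = []
    # Query 1: 'like' treated as case-insensitive substring match (assumption),
    # so a full URL containing the .onion host still matches.
    if any(ONION_DOMAIN in str(event.get(f, "")).lower() for f in DOMAIN_FIELDS):
        hits.append("Detection Query 1")
    # Query 2: exact match on any of the four IP fields.
    if any(event.get(f) in IOC_IPS for f in IP_FIELDS):
        hits.append("Detection Query 2")
    # Query 3: hashes normalised to lowercase so EDR tools that emit
    # uppercase hex (assumption) are not silently missed.
    digest = event.get(HASH_FIELD)
    if isinstance(digest, str) and digest.lower() in IOC_SHA256:
        hits.append("Detection Query 3")
    return hits


def scan(log_lines) -> list:
    """Scan NDJSON lines; return (line_no, matched_queries) for each hit.

    Malformed lines are skipped rather than aborting the whole scan."""
    results = []
    for line_no, line in enumerate(log_lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = match_event(event)
        if hits:
            results.append((line_no, hits))
    return results


# Constructed sample events (not real telemetry): one hit per query,
# one benign event, and one malformed line.
SAMPLE_LOG = [
    '{"eventtype":"proxy","srcipaddress":"10.0.0.5","url":"http://' + ONION_DOMAIN + '/"}',
    '{"eventtype":"firewall","srcipaddress":"10.0.0.7","dstipaddress":"91.238.181.238"}',
    '{"eventtype":"edr","hostname":"WS-042","sha256hash":"56E1D092C07322D9DAD7D85D773953573CC3294B9E428B3BBBAF935CA4D2F7E7"}',
    '{"eventtype":"proxy","srcipaddress":"10.0.0.9","url":"https://example.com/"}',
    'not json at all',
]


def run_sample() -> list:
    """Run the scan over the constructed sample log."""
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    for line_no, hits in run_sample():
        print(f"line {line_no}: {', '.join(hits)}")
```

Two caveats when operationalising these queries: the .onion address is a Tor hidden service and does not resolve through ordinary DNS, so Query 1 will normally fire only on ransom-note content or Tor-proxied traffic rather than on DNS logs, and Query 3 matches only the five listed samples, so a rebuilt payload with a different hash passes it untouched. The IP and hash matches are the high-confidence signals; treat them as starting points for hunting rather than as complete coverage.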
Reference:
https://unit42.paloaltonetworks.com/repellent-scorpius-cicada3301-ransomware/