Cicada ransomware may be a BlackCat/ALPHV rebrand

The Cicada3301 ransomware, which has claimed at least 20 victims since it was discovered in June, shares "striking similarities" with the infamous BlackCat ransomware, according to security researchers at Israeli endpoint security outfit Morphisec.

On Tuesday, Morphisec's threat intelligence team published an analysis of Cicada3301 reporting that it is written in Rust, the language BlackCat was also written in.

Cicada shares other traits with BlackCat, including the way it tries to remove Volume Shadow Copies, the point-in-time snapshots of volumes that Windows Server creates and that backup and recovery tooling relies on. Deleting them makes recovery from the ransomware harder. The malware runs the vssadmin command-line utility, which administers the Volume Shadow Copy Service (VSS), to delete the snapshots, and then calls Windows Management Instrumentation (WMI). It also runs the bcdedit boot-configuration utility to alter boot settings in an attempt to stop victims from restoring encrypted systems.

Morphisec also found adaptations, such as embedding stolen user credentials in the ransomware binary and using them to launch the malware with valid credentials through a renamed copy of PsExec, the Sysinternals remote-execution tool.
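The two behaviours above (snapshot deletion via vssadmin, WMI and bcdedit, and a renamed PsExec run with embedded credentials) are exactly what endpoint telemetry should flag. The following is an added example, not code from Morphisec or from the ransomware, that runs simple detection rules over a handful of constructed Sysmon Event ID 1 (process creation) records. The field names (Image, CommandLine, OriginalFileName) are Sysmon's; the sample events and the helper path names are made up. The rule for a renamed PsExec relies on the OriginalFileName that Sysmon reads from the binary's PE version resource, which for PsExec is "psexec.c".

```python
"""Detect recovery-inhibition commands and a renamed PsExec in process-creation events.

Added example for illustration; the events below are constructed, not real telemetry.
"""
import re
from pathlib import PureWindowsPath

# Command-line rules for the shadow-copy and boot-configuration tampering
# described in the article. Case-insensitive; tolerate full paths and extra flags.
COMMAND_LINE_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("wmi_shadowcopy_delete_powershell",
     re.compile(r"Win32_ShadowCopy.*\b(Delete\(\)|Remove-WmiObject|Remove-CimInstance)", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]

# PsExec identifies itself through its PE version resource regardless of the
# file name on disk; Sysmon surfaces that as OriginalFileName.
PSEXEC_ORIGINAL_NAMES = {"psexec.c", "psexec.exe", "psexec64.exe", "psexesvc.exe"}
PSEXEC_EXPECTED_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
# PsExec's -u/-p switches carry an explicit user name and password.
EXPLICIT_CREDS = re.compile(r"(^|\s)-u\s+\S+.*(^|\s)-p\s+\S+", re.I)


def match_rules(event):
    """Return the list of rule names a single process-creation event triggers."""
    hits = []
    cmdline = event.get("CommandLine", "")
    for name, pattern in COMMAND_LINE_RULES:
        if pattern.search(cmdline):
            hits.append(name)
    original = event.get("OriginalFileName", "").lower()
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if original in PSEXEC_ORIGINAL_NAMES:
        if image not in PSEXEC_EXPECTED_IMAGES:
            hits.append("renamed_psexec")
        if EXPLICIT_CREDS.search(cmdline):
            hits.append("psexec_explicit_credentials")
    return hits


def scan(events):
    """Return (Image, [rule names]) for every event that triggers at least one rule."""
    findings = []
    for event in events:
        hits = match_rules(event)
        if hits:
            findings.append((event["Image"], hits))
    return findings


# Constructed sample events (hypothetical host FS01, made-up helper name and password).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": r"vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": r"wmic.exe shadowcopy delete"},
    {"Image": r"C:\Windows\System32\bcdedit.exe", "OriginalFileName": "bcdedit.exe",
     "CommandLine": r"bcdedit.exe /set {default} recoveryenabled no"},
    # Renamed PsExec launched with embedded credentials, as described in the article.
    {"Image": r"C:\Windows\Temp\svchost_helper.exe", "OriginalFileName": "psexec.c",
     "CommandLine": r"svchost_helper.exe -accepteula \\FS01 -u CORP\svc_backup -p Hunter2 -s -d C:\Windows\Temp\payload.exe"},
    # Benign: listing snapshots and a PsExec copy under its own name.
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": r"vssadmin.exe list shadows"},
    {"Image": r"C:\Tools\PsExec.exe", "OriginalFileName": "psexec.c",
     "CommandLine": r"PsExec.exe \\FS01 cmd.exe"},
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

The four malicious events trigger one rule each (two for the renamed PsExec), while the benign `list shadows` and the correctly named PsExec produce no findings. In production these rules need tuning: administrators and backup agents do legitimately run `vssadmin delete shadows`, so the alert should be weighted by parent process and by the shadow-copy deletion occurring alongside bcdedit changes; and since OriginalFileName comes from a version resource an attacker can strip, the renamed-PsExec rule is best paired with the PSEXESVC service-installation event that PsExec leaves on the target host.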
