A new ransomware-as-a-service (RaaS) operation, impersonating the infamous Cicada 3301 group, has quickly gained traction, attacking companies worldwide and listing 19 victims on its extortion portal. This operation, using the same name and logo as the 2012-2014 cryptographic puzzle game Cicada 3301, has no legitimate connection to the original project, which has publicly condemned the cybercriminals’ actions.
The Cicada3301 ransomware group began promoting its services and recruiting affiliates on June 29, 2024, via the RAMP cybercrime forum. However, attacks were observed as early as June 6, suggesting the group was initially operating independently.
Cicada3301 employs double-extortion tactics, where attackers breach networks, steal data, and encrypt devices. The group then threatens to leak the stolen data unless a ransom is paid. Like other ransomware groups, they run a data leak site to pressure victims further.
A detailed analysis by Truesec reveals significant overlaps between Cicada3301 and ALPHV/BlackCat, suggesting the new group may be a rebrand or a fork of ALPHV’s core team. The similarities include:
* Both ransomware variants are written in Rust.
* They use the same encryption algorithm (ChaCha20).
* They share identical commands for shutting down virtual machines (VMs) and wiping snapshots.
* Both have the same command-line parameters, file-naming conventions, and ransom note decryption methods.
* Both use intermittent encryption on large files.
ALPHV’s exit scam in March 2024, where they stole $22 million from an affiliate and faked an FBI takedown, raises the possibility that Cicada3301 is its successor.
Truesec also discovered potential links between Cicada3301 and the Brutus botnet, known for VPN brute-forcing attacks on corporate networks. Brutus has previously targeted Cisco, Fortinet, Palo Alto, and SonicWall devices. Notably, Brutus activity began shortly after ALPHV’s shutdown, further hinting at a connection.
Cicada3301 uses ransomware built in Rust to target both Windows and Linux/VMware ESXi environments. The ESXi encryptor is designed to maximize damage in enterprise networks by disrupting VM operations and encrypting data.
Like other ransomware families, such as BlackCat and RansomHub, Cicada3301’s encryptor requires a key to launch, which decrypts a JSON blob containing the encryption configuration. It uses the ChaCha20 cipher for file encryption and RSA keys for securing the symmetric key.
The ransomware targets specific file extensions, especially those related to documents and media files. It also applies intermittent encryption for larger files (over 100MB) to maximize speed and impact while encrypting smaller files entirely.
The encryptor appends a random seven-character extension to filenames and creates ransom notes titled "RECOVER-[extension]-DATA.txt", similar to BlackCat's method. Additionally, it can delay execution with a sleep function to evade detection and is equipped with parameters to skip VM shutdowns before encryption.
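As an added example that is not from the article or from Truesec's analysis, the following Python triage helper turns the file-naming convention described above (random seven-character extension, ransom note named RECOVER-[extension]-DATA.txt) into a check a responder can run over a file listing from a suspect host. It assumes the random extension is alphanumeric (the article does not say), and the file listing is constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Ransom note naming convention from the article: RECOVER-<ext>-DATA.txt, where <ext>
# is the random seven-character extension appended to encrypted files.
# Assumption (not stated on the page): the extension is alphanumeric.
NOTE_RE = re.compile(r"^RECOVER-([A-Za-z0-9]{7})-DATA\.txt$")

# Constructed sample listing of an ESXi datastore and an admin home directory.
SAMPLE_LISTING = [
    "/vmfs/volumes/datastore1/web01/web01.vmdk.k3Xp9qA",
    "/vmfs/volumes/datastore1/web01/web01.vmx.k3Xp9qA",
    "/vmfs/volumes/datastore1/web01/RECOVER-k3Xp9qA-DATA.txt",
    "/vmfs/volumes/datastore1/db01/db01-flat.vmdk.k3Xp9qA",
    "/vmfs/volumes/datastore1/db01/RECOVER-k3Xp9qA-DATA.txt",
    "/vmfs/volumes/datastore1/db01/db01.nvram",
    "/home/admin/notes.txt",
    "/home/admin/RECOVER-readme.txt",  # wrong shape: not a seven-character token
]


def find_ransom_notes(paths):
    """Map each extension named in a matching ransom note to the note paths."""
    notes = defaultdict(list)
    for path in paths:
        match = NOTE_RE.match(os.path.basename(path))
        if match:
            notes[match.group(1)].append(path)
    return dict(notes)


def triage(paths):
    """For every extension found in a note, count files carrying that extension
    and the number of directories affected; this scopes the blast radius."""
    summary = {}
    for ext, note_paths in find_ransom_notes(paths).items():
        encrypted = [p for p in paths if p.endswith("." + ext)]
        directories = {os.path.dirname(p) for p in encrypted}
        summary[ext] = {
            "notes": len(note_paths),
            "encrypted_files": len(encrypted),
            "directories": len(directories),
        }
    return summary


if __name__ == "__main__":
    for ext, stats in triage(SAMPLE_LISTING).items():
        print(f"extension .{ext}: {stats}")
```

Run it against the output of a recursive directory listing from the affected host rather than the constructed sample to see which datastores and guests were touched.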
Cicada3301’s focus on VMware ESXi servers underscores its goal of causing maximum disruption in enterprise environments, where virtual machines are critical. By shutting down VMs, wiping snapshots, and encrypting files, the ransomware group ensures that victims are left with limited recovery options, heightening pressure to pay the ransom.
The group’s operations demonstrate a high level of sophistication, likely indicating that they are seasoned ransomware operators, further reinforcing suspicions of an ALPHV reboot or collaboration with experienced affiliates.