Related Families: ALPHV/BlackCat
Verticals Targeted: Construction, IT, Legal Services, Retail, Healthcare, Transportation, Telecommunications, Hospitality, Finance, Real Estate, Manufacturing
Executive Summary
Cicada3301 is a new ransomware as a service (RaaS) operation that uses sophisticated TTPs and exploits weaknesses in target network infrastructure to deploy its ransomware.
Key Takeaways
- Cicada3301 ransomware as a service (RaaS) was first observed in June 2024, advertised on the RAMP underground forum.
- The group is known to use sophisticated TTPs and to exploit weaknesses in target network infrastructure to deploy its ransomware.
- Cicada3301 is written in Rust and targets both Windows and Linux/ESXi systems.
- Similarities between Cicada3301 and ALPHV/BlackCat ransomware seem to indicate Cicada3301 could be an ALPHV rebrand.
What is Cicada3301?
Cicada3301 ransomware as a service (RaaS) was first observed in June 2024, advertised on the RAMP underground forum. The group is known to use sophisticated TTPs and to exploit weaknesses in target network infrastructure to deploy its ransomware. Hawkeye by DTS Solution recently reported on Cicada3301.
The malware's name is derived from Cicada 3301, a mysterious and complex cryptographic challenge with both online and offline elements that appeared between 2012 and 2014. Cicada3301 ransomware uses the challenge's name and logo but is not affiliated with the original challenge.
Cicada3301 is written in Rust and targets both Windows and Linux/ESXi systems. It accepts several configurable command-line parameters that let affiliates alter the ransomware's behavior at runtime. Cicada3301 threat actors obtain initial access through ScreenConnect, using stolen or brute-forced credentials, and the ransomware is capable of tampering with endpoint detection tooling.
Hawkeye noted similarities between Cicada3301 and ALPHV/BlackCat ransomware, which is also written in Rust. Both families use ChaCha20 for file encryption, issue similar commands to shut down virtual machines and delete snapshots on ESXi hosts, and accept a --ui command-line parameter that prints encryption progress to the console. Both use similar file naming conventions and the same approach to using the supplied key parameter to decrypt the embedded ransom note. Additionally, Cicada3301 emerged around the same time ALPHV appeared to dissolve. Based on these findings, Hawkeye states that Cicada3301 could be an ALPHV rebrand, a partnership with ALPHV's developers, or an unaffiliated group using modified ALPHV code.
Cicada3301 has been observed targeting small and medium-sized businesses (SMBs) in the construction, IT, legal services, retail, healthcare, transportation, telecommunications, hospitality, finance, real estate, and manufacturing sectors. Targets have primarily been in the US, Europe, and Singapore.
IOCs
PolySwarm has multiple samples of Cicada3301. SHA-256 hashes of representative samples:
7b3022437b637c44f42741a92c7f7ed251845fd02dda642c0a47fde179bd984e
dd98133b825a1632879b689b864b15a66741208343bc8ba080354e0133181d69
2d614f088f486f0870b3839ddb361e33efb73526a0a585f691874039f23171cc
You can use the following CLI command to search for all Cicada3301 samples in our portal:
$ polyswarm link list -f Cicada3301
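For defenders who want to hunt for these hashes on their own hosts rather than in the PolySwarm portal, the following Python script is an added example, not part of the PolySwarm post or its CLI. It streams files under a directory through SHA-256 and reports any whose digest matches the IOC set above. The demo() function runs entirely on constructed data: it writes a couple of benign files plus one planted stand-in whose hash is appended to a copy of the IOC set, so the script can be exercised offline without real malware. Hash normalization (case and whitespace) is included because IOC feeds are inconsistent about both.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 hashes of the Cicada3301 samples listed above (lower-case hex).
CICADA3301_SHA256 = {
    "7b3022437b637c44f42741a92c7f7ed251845fd02dda642c0a47fde179bd984e",
    "dd98133b825a1632879b689b864b15a66741208343bc8ba080354e0133181d69",
    "2d614f088f486f0870b3839ddb361e33efb73526a0a585f691874039f23171cc",
}


def sha256_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory buffer, as lower-case hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 in 1 MiB chunks so large binaries
    are never read into memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_iocs(iocs) -> set:
    """Hash feeds mix upper/lower case and stray whitespace; normalize so
    a case mismatch never hides a hit."""
    return {h.strip().lower() for h in iocs if h.strip()}


def scan_tree(root, iocs=CICADA3301_SHA256) -> dict:
    """Walk `root` and return {path: sha256} for every regular file whose
    digest is in the IOC set. Symlinks and unreadable files are skipped."""
    wanted = normalize_iocs(iocs)
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            digest = sha256_file(path)
        except OSError:
            continue  # permission denied, vanished file, etc.
        if digest in wanted:
            hits[str(path)] = digest
    return hits


def demo() -> dict:
    """Self-contained run on constructed data (no real malware): two benign
    files plus one planted stand-in whose hash is added, in upper case, to
    a copy of the IOC set. Returns {filename: sha256} for the hits."""
    planted = b"constructed stand-in for a malicious binary, not real malware"
    iocs = set(CICADA3301_SHA256) | {sha256_bytes(planted).upper()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"quarterly report draft")
        (root / "bin").mkdir()
        (root / "bin" / "svc.exe").write_bytes(planted)
        (root / "bin" / "helper.dll").write_bytes(b"benign placeholder")
        hits = scan_tree(root, iocs)
        return {Path(p).name: d for p, d in hits.items()}


if __name__ == "__main__":
    for name, digest in demo().items():
        print(f"HIT {name} {digest}")
```

To run it against a real host, call scan_tree("/path/to/scan") and feed the result to your case-management or SIEM tooling; a hash match is a high-confidence indicator but a miss is not an all-clear, since affiliates routinely rebuild payloads per victim.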
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.