Security researchers at Truesec recently identified a new ransomware-as-a-service (RaaS) operation called Cicada3301. The group runs a double-extortion platform, combining file encryption with a data-leak site. According to the research report, Cicada3301 first emerged in June 2024 and targets both Windows hosts and Linux/VMware ESXi hosts.
In their analysis, the researchers found similarities between Cicada3301 and the now-defunct AlphV (also known as BlackCat) ransomware gang: “Both ransomware families are written in Rust, both use ChaCha20 for encryption. Additionally, the commands for shutting down VMs and removing snapshots are nearly identical, and both use a -ui parameter to display a graphic during encryption.”
In the specific intrusion the researchers investigated, the attackers gained initial access with valid login credentials for ScreenConnect, a remote-access tool. The source IP address was linked to a botnet called “Brutus.” According to the report, Brutus is associated with a broader credential-stuffing campaign against VPN and remote-access products, including ScreenConnect.
Cicada3301’s emergence adds to the concern over ransomware groups that arrive with mature tooling from day one. The double-extortion model, encrypting data while also threatening to leak it, raises the pressure on victims: restoring from backups defeats the encryption but does nothing about the leak, so the extortion still works against organizations with good recovery discipline.
The choice of Rust is practical rather than novel. One code base compiles for both Windows and Linux/ESXi targets, and Rust binaries tend to be harder to reverse-engineer with tooling built around C/C++ malware. ChaCha20 is a fast, standard stream cipher; as with any properly implemented modern cipher, files encrypted with it cannot be recovered without the key, so recovery depends on offline backups and on catching the intrusion before encryption starts, not on breaking the cryptography.
The overlap with AlphV illustrates how code and tooling circulate in the cybercrime ecosystem. A shared language, the same cipher, near-identical commands for shutting down VMs and removing snapshots, and the same -ui parameter suggest reused source code or shared developers, but similarity is not attribution: the report presents this as a potential link or shared resources, not as proof that the same people are behind both operations. Tracking such overlaps is exactly the kind of work that requires security researchers, law enforcement, and defenders to pool what they see.
The use of valid credentials for initial access is a reminder of the basics: multi-factor authentication on every remote-access and VPN service, lockout or rate limiting on login endpoints, and access controls that limit what a single compromised account can reach. Credential-stuffing campaigns like the one tied to the Brutus botnet succeed against accounts whose passwords were reused or leaked elsewhere, and they leave a distinctive trail in authentication logs: bursts of failed logins against many different usernames from the same source, sometimes followed by a single success. Monitoring for that pattern, and treating a success from a source that was just spraying as an incident rather than a normal login, is what catches this kind of intrusion before the encryption stage.
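To make the detection concrete, here is an added example (not code from the Truesec report, the article, or any vendor) that runs a credential-stuffing check over constructed authentication log lines. The log format (timestamp, source IP, username, outcome) is an assumption for illustration; real ScreenConnect or VPN appliance logs differ and need their own parser. It flags sources that fail against many distinct accounts within a sliding window, then lists successful logins from those sources, which are the accounts the attacker now holds valid credentials for.

```python
"""Credential-stuffing detector over constructed auth log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data. 203.0.113.7 sprays many usernames,
# fails on most, then succeeds once. 198.51.100.4 is a real user mistyping a
# password once; 192.0.2.9 is a single unrelated failure.
SAMPLE_LOG = """\
2024-06-03T08:00:01Z 203.0.113.7 alice FAIL
2024-06-03T08:00:02Z 203.0.113.7 bob FAIL
2024-06-03T08:00:03Z 203.0.113.7 carol FAIL
2024-06-03T08:00:04Z 203.0.113.7 dave FAIL
2024-06-03T08:00:05Z 203.0.113.7 erin FAIL
2024-06-03T08:00:06Z 203.0.113.7 frank FAIL
2024-06-03T08:00:07Z 203.0.113.7 grace SUCCESS
2024-06-03T08:00:10Z 198.51.100.4 alice FAIL
2024-06-03T08:00:15Z 198.51.100.4 alice SUCCESS
2024-06-03T09:30:00Z 192.0.2.9 heidi FAIL
"""


def parse_line(line):
    """Assumed format: '<ISO-8601 UTC> <source ip> <username> <FAIL|SUCCESS>'."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def iter_events(log_text):
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def detect_stuffing(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted distinct usernames} for sources whose failed
    logins hit at least min_users distinct accounts inside any window.

    Counting distinct accounts, not raw failures, is what separates a spray
    from one user mistyping their own password a few times."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, outcome in iter_events(log_text):
        if outcome == "FAIL":
            fails_by_ip[ip].append((ts, user))

    alerts = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        flagged = set()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged |= users
        if flagged:
            alerts[ip] = sorted(flagged)
    return alerts


def successes_after_spray(log_text, **kwargs):
    """Return [(source_ip, username)] for successful logins from sources that
    detect_stuffing flagged: treat these as incidents, not normal logins."""
    flagged = detect_stuffing(log_text, **kwargs)
    return [
        (ip, user)
        for _, ip, user, outcome in iter_events(log_text)
        if outcome == "SUCCESS" and ip in flagged
    ]


if __name__ == "__main__":
    for ip, users in detect_stuffing(SAMPLE_LOG).items():
        print(f"spray from {ip}: {len(users)} accounts tried: {', '.join(users)}")
    for ip, user in successes_after_spray(SAMPLE_LOG):
        print(f"INCIDENT: {ip} logged in as {user} after spraying")
```

The thresholds (five distinct accounts in ten minutes) are placeholders; tune them against your own baseline, and remember that a botnet like Brutus spreads attempts across many source IPs, so the same check should also be run per target account and per source network, not only per single IP.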
Overall, the discovery of Cicada3301 shows ransomware operators continuing to reuse proven code and tactics rather than inventing new ones. The practical response is unchanged: multi-factor authentication on every remote-access path, monitored authentication logs, hardened and patched ESXi hosts, and tested offline backups, so that an emerging group like Cicada3301 meets the same defenses that stopped its predecessors.