
Researchers Discover Cicada3301 Ransomware Activities and Its Partner Program


Cybersecurity researchers have made significant progress in understanding the workings of a new ransomware-as-a-service (RaaS) known as Cicada3301 after gaining access to the group’s affiliate panel on the dark web. Singapore-based Group-IB contacted the threat actor operating under the Cicada3301 persona on the RAMP cybercrime forum through the Tox messaging service, after the actor posted an advertisement seeking new partners for its affiliate program.

In their recently released analysis, researchers Nikolay Kichatov and Sharmine Low detailed the contents of the Affiliates’ panel within Cicada3301’s dashboard, which is organized into sections named Dashboard, News, Companies, Chat Companies, Chat Support, Account, FAQ, and Log Out. This insight from Group-IB sheds light on the inner workings of the ransomware group and its operations.

Cicada3301 was first observed in June 2024, when cybersecurity experts uncovered striking similarities between its source code and that of the now-defunct BlackCat ransomware group. The RaaS scheme has reportedly targeted at least 30 organizations in critical sectors, predominantly in the U.S. and the U.K.

The Rust-based Cicada3301 ransomware stands out for its cross-platform capabilities, which allow affiliates to target a wide range of devices running various operating systems, including Windows and numerous Linux distributions. The ransomware can encrypt files fully or partially, and it is also designed to cause disruption by shutting down virtual machines, hindering system recovery, terminating processes and services, and deleting shadow copies. Additionally, it can encrypt network shares to maximize its impact.

One notable aspect of Cicada3301 is its affiliate program, which recruits penetration testers (pentesters) and access brokers, offering a 20% commission for successful attacks. Affiliates are provided with a web-based panel equipped with comprehensive features to carry out targeted attacks effectively.

The various sections within the affiliate panel serve specific functions such as providing an overview of login attempts and the number of companies attacked, sharing product updates, adding victims and creating ransomware builds, communicating with victims and support representatives, managing affiliate accounts, and offering guidance on executing ransomware on different operating systems.

Overall, Cicada3301 is considered a significant threat in the ransomware landscape because of its advanced tooling and sophisticated operations. Its use of ChaCha20 + RSA encryption, together with the customizable features of the affiliate panel, allows affiliates to conduct precise and impactful attacks. By exfiltrating data before encryption and halting virtual machines, Cicada3301 puts additional pressure on victims and amplifies the impact of its attacks.

The insights provided by Group-IB shed light on the inner workings of Cicada3301 and highlight the growing sophistication and impact of ransomware attacks in the cybersecurity landscape. As ransomware threats continue to evolve, it becomes imperative for organizations and individuals to stay vigilant and adopt robust cybersecurity measures to defend against such malicious activities.
