Researchers Reveal Cicada3301 Ransomware Operations and Its Affiliate Program
Cybersecurity experts have discovered more details about a new ransomware-as-a-service (RaaS) known as Cicada3301 after accessing the group’s affiliate platform on the dark web.
Singapore-based Group-IB said it reached out to the threat actor behind the Cicada3301 alias on the RAMP cybercrime forum through the Tox messaging service, after the actor posted an advertisement seeking new participants for its affiliate program.
“The Affiliates’ panel of Cicada3301 ransomware group included segments such as Dashboard, News, Companies, Chat Companies, Chat Support, Account, an FAQ section, and Log Out,” researchers Nikolay Kichatov and Sharmine Low mentioned in a new report released today.
Cicada3301 first emerged in June 2024, with security researchers identifying significant source code overlaps with the now-defunct BlackCat ransomware group. The RaaS program is believed to have compromised at least 30 organizations in critical sectors, mainly in the U.S. and the U.K.
The Rust-based ransomware is cross-platform, enabling affiliates to target Windows; Linux distributions such as Ubuntu, Debian, CentOS, Rocky Linux, Scientific Linux, SUSE, and Fedora; ESXi hypervisors; NAS devices; and PowerPC, PowerPC64, and PowerPC64LE systems.
</gml_replace>
<gr_replace lines="7" cat="clarify" orig="Similar to other">
Like other ransomware families, Cicada3301 can fully or partially encrypt files, but only after first stopping virtual machines, inhibiting system recovery, terminating processes and services, and deleting shadow copies. It can also encrypt network shares for maximum impact.
Similar to other ransomware variations, Cicada3301 attacks can fully or partially encrypt files, after impeding virtual machines, hindering system restoration, stopping processes and services, and erasing shadow copies. It also possesses the capability to encrypt network shares for maximum effect.
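The pre-encryption steps listed above (deleting shadow copies, inhibiting recovery, stopping services) are visible as process-creation events long before any file is encrypted, which is where defenders have the best chance to intervene. The following is an added illustration of that detection idea, not code from Group-IB's report or from the ransomware itself; the Sysmon-style event records are constructed sample data, and the rule patterns are generic, widely published signatures rather than anything specific to Cicada3301.

```python
import re

# Constructed sample process-creation events in a Sysmon Event ID 1 style.
# These are NOT telemetry from any real Cicada3301 incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"host": "ws01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no",
     "parent": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows",          # benign admin activity
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws03", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net stop "SQL Server (MSSQLSERVER)" /y',
     "parent": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
]

# Each rule maps a command-line pattern to one of the behaviour categories
# described in the article. Patterns are case-insensitive because Windows is.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_inhibition",  re.compile(r"bcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no", re.I)),
    ("service_stop",         re.compile(r"\bnet1?(\.exe)?\s+stop\b", re.I)),
]


def match_rules(cmdline: str) -> list[str]:
    """Return the distinct behaviour categories whose pattern matches the command line."""
    hits: list[str] = []
    for name, pattern in RULES:
        if pattern.search(cmdline) and name not in hits:
            hits.append(name)
    return hits


def triage(events: list[dict]) -> dict[str, dict]:
    """Aggregate rule hits per host.

    A single hit (e.g. a service stop) is routine; two or more distinct
    categories on one host reproduce the pre-encryption sequence the article
    describes and are escalated. 'vssadmin list shadows' matches nothing, so
    ordinary administration does not trigger an alert.
    """
    per_host: dict[str, set[str]] = {}
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if hits:
            per_host.setdefault(ev["host"], set()).update(hits)
    return {
        host: {"categories": sorted(cats), "escalate": len(cats) >= 2}
        for host, cats in per_host.items()
    }


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        flag = "ESCALATE" if finding["escalate"] else "note"
        print(f"{host}: {flag} {', '.join(finding['categories'])}")
```

In production the same logic would consume real Sysmon or EDR process-creation events and would additionally weigh the parent image (a user-writable temp directory, as in the constructed events, is itself a weak signal), but the escalation rule, several distinct pre-encryption behaviours on one host within a short window, is what separates the ransomware pattern from an administrator running one command.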
“Cicada3301 operates an affiliate program recruiting penetration testers (pentesters) and access brokers, offering a 20% share, and providing a web-based interface with extensive features for affiliates,” the researchers pointed out.
A brief overview of the various sections is outlined below –
- Dashboard – A summary of successful or unsuccessful affiliate logins, and the number of targeted companies
- News – Updates on product features and news related to the Cicada3301 ransomware program
- Companies – Options to add victims (e.g., company details, ransom amount requested, discount deadline, etc.) and generate Cicada3301 ransomware versions
- Chat Companies – A platform for communicating and bargaining with victims
- Chat Support – A channel for affiliates to interact with representatives of the Cicada3301 ransomware group for issue resolution
- Account – Section dedicated to managing affiliate accounts and resetting passwords
- FAQ – Information on the rules and guidelines for creating victims in the “Companies” section, configuring the builder, and running the ransomware on different operating systems
“The Cicada3301 ransomware group has swiftly emerged as a notable menace in the ransomware ecosystem, owing to its sophisticated operations and advanced tools,” the researchers highlighted.
“By utilizing ChaCha20 + RSA encryption and furnishing a customizable affiliate panel, Cicada3301 empowers its partners to carry out highly specific attacks. Their technique of extracting data before encryption imposes additional pressure on victims, while the ability to stop virtual machines amplifies the impact of their assaults.”