Cybersecurity researchers have identified a new ransomware-as-a-service (RaaS) operation named Cicada3301. According to cybersecurity firm Truesec, which has analysed the ransomware, Cicada3301 may have links to the now-defunct ALPHV/BlackCat ransomware group. Both groups share similar methods of attack and code structures.

Truesec first observed the Cicada3301 ransomware group in June 2024, initially listing four victims on their victim blog. Since then, the number of victims listed has increased. Reports indicate that Cicada3301 operates as a traditional ransomware-as-a-service group, providing a platform for double extortion by using both ransomware encryption and a data leak site to pressure victims into paying a ransom.

Cicada3301 101

The group began actively recruiting affiliates on 29 June 2024 through a post on the RAMP cybercrime forum. However, there are indications that Cicada attacks were happening as early as 6 June 2024, before they started recruiting affiliates.

The Cicada3301 ransomware is written in Rust and targets both Windows systems and Linux VMware ESXi hosts. Truesec’s report focuses particularly on the ransomware’s ESXi encryptor and notes several similarities with the ALPHV/BlackCat ransomware.

Both ransomware strains utilise the ChaCha20 encryption algorithm, employ almost identical commands to shut down virtual machines and remove snapshots, and share similar file-naming conventions and methods for decrypting ransom notes.

Truesec’s investigation also points to a potential connection between Cicada3301 and the Brutus botnet, which is used to gain initial access to corporate networks. The Brutus botnet has been linked to widespread campaigns of password guessing against various VPN solutions, including Cisco, Fortinet, Palo Alto, and SonicWall. The botnet became active around the time that ALPHV ceased operations in March 2024, suggesting a possible overlap or collaboration between the two groups.

The initial attack vector for Cicada3301 involved the use of valid credentials, either stolen or brute-forced, to log in via ScreenConnect. The IP address 91.92.249.203, used in these attacks, is associated with the Brutus botnet. The use of this IP address shortly before the ransomware attacks began suggests a possible relationship between Cicada3301 and the Brutus botnet operators, or that both groups could be using similar tactics independently.

There are several theories regarding the origins of Cicada3301. One possibility is that some members of the ALPHV group have rebranded themselves as Cicada3301 and teamed up with the Brutus botnet to gain access to potential victims while adapting their ransomware. Another theory is that a different group of cybercriminals obtained the ALPHV code and modified it for their purposes. The ALPHV group had previously announced that the source code for their ransomware was for sale for $5m when they shut down operations.

Cicada3301 connections to Brutus botnet under investigation

Truesec’s technical analysis has shown that the Cicada3301 ransomware is a Linux ELF binary compiled from Rust. This was confirmed by string references to “Rust” and “Cargo”, Rust’s build system and package manager. The ransomware accepts various parameters, including ones for delaying encryption and for managing VMware ESXi virtual machines, to maximise its impact on targeted enterprise environments.
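The toolchain check described above (ELF binary, Rust and Cargo strings) can be reproduced on a sample during triage. The following is an added example, not Truesec's tooling or any code from the ransomware: it reads the fixed ELF header and scans printable strings for Rust build markers. The path fragments beyond “Rust” and “Cargo”, and the sample bytes, are assumptions constructed here.

```python
import re
import struct
import sys

# Strings a Rust/Cargo build typically leaves in a binary. "Rust" and "Cargo" are the
# markers the report names; the path fragments are assumed extra indicators, not from the report.
RUST_MARKERS = ("rustc", ".cargo/registry", "Cargo", "library/core/src", "library/std/src")
MACHINES = {0x03: "x86", 0x3E: "x86-64", 0xB7: "AArch64"}  # ELF e_machine values

def is_elf(data: bytes) -> bool:
    return data[:4] == b"\x7fELF"

def elf_header(data: bytes) -> dict:
    """Read the ELF identification bytes plus e_type/e_machine from the fixed header."""
    if not is_elf(data) or len(data) < 20:
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {"class": 64 if data[4] == 2 else 32,   # EI_CLASS: 2 = ELF64
            "e_type": e_type, "machine": MACHINES.get(e_machine, hex(e_machine))}

def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Equivalent of `strings -n 6`: runs of printable ASCII of at least min_len bytes."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def rust_indicators(data: bytes) -> list:
    return [s for s in printable_strings(data) if any(marker in s for marker in RUST_MARKERS)]

def triage(data: bytes) -> dict:
    result = elf_header(data)
    result["rust_strings"] = rust_indicators(data)
    result["likely_rust"] = len(result["rust_strings"]) >= 2   # one hit alone is weak evidence
    return result

# Constructed sample: a 64-byte ELF64 little-endian x86-64 header followed by the kind of strings
# a Rust build embeds (the 40-zero commit hash is a placeholder, not a real rustc revision).
SAMPLE = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
          + struct.pack("<HHI", 2, 0x3E, 1) + b"\x00" * 40   # e_type=EXEC, e_machine=x86-64, e_version=1
          + b"/rustc/" + b"0" * 40 + b"/library/core/src/fmt/mod.rs\x00"
          + b"/home/build/.cargo/registry/src/index.crates.io/\x00"
          + b"Cargo.toml\x00")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Run it with a file path to triage a real sample; without arguments it runs against the constructed bytes.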

The connections between Cicada3301, ALPHV, and the Brutus botnet remain under investigation, and more information may reveal further links or differences between these groups.

In a related development, the US Federal Bureau of Investigation (FBI) recently announced that the RansomHub ransomware group has compromised over 200 victims since its emergence in February 2024. This RaaS group, which was formerly known as Cyclops and Knight, has been involved in attacks targeting a broad range of critical infrastructure sectors throughout the US.

Written by Swagath Bandhakavi
