Cicada3301

Researchers at Singapore-based Group-IB have uncovered a nascent RaaS called Cicada3301 after successfully gaining access to the group's darknet affiliate panel.

Group-IB managed to get in touch with a hacker under the pseudonym Cicada3301 on the RAMP forum through the Tox messaging service after the gang placed an advertisement inviting new partners to join in its affiliate program.

Cicada3301 has launched an affiliate program to recruit penetration testers (pentesters) and access brokers, offering a 20% commission and providing a web dashboard with extensive features.

The panel used by the Cicada3301 ransomware operators has a toolbar with sections such as dashboard, news, companies, company chat, support chat, account, FAQ, and logout.

Cicada3301 first came to light in June 2024, when the infosec community discovered strong similarities between its source code and that of the now-defunct BlackCat ransomware group. The RaaS scheme is estimated to have compromised at least 30 organizations in critical sectors, most of them in the US and UK.

The Rust-based ransomware is cross-platform and allows its operators to attack devices running Windows, Linux, Ubuntu, Debian, CentOS, Rocky Linux, Scientific Linux, SUSE, Fedora, ESXi, NAS, PowerPC, PowerPC64, and PowerPC64LE.

Like other ransomware strains, Cicada3301 can encrypt files in whole or in part, but not before shutting down virtual machines, blocking system recovery, terminating processes and services, and deleting shadow copies.

The strain is also capable of encrypting network resources for maximum impact. All of this has allowed Cicada3301 to quickly establish itself as a serious threat in the ransomware space, thanks to its sophisticated operations and advanced tools.

Using ChaCha20 + RSA encryption with customizable modes and offering a customizable affiliate panel, Cicada3301 gives its operators the means to carry out effective targeted attacks.

At the same time, a double-extortion scheme with data exfiltration before encryption adds a further layer of pressure on victims, while the ability to shut down virtual machines increases the impact of the attacks.

Technical details, IOCs and recommendations are in the report: https://www.group-ib.com/blog/cicada3301/
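As an added example (not code from the Group-IB report or from this post), here is a small Python detector for the pre-encryption chain described above: shadow copy deletion, recovery blocking and service stops that appear on one host within a short window. The hostnames, timestamps and command lines in the sample events are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events: (timestamp, host, command line).
# Hypothetical sample data, not indicators from the report.
SAMPLE_EVENTS = [
    ("2024-09-01T10:00:01", "srv-fs01", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("2024-09-01T10:00:03", "srv-fs01", r"C:\Windows\System32\bcdedit.exe /set {default} recoveryenabled no"),
    ("2024-09-01T10:00:05", "srv-fs01", r"C:\Windows\System32\net.exe stop MSSQLSERVER /y"),
    ("2024-09-01T10:00:09", "srv-fs01", r"C:\Windows\System32\wbem\WMIC.exe shadowcopy delete"),
    ("2024-09-01T11:30:00", "wks-042", r"C:\Program Files\Backup\agent.exe --snapshot"),
]

# One regex per stage of the pre-encryption chain, matched against the command line.
STAGES = {
    "shadow_copy_deletion": re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "recovery_blocking": re.compile(r"bcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no", re.I),
    "service_stop": re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S+", re.I),
}


def detect_pre_encryption_chain(events, window_seconds=300, min_stages=2):
    """Return {host: sorted stage names} for every host on which at least
    min_stages distinct stages occur within window_seconds of each other.
    A single stage (e.g. one service stop) is normal admin noise; several
    stages clustered together is the pattern worth alerting on."""
    hits = defaultdict(list)  # host -> [(timestamp, stage)]
    for ts, host, cmdline in events:
        for stage, pattern in STAGES.items():
            if pattern.search(cmdline):
                hits[host].append((datetime.fromisoformat(ts), stage))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            # Distinct stages that start within the window opened by event i.
            stages = {s for t, s in seen[i:] if t - t0 <= timedelta(seconds=window_seconds)}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in detect_pre_encryption_chain(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

Feeding real process-creation telemetry (e.g. Sysmon event ID 1 or EDR command lines) into the same function is the intended use; the window and stage threshold are the two knobs to tune against your own admin baseline.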