A new ransomware-as-a-service (RaaS) operation named Cicada3301 has emerged, impersonating the legitimate Cicada 3301 organization, which was known for its cryptographic puzzles in the early 2010s. The cybercriminal group has already listed 19 victims on its extortion portal and has rapidly targeted companies worldwide.
Despite using the same name and logo as the original online/real-world game, there is no connection between the two. The legitimate Cicada 3301 organization has publicly condemned the ransomware group's actions, distancing itself from the cybercriminals.
The ransomware operation began recruiting affiliates on the RAMP forum in June 2024, although attacks had already been observed as early as June 6. Cicada3301 employs double-extortion tactics: it breaches corporate networks and steals data before encrypting devices, then uses the stolen data as leverage to demand ransom payments.
Research by cybersecurity firm Truesec reveals striking similarities between Cicada3301 and the ALPHV/BlackCat ransomware, including shared encryption methods and system shutdown commands, suggesting a possible rebrand by former ALPHV members. Notably, both operations utilize the Rust programming language and the ChaCha20 encryption algorithm.
Cicada3301 is also linked to the Brutus botnet, which is known for brute-forcing VPN appliances to gain initial access to networks; this activity was observed after ALPHV ceased operations.
Targeting VMware ESXi environments, the ransomware is designed to maximize damage by encrypting virtual machines and removing recovery options.
Its sophisticated methods suggest an experienced group, possibly affiliated with ALPHV, aiming to cause widespread disruption and force victims into paying substantial ransoms.