Cybersecurity researchers have gathered more information about a nascent ransomware-as-a-service (RaaS) called Cicada3301 after successfully gaining access to the group’s affiliate panel on the dark web.
Singapore-headquartered Group-IB said it contacted the threat actor behind the persona Cicada3301 on the RAMP cybercrime forum via the Tox messaging service after the latter posted an ad calling for new partners in its affiliate program.
“The Cicada3301 ransomware group’s affiliate panel dashboard had sections like Control Panel, News, Campaigns, Chat Campaigns, Chat Support, Account, FAQ section questions and ‘Exit’,” researchers Mikalai Kichatov and Sharmin Lowe said in a new analysis published today.
Cicada3301 first emerged in June 2024, and the cybersecurity community quickly noted strong similarities between its source code and that of the now-defunct BlackCat ransomware group. The RaaS scheme is estimated to have compromised at least 30 organizations in critical sectors, most of them in the US and UK.
Written in Rust, the ransomware is cross-platform, allowing affiliates to target devices running Windows; the Linux distributions Ubuntu, Debian, CentOS, Rocky Linux, Scientific Linux, SUSE and Fedora; ESXi; NAS appliances; and PowerPC, PowerPC64 and PowerPC64LE systems.
Like other ransomware families, Cicada3301 can fully or partially encrypt files, but not before shutting down virtual machines, disabling system recovery, stopping processes and services, and deleting shadow copies. It is also capable of encrypting files on network shares for maximum impact.
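The pre-encryption steps listed above (shadow copy deletion, disabling recovery, stopping services, powering off virtual machines) are the point at which a defender still has time to act, so they are worth detecting as a sequence rather than as isolated events. The following detector is an added example, not code from the Group-IB analysis or from this article; the log lines are constructed, the log format is an assumed "timestamp host user command-line" layout, and the command-line patterns are assumptions about how these administrative actions are commonly logged, to be tuned per environment.

```python
"""
Added example (not from the article or the Group-IB report): flag the
pre-encryption behaviours the article lists in process-creation events,
then report hosts where several of them occur together.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Each rule maps a behaviour named in the article to a command-line pattern.
# Patterns are assumptions about typical logging of these actions.
RULES: List[Tuple[str, re.Pattern]] = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("service_stop", re.compile(r"\b(?:net|sc)(?:\.exe)?\s+stop\b", re.I)),
    ("vm_shutdown", re.compile(r"\bvim-cmd\b.*\bvmsvc/power\.off\b", re.I)),
]

# Constructed process-creation events: "<timestamp> <host> <user> <command line>".
SAMPLE_LOG = [
    r"2024-09-10T14:02:11Z WS01 corp\jdoe C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"2024-09-10T14:02:12Z WS01 corp\jdoe C:\Windows\System32\bcdedit.exe /set {default} recoveryenabled no",
    r"2024-09-10T14:02:15Z WS01 corp\jdoe C:\Windows\System32\net.exe stop MSSQLSERVER /y",
    r"2024-09-10T14:05:40Z FS02 corp\backupsvc C:\Windows\System32\vssadmin.exe list shadows",
    r"2024-09-10T14:06:02Z WS03 corp\amy C:\Windows\System32\notepad.exe C:\Users\amy\notes.txt",
    r"2024-09-10T14:07:30Z ESX1 root /bin/vim-cmd vmsvc/power.off 12",
]


def parse_event(line: str):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.strip().split(maxsplit=3)
    if len(parts) < 4:
        return None
    ts, host, user, cmdline = parts
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}


def match_rules(cmdline: str) -> Set[str]:
    """Return the set of behaviour names whose pattern matches the command line."""
    return {name for name, pattern in RULES if pattern.search(cmdline)}


def analyze(lines):
    """Return (findings, per_host): every rule hit, and the behaviours seen per host."""
    findings = []
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name in sorted(match_rules(ev["cmdline"])):
            findings.append((ev["ts"], ev["host"], name, ev["cmdline"]))
            per_host[ev["host"]].add(name)
    return findings, dict(per_host)


def precursor_hosts(per_host: Dict[str, Set[str]], min_behaviours: int = 2) -> List[str]:
    """Hosts showing at least min_behaviours distinct pre-encryption behaviours."""
    return sorted(h for h, seen in per_host.items() if len(seen) >= min_behaviours)


if __name__ == "__main__":
    hits, by_host = analyze(SAMPLE_LOG)
    for ts, host, name, cmd in hits:
        print(f"{ts} {host} {name}: {cmd}")
    print("hosts with a precursor chain:", precursor_hosts(by_host))
```

Listing shadow copies (FS02) is deliberately not flagged, since backup software does that routinely; only the destructive form matches. Requiring two distinct behaviours on one host before escalating keeps a single legitimate `net stop` from paging anyone, while the three-step chain on WS01 is exactly the pattern described above.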
“Cicada3301 is launching an affiliate program recruiting penetration testers (pentesters) and access brokers, offering 20% commissions and providing a web dashboard with extensive affiliate opportunities,” the researchers noted.
A summary of the various sections is as follows –
- Dashboard – Overview of successful and unsuccessful logins by partners, as well as the number of attacked companies
- News – Information about Cicada3301 ransomware product updates and news
- Companies – Provides options for adding victims (such as company name, ransom amount required, discount expiration date, etc.) and creating Cicada3301 ransomware builds
- Chat companies – Interface for communication and negotiation with victims
- Chat support – Interface for affiliates to communicate with representatives of the Cicada3301 ransomware group to resolve issues
- Account – Section dedicated to managing partner accounts and resetting their passwords
- FAQ – Provides detailed information on the rules and instructions for creating victims in the Campaigns section, configuring the builder, and steps to run ransomware on various operating systems
“The Cicada3301 ransomware group has quickly established itself as a significant threat in the ransomware landscape due to its sophisticated operations and sophisticated tools,” the researchers said.
“Using ChaCha20 + RSA encryption and offering a customizable partner panel, Cicada3301 allows its partners to perform highly targeted attacks. Their approach of stealing data before encryption creates an additional layer of pressure on victims, while the ability to shut down virtual machines increases the impact of their attacks.”