A new ransomware group, Cicada3301, has emerged as a significant threat since its discovery in June 2024, targeting businesses in critical sectors across the US and UK.
In just three months, the group has reportedly published data from 30 companies on its dedicated leak sites, underscoring the severity of the threat.
Multi-Platform Ransomware and Advanced Encryption
A recent analysis by Group-IB revealed that Cicada3301's ransomware is written in Rust, allowing it to function across multiple platforms, including Windows, Linux, ESXi and even less common architectures like PowerPC.
The ransomware employs advanced encryption techniques, using ChaCha20 and RSA encryption with configurable modes – Full, Fast and Auto.
This flexibility allows for varying levels of encryption based on file sizes and extensions, optimizing the ransomware's impact.
Cicada3301's Sophisticated Affiliate Program
One of the standout aspects of Cicada3301 is its sophisticated affiliate program, which recruits penetration testers and access brokers.
Affiliates are offered a 20% commission on ransom payouts and gain access to a web-based panel that provides extensive tools for customizing attacks.
The web panel allows affiliates to generate ransomware samples, create ransom notes and manage negotiations with victims.
The affiliate program includes:
- Recruitment of penetration testers and access brokers
- A web interface for generating lockers and ransom notes
- Communication channels for negotiating ransom payments
Aggressive Tactics and Operational Control
Cicada3301 employs aggressive tactics designed to cause maximum disruption.
Its ransomware is capable of shutting down virtual machines, terminating critical services and deleting shadow copies, all while avoiding detection.
The web panel gives affiliates granular control over their attacks, from choosing encryption settings to configuring ransom demands.
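The three behaviours named above (virtual machine shutdown, service termination and shadow copy deletion) are routine on their own but rarely coincide on one host, so a defender can correlate them. The following detector is an added example, not code from the article or from any Cicada3301 sample: the command-line patterns are common administrative commands chosen for illustration, and the events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviours the article attributes to the ransomware, mapped to command-line
# patterns. These are generic admin commands picked for this example (an
# assumption), not commands documented for any Cicada3301 sample.
BEHAVIOURS = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "service_termination": re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S+", re.I),
    "vm_shutdown": re.compile(r"\besxcli\s+vm\s+process\s+kill\b", re.I),
}
WINDOW = timedelta(minutes=5)

def classify(cmdline):
    """Return the set of behaviour names whose pattern matches the command line."""
    return {name for name, rx in BEHAVIOURS.items() if rx.search(cmdline)}

def detect(events, window=WINDOW, min_behaviours=2):
    """Flag hosts where >= min_behaviours distinct behaviours occur within `window`.

    events: iterable of (host, iso_timestamp, command_line).
    Returns one (host, first_timestamp, sorted_behaviours) alert per flagged host.
    """
    per_host = defaultdict(list)
    for host, ts, cmd in events:
        hits = classify(cmd)
        if hits:
            per_host[host].append((datetime.fromisoformat(ts), hits))
    alerts = []
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _) in enumerate(hits):          # slide a window from each hit
            seen = set()
            for t, names in hits[i:]:
                if t - t0 > window:
                    break
                seen |= names
            if len(seen) >= min_behaviours:
                alerts.append((host, t0.isoformat(), sorted(seen)))
                break                                # one alert per host is enough here
    return alerts

# Constructed sample events: one host shows the correlated sequence; the others
# show isolated, routine activity that must not alert at the default threshold.
SAMPLE_EVENTS = [
    ("esx-host-1", "2024-09-01T02:10:05", "esxcli vm process kill --type=force --world-id=123456"),
    ("file-srv-1", "2024-09-01T02:12:00", "vssadmin.exe delete shadows /all /quiet"),
    ("file-srv-1", "2024-09-01T02:12:09", "net.exe stop MSSQLSERVER /y"),
    ("ws-07", "2024-09-01T09:00:00", "net stop Spooler"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT", alert)
```

In practice the events would come from process-creation telemetry (for example Sysmon event ID 1 or ESXi shell logs), and the threshold and window should be tuned to the environment's normal maintenance activity.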
As Cicada3301 continues to rise, organizations must prioritize multi-factor authentication, early detection, proper backup strategies and regular patching to mitigate the risks posed by such advanced ransomware groups.