Emerging RaaS group Cicada3301 identified with suspected links to ALPHV/BlackCat

Cybersecurity researchers have identified a new ransomware-as-a-service (RaaS) operation named Cicada3301, which is believed to share connections with the now-defunct ALPHV/BlackCat ransomware group. According to a report by cybersecurity firm Truesec, Cicada3301 exhibits similarities in attack methods and code structures with ALPHV, raising concerns about the possible resurgence of tactics used by the older group.

Truesec first detected Cicada3301 in June 2024, with the group listing four initial victims on their blog. Since then, the number of victims has grown, indicating an escalating threat. Cicada3301 operates as a traditional RaaS group, offering a platform for double extortion by combining ransomware encryption with a data leak site to coerce victims into paying a ransom.

Cicada3301 began recruiting affiliates on 29 June 2024 through a post on the RAMP cybercrime forum. However, evidence suggests that the group had initiated attacks as early as 6 June 2024, before the official recruitment drive.

The ransomware, written in Rust, targets both Windows and Linux/VMware ESXi hosts. Truesec’s analysis highlighted that Cicada3301’s ESXi encryptor shares several similarities with ALPHV/BlackCat ransomware, including the use of the ChaCha20 encryption algorithm and identical commands for shutting down virtual machines and removing snapshots.

Truesec’s investigation also uncovered potential links between Cicada3301 and the Brutus botnet, which is used to gain initial access to corporate networks. The Brutus botnet has been associated with widespread password-guessing campaigns targeting VPN solutions from vendors like Cisco, Fortinet, Palo Alto, and SonicWall. Notably, the Brutus botnet became active around the time ALPHV ceased operations in March 2024, suggesting possible collaboration or overlap in tactics between the two groups.

Cicada3301’s initial attack vector involved using valid credentials, either stolen or brute-forced, to access systems via ScreenConnect. The IP address 91.92.249.203, tied to the Brutus botnet, was used in these attacks, indicating a possible connection between the ransomware group and the botnet operators.

There are several theories regarding the origins of Cicada3301. One possibility is that members of the ALPHV group have rebranded themselves as Cicada3301 and collaborated with the Brutus botnet to adapt their ransomware and gain access to victims. Another theory suggests that a different cybercriminal group may have acquired and modified the ALPHV code for their purposes, especially since the ALPHV group had announced the sale of their source code for $5 million when they shut down.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543