CICADA3301 Ransomware Affiliate Program Infiltrated by Security Researchers

Summary:
Group-IB researchers successfully infiltrated the Cicada3301 ransomware-as-a-service group, uncovering significant details about its operations and affiliate panel. Cicada3301, which started recruiting affiliates in June 2024, has targeted approximately 30 victims, primarily in the U.S. and U.K. The group garnered attention because its ransomware resembles that of the ALPHV/BlackCat gang, though it remains unclear whether Cicada3301 is a rebranding or whether it purchased ALPHV/BlackCat's source code after it was put up for sale. While both ransomware families share many traits, key differences include fewer command line options, variations in access key usage, and differences in ransom note conventions.


The affiliate panel, accessible via Tor, provides affiliates with a dashboard displaying login activity and an overview of targeted companies. Affiliates can use the panel’s News, Companies, Chat Companies, and Chat Support sections to manage ransomware operations. The News section includes updates and feature optimizations, such as a new file server for data exfiltration and the addition of a call center for negotiating ransoms over the phone. The Companies section allows affiliates to create and organize attacks by setting ransom amounts, creating custom ransomware samples, and configuring encryption methods. Affiliates can choose between fast, full, or automatic encryption and configure victim landing pages to either display both encryption and data leak notices or just data leak notifications. Additional features include setting virtual machine exclusions and specifying Windows credentials for access.


Security Officer Comments:


Cicada3301's ransomware, written in Rust, uses ChaCha20 and RSA encryption, targeting Windows, Linux, ESXi, NAS, and PowerPC systems. The inclusion of PowerPC support is particularly notable, as this older infrastructure is rarely seen in modern systems. The ransomware utilizes a pool of 50 threads to encrypt files in parallel, increasing efficiency. It also employs several evasion techniques, including disabling security processes, shutting down virtual machines, and deleting backups to make recovery more difficult. The group pays its affiliates a 20% commission on ransom payments, and, like many ransomware groups, prohibits attacks on Commonwealth of Independent States (CIS) countries, which include Russia, Belarus, and others. The News section of the affiliate panel is written in Russian, suggesting Russian origins or affiliations, although both Russian and English are used for communication.


Suggested Corrections:
Researchers at Group-IB recommend the following to defend against the Cicada3301 ransomware group:

  • Add more layers of security: Multi-factor authentication (MFA) and credential-based access solutions help businesses secure their critical assets and high-risk users, making it harder for attackers to be successful.
  • Stop ransomware with early detection: Leverage the behavioral detection capabilities of the Endpoint Detection and Response (EDR) solution to help identify ransomware indicators across your managed endpoints, promptly alerting your teams to any suspicious activity for further scrutiny. This proactive approach enables agile detection, investigation and remediation of both known and unknown threats on your endpoints.
  • Have a backup strategy: Data backup processes should be conducted regularly as they reduce damage and help organizations avoid data loss following ransomware attacks.
  • Leverage an advanced malware detonation solution: Organizations should leverage AI-infused, advanced analytics-based solutions to detect intrusions in real time, and to:
    • gain insights into the unique Tactics, Techniques, and Procedures (TTPs) used by Advanced Persistent Threats (APTs) and other cybercriminal groups and pivot their security strategies accordingly; and
    • enable multi-layered cybersecurity (endpoint, email, web, and network) through automated threat detection and response.
  • Patch it up: The longer a vulnerability remains unpatched, the greater the risk that it will be exploited by cybercriminals. Security patches should therefore be prioritized, and organizations should also set up a process to regularly review and apply patches as they become available.
  • Train your employees: The human factor remains one of the greatest vulnerabilities in cybersecurity. Educate employees about the risks relating to the organization’s network, assets, devices, and infrastructure. Organizations should conduct training programs and security drills to help employees identify and report the tell-tale signs of cybercrime (e.g. phishing emails).
  • Control vulnerabilities: Do not turn a blind eye to emerging vulnerabilities. Checking your infrastructure annually with a technical audit or security assessment is not only a good habit, it also adds a much-needed layer of protection. Infrastructural integrity and digital hygiene processes should be monitored continually.
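The Security Officer Comments above list three host-level evasion behaviours (disabling security processes, shutting down virtual machines, deleting backups), and the "Stop ransomware with early detection" recommendation asks for behavioural EDR detection of exactly that kind of activity. The following is an added example of how such a correlation rule looks in practice; it is not code from Group-IB, SC Media, or the Cicada3301 report. It scans constructed Sysmon-style process-creation lines for generic, publicly documented ransomware-preparation commands (shadow copy and boot-recovery tampering, ESXi VM termination, service stops) and raises an alert only when a single host accumulates enough distinct behaviours. The command patterns, MITRE ATT&CK mappings, weights, threshold, host names and log lines are all assumptions chosen for the example, not indicators attributed to Cicada3301 by the page.

```python
"""Behavioural correlation over process-creation events (added example).

The log format, rule patterns, weights and threshold below are assumptions for
illustration; the command patterns are generic, well-known ransomware
preparation indicators rather than anything published for Cicada3301.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed one-line Sysmon-style process-creation events.
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmd>[^"]*)"$'
)


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str      # MITRE ATT&CK id (assumed mapping for the example)
    weight: int         # contribution to the per-host score
    pattern: re.Pattern


RULES = (
    # Backup / recovery tampering: shadow copies, backup catalog, boot recovery.
    Rule("backup_deletion", "T1490", 3, re.compile(
        r"\b(vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wbadmin(?:\.exe)?\s+delete\s+catalog"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|bcdedit(?:\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no)", re.I)),
    # Forced guest shutdown on an ESXi host so locked VM disks become encryptable.
    Rule("vm_shutdown", "T1489", 3, re.compile(
        r"\b(esxcli\s+vm\s+process\s+kill|vim-cmd\s+vmsvc/power\.off)", re.I)),
    # Service/process stops are common admin actions, so they carry a low weight
    # and only matter in combination with the behaviours above.
    Rule("service_stop", "T1562.001", 1, re.compile(
        r"\b(net1?(?:\.exe)?\s+stop\s+\S+|sc(?:\.exe)?\s+(?:stop|config)\s+\S+"
        r"|taskkill(?:\.exe)?\s+.*?/im\s+\S+)", re.I)),
)

# Constructed sample log: one noisy Windows host, one ESXi host, one benign host,
# plus a malformed line that the parser must skip.
SAMPLE_LOG = r"""
2024-09-05T10:01:02Z host=WS01 pid=4412 ppid=1200 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
2024-09-05T10:01:03Z host=WS01 pid=4420 ppid=1200 image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit.exe /set {default} recoveryenabled no"
2024-09-05T10:01:05Z host=WS01 pid=4431 ppid=1200 image=C:\Windows\System32\net.exe cmdline="net.exe stop ExampleBackupSvc"
2024-09-05T10:02:10Z host=ESX01 pid=88811 ppid=1 image=/bin/esxcli cmdline="esxcli vm process kill --type=force --world-id=2100311"
2024-09-05T10:02:11Z host=ESX01 pid=88812 ppid=1 image=/bin/vim-cmd cmdline="vim-cmd vmsvc/power.off 12"
2024-09-05T10:03:00Z host=WS02 pid=5120 ppid=900 image=C:\Windows\System32\net.exe cmdline="net.exe stop Spooler"
this line is not a process-creation event
""".strip().splitlines()


def parse_event(line):
    """Return the event fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(cmdline):
    """All rules whose pattern fires on a command line."""
    return [r for r in RULES if r.pattern.search(cmdline)]


def score_hosts(lines, threshold=4):
    """Score each host by the distinct behaviours seen; alert at or above threshold.

    Distinct rules are counted once per host, so three shadow-copy deletions do not
    outscore one deletion combined with a service stop: breadth of behaviour is
    what separates ransomware preparation from routine administration.
    """
    evidence = defaultdict(lambda: defaultdict(list))   # host -> rule -> cmdlines
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in match_rules(ev["cmd"]):
            evidence[ev["host"]][rule.name].append(ev["cmd"])

    scores, alerts = {}, []
    for host, hits in evidence.items():
        score = sum(r.weight for r in RULES if r.name in hits)
        scores[host] = score
        if score >= threshold:
            alerts.append({
                "host": host,
                "score": score,
                "techniques": sorted({r.technique for r in RULES if r.name in hits}),
                "evidence": dict(hits),
            })
    return scores, alerts


if __name__ == "__main__":
    host_scores, host_alerts = score_hosts(SAMPLE_LOG)
    for host, score in sorted(host_scores.items()):
        print(f"{host}: score={score}")
    for alert in host_alerts:
        print("ALERT", alert["host"], alert["techniques"], alert["evidence"])
```

In the constructed sample, only WS01 crosses the threshold: its backup tampering (weight 3) plus a service stop (weight 1) reach 4, while the ESXi host's VM shutdowns alone score 3 and the host that merely stopped the print spooler scores 1. Tuning the weights and threshold to the environment, and bounding the correlation to a short time window per host, is the real work when turning this into a production EDR or SIEM rule.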

Link(s):
https://www.scworld.com/news/cicada...e-program-infiltrated-by-security-researchers

https://www.group-ib.com/blog/cicada3301/