Cicada3301 (Ransomware Group) – Threat Actor

February 16, 2025
in Ransomware Group, Threat Actors

Cicada3301

Other Names: Repellent Scorpius
Date of Initial Activity: 2024
Suspected Attribution: Ransomware Group
Motivation: Financial Gain, Extortion
Software: Windows, Linux, ESXi

Overview

Cicada3301 is a new and emerging ransomware group that first appeared in June 2024, gaining attention for its unique approach to cybercrime. The group’s name appears to be an homage to the famous cryptography challenge Cicada 3301, which intrigued many internet users years ago, though no direct ties have been established between the two. Since its first appearance, Cicada3301 has made its presence felt in the cybersecurity landscape by posting victims on a public blog, marking a clear shift towards a ransomware-as-a-service (RaaS) model. This indicates that Cicada3301 is not just a standalone threat actor, but one that facilitates other cybercriminals in executing their ransomware attacks.

Cicada3301 operates using a dual-extortion strategy, offering a platform to affiliates for not only encrypting data but also leaking sensitive information. This model, popularized by other ransomware groups, significantly increases the pressure on victims by adding an extra layer of threat. Cicada3301’s ransomware is written in the Rust programming language, a choice that has become increasingly popular among cybercriminals due to its efficiency and security features. Interestingly, Cicada3301’s tactics, techniques, and procedures (TTPs) bear significant similarities to those of the now-defunct BlackCat/ALPHV group, suggesting a possible connection between the two.

Common targets: Individuals, Information

Attack Vectors: Credential-Based Attacks

How they operate

The ransomware deployed by Cicada3301 is versatile, supporting both Windows and Linux/ESXi systems. The group’s focus on Linux and ESXi environments marks a shift in the evolving threat landscape, where ransomware previously focused predominantly on Windows environments. Their ransomware leverages ChaCha20, a stream cipher known for its speed and security, to encrypt data, making decryption extremely challenging without the proper key. This strong encryption method ensures that victims are left with little to no chance of recovering their data without paying the ransom. The ransomware’s modular structure allows it to adapt to different systems, making it a powerful tool for various targets.

One of the key features of Cicada3301’s ransomware is its use of a “double extortion” model. This technique not only encrypts files but also threatens to leak sensitive data unless the ransom is paid. The group’s data leak site is an integral part of their operation, serving as a mechanism to publicly shame victims and increase pressure on them to comply with the ransom demand. This model amplifies the effectiveness of their attacks, as it capitalizes on the fear of sensitive information being exposed to the public. Additionally, Cicada3301’s ransomware includes specific commands to shut down virtual machines and remove snapshots, ensuring that the ransomware spreads rapidly and effectively in virtualized environments.

In terms of execution, Cicada3301’s initial access is often facilitated through the Brutus botnet, a network of compromised systems that allows the group to brute-force or steal credentials for remote access tools like ScreenConnect. This botnet provides the group with an entry point into their victims’ networks, where they can deploy ransomware and begin their extortion tactics. The group’s use of the Brutus botnet, which has been active since March 2024, suggests a high level of coordination and sophistication in their operations, allowing them to gain access to high-value targets quickly and efficiently.

The group’s technical sophistication is evident in their ransomware’s ability to integrate with different attack vectors, such as exploiting vulnerabilities and leveraging botnets for initial access. By utilizing these techniques, Cicada3301 ensures that its operations remain flexible, scalable, and capable of targeting a wide range of organizations. Although their methods show some resemblance to the now-defunct BlackCat/ALPHV ransomware group, Cicada3301’s ability to modify and adapt their tools demonstrates their capacity for innovation within the ransomware-as-a-service landscape. With their continued focus on expanding their reach and refining their tools, Cicada3301 is likely to remain a significant threat in the cybercriminal ecosystem for the foreseeable future.
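The ESXi behaviour described above (virtual machines powered off and their snapshots removed before encryption) can be hunted for in the hypervisor's shell log. The following Python is an added detection example, not code from the article or from the reports it draws on; the shell.log line format, the use of the shell pid as a session key, and the vim-cmd invocations are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ESXi shell.log-style lines (format assumed, not from the article):
# session 2001 powers off two VMs and removes their snapshots within seconds;
# session 3100 touches one VM hours apart, as routine maintenance might.
SAMPLE_LOG = """\
2024-06-20T03:12:05Z shell[2001]: [root]: vim-cmd vmsvc/power.off 1
2024-06-20T03:12:06Z shell[2001]: [root]: vim-cmd vmsvc/power.off 2
2024-06-20T03:12:09Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.removeall 1
2024-06-20T03:12:10Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.removeall 2
2024-06-21T09:00:00Z shell[3100]: [root]: vim-cmd vmsvc/power.off 7
2024-06-21T14:30:00Z shell[3100]: [root]: vim-cmd vmsvc/snapshot.removeall 7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[[^\]]+\]: (?P<cmd>.*)$")
ACTIONS = {  # each pattern captures the VM id the command acts on
    "off": re.compile(r"vim-cmd vmsvc/power\.off\s+(\d+)"),
    "snap": re.compile(r"vim-cmd vmsvc/snapshot\.removeall\s+(\d+)"),
}

def parse(log_text):
    """Return (timestamp, shell pid, command) for each well-formed line."""
    return [(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["pid"], m["cmd"])
            for m in map(LINE_RE.match, log_text.splitlines()) if m]

def find_bulk_vm_destruction(log_text, window=timedelta(minutes=5), min_vms=2):
    """Return (pid, window start, VM ids) for each shell session in which at least
    min_vms VMs were powered off AND stripped of snapshots inside one time window."""
    by_session = defaultdict(list)
    for ts, pid, cmd in parse(log_text):
        by_session[pid].append((ts, cmd))
    hits = []
    for pid, evs in sorted(by_session.items()):
        evs.sort()
        for i, (start, _) in enumerate(evs):  # sliding window over the session
            seen = {"off": set(), "snap": set()}
            for ts, cmd in evs[i:]:
                if ts - start > window:
                    break
                for kind, pattern in ACTIONS.items():
                    if (m := pattern.search(cmd)):
                        seen[kind].add(m.group(1))
            both = seen["off"] & seen["snap"]
            if len(both) >= min_vms:
                hits.append((pid, start, sorted(both)))
                break  # one alert per session is enough
    return hits
```

Power-off alone is normal administration, so the rule only fires when the same VMs also lose their snapshots within the window; tune `window` and `min_vms` to the host's maintenance patterns.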