A new Ransomware-as-a-Service (RaaS) group calling themselves Cicada3301 emerged in early June 2024 and has been using recruitment posts in dark web forums to attract new affiliates. As with many of the current active RaaS organizations, Cicada3301 uses double extortion, encrypting victim systems and stealing sensitive data. They have a data leak site (DLS) on the dark web where they have been posting victims since mid-June. The group has been observed encrypting Linux/VMware ESXi in addition to Windows operating systems.
Similarities with ALPHV/BlackCat
A recent analysis of Cicada3301’s ransomware conducted by cyber researchers discovered several significant code overlaps with the ransomware used by ALPHV, the prolific threat group who was targeted by law enforcement earlier this year and subsequently shut down their RaaS. According to researchers from Truesec, Cicada3301 and ALPHV ransomware similarities include:
- Written in Rust programming language
- Use the ChaCha20 algorithm for encryption
- Use almost identical commands to shutdown VM and remove snapshots
- Use the same command parameters to provide a graphic output on encryption
- Use intermittent encryptions on files larger than 100MB
- Use a similar naming convention for the ransom note file and the same key parameter used to decrypt the ransomware note
In addition to the code overlaps, Arete has also observed similarities in the format and design of the Tor chats Cicada3301 uses to communicate ransom payments to its victims. Like the Tor chats ALPHV used, Cicada3301’s has a similar layout, with certain words bolded in the instructions, a countdown timer, two prices listed based on whether the victim pays within the time limit posted, and payments are accepted in both Bitcoin and Monero.
Will the Real Cicada Please Stand Up?
This new ransomware group also appears to have taken their name from Cicada 3301, which was an unknown group who posted elaborate puzzles on the internet between 2012 and 2014. Solving the puzzles required knowledge of computer science and data security concepts such as coding, cryptography, and encryption. The last puzzle posted by the group was in early 2014 and has still not been solved. Although the purpose of the puzzles, and individuals who created them remains a mystery, there is no indication that this current ransomware group has any association with the original Cicada 3301. This wouldn’t be the first time a threat actor has used the name, as an unrelated group of hackers operating in 2015 also called themselves 3301.
Analyst Comments
At this time, it is too early to assess whether the similarities between the two groups are coincidental, or if there is a connection in the form of a rebranding of ALPHV, a new group working with former developers from ALPHV, or if ALPHV’s ransomware code was sold after the RaaS shut down its operations earlier this year. Following ALPHV’s exit scam and departure from the ransomware landscape, it was assumed members of the RaaS would rebrand or re-affiliate with other threat groups, so any of these connections are plausible. However, with 24 victims already posted to its DLS in less than three months, Cicada3301 already appears to be an emerging threat in the near-term, regardless of who is ultimately behind the new RaaS.
Related Resources
![]()
Iranian Hackers Working with Ransomware Groups
An Iranian threat group linked to the GOI collaborates with ransomware affiliates, aiding network access and extortion for a ransom share.
Read more![]()
Automotive Industry Faces Increased Cyberattacks
Recent ransomware attacks have severely impacted the automotive industry, disrupting car and parts availability, dealership operations, and global economies.
Read more![]()
FIN7 Return Drives Increase in Cl0p Ransomware Attacks
FIN7 resumed operations in April 2024, fueling a rise in Cl0p ransomware attacks. Their partnership poses a heightened threat, using malvertising and trojans to target victims.
Read more
