Cicada3301 ransomware affiliate program infiltrated by security researchers

The Cicada3301 ransomware-as-a-service (RaaS) group had its associates program infiltrated by Group-IB researchers, who printed new particulars in regards to the gang’s affiliate panel and ransomware strains in a report printed Thursday.

Cicada3301 first started recruiting associates in late June 2024, and has since claimed at the very least 30 victims, principally in america and United Kingdom. The group gained consideration in September attributable to analyses that discovered a number of similarities between Cicada3301’s ransomware and that of the defunct ALPHV/BlackCat ransomware gang.  

Whereas it’s nonetheless unclear if Cicada3301 is an ALPHV/BlackCat rebrand or if the group bought ALPHV/BlackCat’s supply code when it was put up on the market earlier this yr, Group-IB’s report additionally mentions “very sturdy similarities” with key variations together with a lot fewer command line choices, variations in entry key use, no embedded configuration and slight variations in ransom be aware naming conference.

The report additionally offered an in depth overview of the options accessible to Cicada3301 associates through the affiliate panel, together with the flexibility to simply handle sufferer corporations and customise assaults for every sufferer.

Cicada3301’s affiliate panel uncovered

The online interface of the Cicada3301 affiliate panel is accessible solely through Tor, and the principle affiliate dashboard shows an summary of profitable and failed login makes an attempt, fingerprint particulars and a chart of corporations the affiliate has focused, Group-IB revealed. The dashboard sidebar provides entry to different sections together with Information, Firms, Chat Firms and Chat Help.

The Information part contains launch notes for the Cicada3301 ransomware and different updates in regards to the group and its associates program, exhibiting numerous bug fixes and have optimizations on June 13, 2024, a brand new file server for associates to add exfiltrated knowledge on June 15, 2024, and the introduction of a name middle on June 18, 2024.

The Firms part is the place associates can start planning, documenting and organizing their assaults towards sufferer corporations, with the “Create firm” operate permitting the affiliate so as to add the sufferer’s title, ransom demand worth, low cost worth and low cost expiration time earlier than additional organizing their assault with customized ransomware samples and ransomware notes.

Associates can configure the ransomware utilized in every assault to vary the encryption sort between “quick,” “full” and “auto” encryption strategies, the kind of sufferer touchdown web page to create (encryption and knowledge leak, or knowledge leak solely), particular digital machine exclusions and Home windows credentials used for impersonation and entry.

The Chat Firms part opens up an interface to talk with victims to barter ransom funds and Chat Help opens up a separate interface for chatting with Cicada3301 representatives for assist points. Associates may use this interface to request to contact victims through cellphone name by means of the aforementioned name middle service.

The dashboard additionally contains an Account part for associates to reset the password they use to entry their affiliate panel in addition to an FAQ with extra details about the Cicada3301 ransomware and associates program.

The ransomware is written in Rust, makes use of ChaCha20 and RSA for encryption and is offered for Home windows ranging from Home windows 7, Linux, ESXi, NAS and PowerPC techniques. The PowerPC model is exclusive, as PowerPC is an older laptop infrastructure that’s hardly ever utilized in trendy techniques, aside from older Mac computer systems and different particular legacy techniques, Group-IB famous.

The Cicada3301 makes use of a thread pool of fifty threads to effectively encrypt quite a few information in parallel, and performs a number of actions to evade detection and inhibit restoration, reminiscent of disabling safety processes and digital machines, and deleting shadow copies and backups.  

Group-IB’s investigation discovered that the fee charge for associates is 20% of the ransom fee quantity and that Cicada3301 prohibits attacking nations within the Commonwealth of Unbiased States (CIS), which incorporates Russia, Belarus, Moldova, Armenia, Azerbaijan, Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan. Cicada3301 seems to make use of each Russian and English in its communications, with the Information part of the dashboard being fully in Russian.

“The emergence of Cicada3301 underscores the evolving threats organizations face from ransomware teams which might be more and more skilled, resourceful, and daring. It highlights the pressing want for organizations to bolster their cybersecurity measures, interact in proactive menace intelligence, and undertake a multi-layered protection technique to guard towards such superior adversaries,” Group-IB concluded.