Group-IB was able to infiltrate the ransomware-as-a-service group Cicada, gaining access to its affiliate panel to understand its inner workings.
The original Cicada 3301 first emerged in 2012 as a mysterious cryptographic puzzle group. The latest version functions as a ransomware-as-a-service gang, offering a platform for double extortion.
Ransomware-as-a-service is a cybercrime business model where ransomware operators write software that affiliates or threat actors can use while attacking a victim.
Between June and October 2024, the group stole and published data from roughly 30 companies on its dedicated leak site, with 24 of these victims located in the US and UK.
However, the group's identity remains a mystery, with some theorizing that Cicada3301 is a secret society or a secret recruitment tool for intelligence agencies.
But what we do know is that Group-IB, a cybersecurity company that builds tools to help fight digital crime, has managed to infiltrate the group’s affiliate platform and examine its inner workings.
Here’s what threat intelligence analysts discovered.
What we know
In June 2024, a user going by the name Cicada3301 posted a topic on the underground dark web forum RAMP advertising an affiliate program for the ransomware, Group-IB said.
The topic was written in Russian and later translated into English by Group-IB.
The topic said that the group was seeking pen-testers and advertisers. If someone was interested, they’d need to go through a “mini-interview” to be part of the affiliate program.
There were little to no other rules besides the fact that affiliates are banned from “conducting any operations in the countries of the Commonwealth of Independent States (CIS).”
This means that Belarus, Russia, Kazakhstan, Armenia, Moldova, Azerbaijan, Kyrgyzstan, Tajikistan, Uzbekistan, and Turkmenistan are strictly off-limits.
Affiliates were also told not to share access to the platform with anyone who is not already on the panel unless this had been approved in advance.
Cybercriminal affiliates would also receive a 20% share of the total payout from their victims.
Threat analysts noted that Cicada3301 ransomware is very similar to the long-retired but highly infamous BlackCat ransomware, with only four distinct differences.
BlackCat ransomware was a type of malware created by a group of Russian cybercriminals, and considering that Cicada3301 affiliates are prohibited from conducting operations in CIS countries, perhaps there’s a correlation.
According to Cybernews' Ransomlooker, the Cicada3301 ransomware group was highly active in June but fizzled out towards August, and there have been no reports of ransomware attacks from the group since.
Danger lurks in the locker
A ransomware locker lets a cybercriminal lock a victim’s device. However, this is just one part of a ransomware attack, as once the device is locked and encrypted, the threat actor demands payment.
According to Group-IB’s findings, “the locker is developed in Rust and utilizes ChaCha20 and RSA encryption.”
This combination of the Rust programming language with ChaCha20 and RSA encryption means that a victim's data would be mostly or totally encrypted.
ChaCha20 is particularly efficient at encryption, and RSA adds another layer of security. This means that once this combination is used, it is nearly impossible to retrieve your data without the decryption key, which is what a threat actor offers in exchange for a large ransom payment.
Also, the locker can be used offline, encrypts at a rate of 15 blocks of 1MB, supports multithreading (which means it can encrypt multiple files at once), features targeted encryption, and much more.
Group-IB’s findings point to this locker being extremely sophisticated and well thought out, which makes it highly dangerous.
Infiltration by Group-IB
Threat intelligence analysts at Group-IB contacted Cicada3301 via Tox, an instant messaging protocol. By messaging, analysts were able to access Cicada3301's affiliate program, where users could access ransomware.
The affiliate panel contained various sections, including the dashboard, news, companies, chat companies, chat support, account, FAQ section, and log-out. So, it’s structured like any other website.
The dashboard showed an overview of the site, successful and unsuccessful logins by the cybercriminal, and a chart showing the number of companies attacked by affiliates.
The news section contained news about the Cicada3301 ransomware program, including updates and announced plans for new features.
In the companies section, cybercriminals could log their victims, build samples of the ransomware, and configure these samples, Group-IB said.
There are various other features, including chat support, where cybercriminals can talk with representatives of the ransomware group to sort out problems, an account section, and FAQs, where administrators can answer popular questions.
What’s eerie is that this ransomware-as-a-service group functions like a legal business entity, as do most ransomware gangs.