Security Researchers Uncover Cicada3301 Ransomware Operations and Affiliate Program

• Cicada3301 Ransomware’s operation details were unveiled by security researchers.
• The security analysis also details the threat actor’s Ransomware-as-a-Service program.
• Windows, Linux, ESXi, and PowerPC variants of the ransomware went under the microscope as well.

The Cicada3301 Ransomware-as-a-Service (RaaS) group's operations and their affiliates' workflow were discovered by security researchers at Group-IB, who also examined the Windows, Linux, ESXi, and PowerPC variants of the ransomware in a new analysis. 

Group-IB's research provides an unprecedented look into the workings of Cicada3301's affiliate panel.  While the “original” Cicada 3301 emerged in 2012, the new Cicada3301 ransomware-as-a-service (RaaS) group was discovered in June 2024. 

This threat actor has been implicated in a series of attacks targeting critical sectors, primarily in the United States and the United Kingdom. Over a span of four months, they published data from 30 companies on their dedicated leak sites, with 24 victims reported.

Cicada3301 is notable for its use of a sophisticated affiliate program that recruits penetration testers and access brokers. Affiliates are promised a 20% commission and gain access to a comprehensive web-based panel that includes advanced features for orchestrating attacks. 

The ransomware itself is developed in Rust and supports a wide range of platforms, including Windows, Linux, ESXi, and NAS. It also extends to less common architectures, such as PowerPC, showcasing the group's technical prowess. 

Designed for maximum disruption, it employs ChaCha20 and RSA encryption, allowing for configurable modes—Full, Fast, and Auto—to balance speed and impact. The ransomware can shut down virtual machines, terminate processes, delete shadow copies, and encrypt network shares.

This comes after the group claimed that they no longer handle private decryption keys on their server, an adjustment following the Europol-led Operation Cronos against the LockBit ransomware group, which allowed victims to access decryptors for free, without ransom payments.