The Cicada3301 ransomware-as-a-service (RaaS) group had its affiliate program infiltrated by Group-IB researchers, who published new details about the gang’s affiliate panel and ransomware strains in a report released Thursday.
Cicada3301 first began recruiting affiliates in late June 2024, and has since claimed at least 30 victims, mostly in the United States and United Kingdom. The group gained attention in September due to analyses that found several similarities between Cicada3301’s ransomware and that of the defunct ALPHV/BlackCat ransomware gang.
While it is still unclear whether Cicada3301 is an ALPHV/BlackCat rebrand or whether the group purchased ALPHV/BlackCat’s source code when it was put up for sale earlier this year, Group-IB’s report also notes “very strong similarities” between the two, with key differences including far fewer command-line options, differences in access key use, no embedded configuration and slight differences in the ransom note naming convention.
The report also provided a detailed overview of the features available to Cicada3301 affiliates via the affiliate panel, including the ability to easily manage victim companies and customize attacks for each victim.
Cicada3301’s affiliate panel uncovered
The web interface of the Cicada3301 affiliate panel is accessible only via Tor, and the main affiliate dashboard displays an overview of successful and failed login attempts, fingerprint details and a chart of companies the affiliate has targeted, Group-IB revealed. The dashboard sidebar gives access to other sections including News, Companies, Chat Companies and Chat Support.
The News section includes release notes for the Cicada3301 ransomware and other updates about the group and its affiliate program, showing a large number of bug fixes and feature optimizations on June 13, 2024, a new file server for affiliates to upload exfiltrated data on June 15, 2024, and the introduction of a call center on June 18, 2024.
The Companies section is where affiliates can begin planning, documenting and organizing their attacks against victim companies, with the “Create company” function allowing the affiliate to add the victim’s name, ransom demand price, discount price and discount expiration time before further organizing their attack with custom ransomware samples and ransomware notes.
Affiliates can configure the ransomware used in each attack to change the encryption type between “fast,” “full” and “auto” encryption methods, the type of victim landing page to create (encryption and data leak, or data leak only), specific virtual machine exclusions and Windows credentials used for impersonation and access.
The Chat Companies section opens up an interface to chat with victims to negotiate ransom payments and Chat Support opens up a separate interface for chatting with Cicada3301 representatives for support issues. Affiliates can also use this interface to request to contact victims via phone call through the aforementioned call center service.
The dashboard also includes an Account section for affiliates to reset the password they use to access their affiliate panel as well as an FAQ with more information about the Cicada3301 ransomware and affiliate program.
The ransomware is written in Rust, uses ChaCha20 and RSA for encryption and is available for Windows starting from Windows 7, Linux, ESXi, NAS and PowerPC systems. The PowerPC version is unusual, as PowerPC is an older computer architecture that is rarely used in modern systems, other than older Mac computers and other specific legacy systems, Group-IB noted.
Cicada3301 uses a thread pool of 50 threads to encrypt numerous files in parallel, and performs several actions to evade detection and inhibit recovery, such as disabling security processes and virtual machines, and deleting shadow copies and backups.
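As an added example from the defender’s side (not code from the Group-IB report or from Cicada3301), the Python below scans constructed Windows and ESXi process-creation events for the recovery-inhibition behaviour described above. The article does not name the commands the ransomware runs, so the matched command lines are assumptions drawn from common shadow-copy, backup-catalog and VM power-off tradecraft (MITRE ATT&CK T1490), not Cicada3301-specific indicators.

```python
"""Flag recovery-inhibition commands in process-creation events (added example)."""
import re
from typing import Dict, List

# Assumed patterns: the report only says Cicada3301 deletes shadow copies and
# backups and disables virtual machines; these are the usual command lines
# behind that behaviour, not indicators taken from the Cicada3301 samples.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("esxi_vm_power_off", re.compile(r"vim-cmd\s+vmsvc/power\.off\b", re.I)),
]

# Constructed sample events in a Sysmon Event ID 1 / auditd-like shape.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Computer": "WS01", "ParentImage": r"C:\Users\alice\Downloads\update.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS01", "ParentImage": r"C:\Users\alice\Downloads\update.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"Computer": "WS02", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"Computer": "ESX01", "ParentImage": "/bin/sh",
     "CommandLine": "vim-cmd vmsvc/power.off 12"},
]


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event whose CommandLine matches any rule."""
    alerts = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        for rule_name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append({"rule": rule_name, "host": ev.get("Computer", "?"),
                               "parent": ev.get("ParentImage", "?"), "command": cmd})
                break  # one alert per event is enough for triage
    return alerts


def summarize_by_host(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count alerts per host; several hits on one host in quick succession is
    the pattern ransomware produces when it chains these commands."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["host"]] = counts.get(a["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert['host']}: {alert['rule']} <- {alert['parent']}: {alert['command']}")
```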
Group-IB’s investigation found that the commission rate for affiliates is 20% of the ransom payment amount and that Cicada3301 prohibits attacking countries in the Commonwealth of Independent States (CIS), which includes Russia, Belarus, Moldova, Armenia, Azerbaijan, Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan. Cicada3301 appears to use both Russian and English in its communications, with the News section of the dashboard being entirely in Russian.
“The emergence of Cicada3301 underscores the evolving threats organizations face from ransomware groups that are increasingly professional, resourceful, and bold. It highlights the urgent need for organizations to bolster their cybersecurity measures, engage in proactive threat intelligence, and adopt a multi-layered defense strategy to protect against such advanced adversaries,” Group-IB concluded.