Alphv Rebrands as Cicada3301: Old Extortionists, New Name

ExaSec reported on the emergence of a new cybercrime group called Cicada3301, which has already targeted 19 victims worldwide using the RaaS (ransomware-as-a-service) model, leaving security experts puzzled.

Named after a popular online game from 2012-2014 known for its intricate cryptographic puzzles, Cicada3301 has no affiliation with the original project and has been vehemently denounced by its creators.

The cyber attacks by Cicada3301 were first detected on June 6, with an official announcement made on June 29 on the RAMP forum. This suggests that the group was operating independently before it began recruiting partners.

Employing double extortion tactics, Cicada3301 infiltrates corporate networks to steal data before encrypting devices. The group then uses encryption keys and the threat of data exposure to coerce victims into paying a ransom.

Truesec highlighted striking similarities between Cicada3301 and Alphv/Blackcat, indicating that Cicada3301 might be a rebranded version of Alphv or a spin-off created by former members. Both groups write their malware in Rust, use the ChaCha20 encryption algorithm, and run similar commands for shutting down virtual machines and deleting images.

Cicada3301 initiated its attacks using compromised credentials for the ScreenConnect remote access software. Truesec also uncovered a link between the group's IP address and the Brutus botnet, which has previously been involved in large-scale attacks on VPN devices from Cisco, Fortinet, Palo Alto, and SonicWall.

Of particular note is Cicada3301's focus on attacking VMware ESXi environments, employing a specialized key for encryption. The group combines the ChaCha20 stream cipher with RSA encryption to encrypt files, with a specific emphasis on certain file extensions and large files.

Additionally, Cicada3301 employs techniques to hinder data recovery after the attack, such as encrypting VMware ESXi virtual machines without first shutting them down, which complicates the restoration process.
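The sequence of shutting down virtual machines and deleting their images described above leaves traces in the ESXi host's shell log, and a burst of such commands within a few minutes is a useful detection signal. The following is an added example, not code from the report or from any vendor tool; the log line format and the exact esxcli / vim-cmd command strings are assumptions about what that sequence looks like on a host.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the style of ESXi /var/log/shell.log (format assumed).
SAMPLE_LOG = """\
2024-06-06T02:10:01Z shell[2001]: [root]: ls /vmfs/volumes
2024-06-06T02:11:14Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=1001
2024-06-06T02:11:15Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=1002
2024-06-06T02:11:16Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=1003
2024-06-06T02:11:20Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.removeall 7
2024-06-06T02:11:21Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.removeall 8
2024-06-06T02:11:22Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.removeall 9
2024-06-06T02:40:00Z shell[2001]: [root]: vim-cmd vmsvc/getallvms
"""

LINE_RE = re.compile(r"^(\S+) shell\[\d+\]: \[(\w+)\]: (.*)$")

# Commands that stop VMs (releasing locks on their disk files) and delete
# snapshots (removing rollback points): the pre-encryption steps the report describes.
DESTRUCTIVE = (
    re.compile(r"\besxcli vm process kill\b"),
    re.compile(r"\bvim-cmd vmsvc/snapshot\.remove"),
)

def parse_shell_log(text):
    """Return (timestamp, user, command) tuples for well-formed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3)))
    return events

def find_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Flag each run of >= threshold destructive commands inside one window;
    admins rarely kill several VMs and wipe snapshots within minutes."""
    hits = [e for e in events if any(p.search(e[2]) for p in DESTRUCTIVE)]
    alerts, i = [], 0
    while i < len(hits):
        start = hits[i][0]
        run = [h for h in hits[i:] if h[0] - start <= window]
        if len(run) >= threshold:
            alerts.append({"start": start, "user": hits[i][1],
                           "count": len(run), "commands": [h[2] for h in run]})
            i += len(run)  # skip past this burst
        else:
            i += 1
    return alerts
```

On the constructed sample this reports one burst of six commands by root; tune `window` and `threshold` to the host's normal maintenance pattern before alerting on it.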
