Inside Cicada3301: The Rising Ransomware Group and Its Affiliate Program

Cybersecurity researchers have uncovered new details about the ransomware-as-a-service (RaaS) operation known as Cicada3301. The group’s affiliate program, which was accessed via the dark web, sheds light on the inner workings of this emerging threat.

The investigation began after the research team responded to an advertisement Cicada3301 had posted on a cybercrime forum seeking partners for its affiliate program and made contact with the group.

This access provided a rare glimpse into their affiliate dashboard, which included sections like a control panel, news updates, company targets, chat support, and tools for managing ransomware builds and negotiations with victims.

Cicada3301 first surfaced in June 2024, and its ransomware operation shares many similarities with the defunct BlackCat group, particularly in its source code. To date, the group is believed to have compromised at least 30 organizations, primarily in the U.S. and U.K., across key sectors.

The ransomware itself is built using Rust, making it cross-platform and capable of targeting multiple operating systems, including Windows, Linux, ESXi, and even PowerPC architectures.

This broad compatibility allows affiliates to launch attacks on a wide variety of devices and servers. Cicada3301’s attacks typically involve disabling virtual machines, halting recovery processes, and encrypting network shares to maximize damage.

One of the unique aspects of Cicada3301’s operation is its affiliate program, which recruits penetration testers and access brokers, offering a 20% commission.

The group provides affiliates with a user-friendly web-based panel that enables them to create ransomware builds, add victims, set ransom demands, and communicate directly with the victims and Cicada3301 representatives.

The affiliate panel’s structure includes sections for tracking successful or failed attacks, product updates, and management tools. Affiliates can also negotiate ransom payments, view detailed information about each victim, and receive technical support from the Cicada3301 team.

The researchers emphasized the sophistication of Cicada3301’s operations, noting the use of ChaCha20 and RSA encryption methods and its strategy of exfiltrating data before encryption. This tactic, combined with its ability to disable virtual machines, makes the attacks particularly devastating.

To mitigate the risks posed by groups like Cicada3301, organizations should prioritize regular software updates, maintain robust (and offline or immutable) backups, and enforce strong multi-factor authentication. It is also essential to monitor network traffic for unusual activity, such as large outbound transfers that may indicate data exfiltration ahead of encryption, and to implement proper network segmentation.
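The article notes that Cicada3301 exfiltrates data before encrypting and recommends monitoring network traffic for unusual activity. The following is an added illustration of one such monitoring check, written for this page and not taken from the researchers' report or from any Cicada3301 tooling. It assumes a simplified whitespace-separated flow-record format (timestamp, source IP, destination IP, destination port, bytes), a hypothetical allowlist of known external services, and a hypothetical volume threshold; the sample records are constructed and contain no real indicators.

```python
"""Toy exfiltration-volume detector over constructed flow records (added example).

Flags internal hosts that send an unusually large volume of data to a single
external destination that is not on the organisation's allowlist.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records: one flow per line, not real traffic.
# Format: <timestamp> <src_ip> <dst_ip> <dst_port> <bytes>
SAMPLE_FLOWS = """\
2024-06-12T01:02:03Z 10.0.5.21 203.0.113.40 443 400000000
2024-06-12T01:05:10Z 10.0.5.21 203.0.113.40 443 450000000
2024-06-12T01:09:44Z 10.0.5.21 203.0.113.40 443 380000000
2024-06-12T01:10:00Z 10.0.5.22 198.51.100.10 443 900000000
2024-06-12T01:11:00Z 10.0.5.23 203.0.113.40 443 15000
2024-06-12T01:12:00Z 203.0.113.40 10.0.5.21 443 5000000
2024-06-12T01:13:00Z 10.0.5.21 10.0.9.8 445 800000000
"""

# RFC 1918 ranges treated as "inside" the organisation.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Hypothetical allowlist: e.g. the organisation's own backup or SaaS provider.
KNOWN_SERVICES = {"198.51.100.10"}


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list[dict]:
    """Parse the simplified flow format into dicts; blank/comment lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def outbound_volume(flows: list[dict], allowlist: set[str]) -> dict[tuple[str, str], dict]:
    """Sum bytes per (internal source, external destination), ignoring
    inbound traffic, internal-to-internal traffic and allowlisted services."""
    totals: dict[tuple[str, str], dict] = defaultdict(lambda: {"bytes": 0, "flows": 0})
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # only internal -> external matters here
        if f["dst"] in allowlist:
            continue  # known-good destination
        key = (f["src"], f["dst"])
        totals[key]["bytes"] += f["bytes"]
        totals[key]["flows"] += 1
    return totals


def detect_exfiltration(flows: list[dict], threshold_bytes: int = 500_000_000,
                        allowlist: set[str] = KNOWN_SERVICES) -> list[dict]:
    """Return alerts for (src, dst) pairs exceeding the threshold, largest first.

    The 500 MB default is a hypothetical value; a real deployment would derive
    it from the host's historical baseline rather than a fixed constant."""
    alerts = []
    for (src, dst), agg in outbound_volume(flows, allowlist).items():
        if agg["bytes"] >= threshold_bytes:
            alerts.append({"src": src, "dst": dst,
                           "bytes": agg["bytes"], "flows": agg["flows"]})
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


if __name__ == "__main__":
    for alert in detect_exfiltration(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {alert['src']} -> {alert['dst']}: "
              f"{alert['bytes']:,} bytes over {alert['flows']} flows")
```

In the constructed data only 10.0.5.21 trips the check: its three sessions to 203.0.113.40 add up to about 1.23 GB, while the 900 MB transfer to the allowlisted service, the inbound flow, and the large SMB transfer to another internal host (which would belong to a separate check for mass share encryption) are all ignored. Aggregating per source/destination pair rather than per flow is what catches exfiltration split across many connections.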