Emergence of Repellent Scorpius: Distributors of Cicada3301 Ransomware

Cicada3301 Ransomware
Batch script with multiple ransomware command executions. | Image: Unit 42

A ransomware-as-a-service (RaaS) group known as Repellent Scorpius has surfaced, actively distributing the Cicada3301 ransomware. First identified in May 2024, this group has quickly ramped up its operations by employing a multi-extortion model—stealing sensitive data and encrypting systems, then threatening to release the data if the ransom is not paid publicly.

According to a Unit 42 report, Repellent Scorpius operates an affiliate program, recruiting partners on cybercrime forums and establishing itself as a growing force in the ransomware ecosystem. The group employs Cicada3301 ransomware, drawing inspiration from the infamous and mysterious 3301 puzzles, which baffled cryptographers and enthusiasts alike in the early 2010s. Despite their recent debut, the group is believed to have access to data from older compromise incidents, indicating that they may have either inherited or purchased this information from other cybercriminal organizations.

Repellent Scorpius

Cicada3301 leak site as of July 2024 | Image: Unit 42

Repellent Scorpius is distinguished by its use of double extortion, encrypting files while exfiltrating data for added leverage. The group’s affiliate program includes a dedicated control panel for managing operations, victim ransom payment pages, and tools for initial access brokers (IABs). The affiliates primarily utilize Remote Desktop Protocol (RDP) with stolen credentials and employ legitimate tools like PsExec and Rclone for lateral movement and exfiltration, respectively.

Interestingly, Repellent Scorpius has imposed restrictions on their operations—partners are prohibited from targeting countries within the Commonwealth of Independent States (CIS), reflecting the group’s probable roots in Russian-speaking cybercrime forums.

Unit 42 has linked Repellent Scorpius to data exfiltration incidents that predate their emergence under the Cicada3301 banner. This suggests that the group may have evolved from other ransomware families or acquired data from older attacks. Additionally, an updated version of their encryptor, discovered in July 2024, shows a shift in tactics, including new features to avoid ransom note creation and enhanced methods to evade detection.

The rapid evolution of Repellent Scorpius and the sophisticated Cicada3301 ransomware poses a growing threat. As the group continues to recruit affiliates and broaden its victim base, security experts anticipate an increase in ransomware attacks. Organizations are urged to enhance their defenses and stay vigilant against this emerging menace.

Related Posts: