From Windows to Linux to ESXi: The Cicada3301 Ransomware Hits Them All

Cicada3301 RaaS
Console logs with –ui option | Image: Group-IB

A sophisticated ransomware group, Cicada3301, has rapidly risen to prominence in the cybercrime landscape, targeting critical infrastructure sectors across the globe. First identified in June 2024, the Cicada3301 ransomware-as-a-service (RaaS) group has already claimed 30 victims, primarily in the United States and the United Kingdom, with stolen data from these organizations published on its dedicated leak site (DLS). According to a detailed report by Group-IB, this group operates an advanced affiliate program that recruits penetration testers and access brokers to carry out attacks.

The Cicada3301 ransomware group takes its name from an infamous cryptographic puzzle organization that surfaced in 2012. Known for its intellectual and cryptographic challenges, the original Cicada3301 captivated global attention. However, the new ransomware group borrows little more than the name, focusing instead on infiltrating high-value targets and deploying advanced ransomware attacks. “Since its discovery in June 2024, Cicada3301 has rapidly targeted 30 organizations across critical sectors,” the report states.

One of the standout features of the Cicada3301 ransomware is its versatility across multiple platforms. Written in Rust, the ransomware is designed to target Windows, Linux, ESXi, and NAS systems, including support for uncommon architectures like PowerPC. This flexibility makes Cicada3301 a formidable threat capable of compromising a wide array of systems.

Cicada3301’s affiliate program offers a 20% commission to cybercriminals who participate in the scheme, and affiliates must pass a “mini-interview” to gain access. The report describes the group’s tactics, noting that the ransomware “shuts down virtual machines on ESXi and Hyper-V, terminates processes, deletes shadow copies, and encrypts network shares to maximize disruption”. These actions are designed to cripple the targeted organization’s infrastructure, increasing pressure to pay the ransom.

In addition, the ransomware uses ChaCha20 and RSA encryption with configurable modes (Full, Fast, Auto) to either fully or partially encrypt files. This ensures that the attack not only disrupts the target but also encrypts critical data to hold organizations hostage.

Group-IB researchers successfully infiltrated the affiliate panel of Cicada3301, gaining a rare glimpse into the group’s inner workings. The web-based panel, accessible only via Tor, provides affiliates with tools to customize ransomware attacks, manage victim communications, and even create their own sub-affiliate accounts. This highly organized infrastructure enables affiliates to launch targeted attacks efficiently and track their success through features such as a locker builder, chat support, and victim management.

With the ability to attack systems across multiple platforms and recruit skilled cybercriminals, Cicada3301 is quickly becoming one of the most dangerous ransomware groups operating today. The group’s dedicated leak sites have already exposed sensitive data from industries including healthcare, government, and technology, emphasizing the need for organizations to bolster their cybersecurity defenses.

Group-IB’s report concludes that “the emergence of Cicada3301 underscores the evolving threats organizations face from ransomware groups that are increasingly professional, resourceful, and bold”. As the group continues to expand its operations, organizations must adopt multi-layered defenses and proactive threat intelligence to mitigate the risks posed by this highly capable adversary.

Related Posts: