Cybersecurity researchers have uncovered significant insights into a new ransomware-as-a-service (RaaS) group known as Cicada3301, following their successful infiltration of the group’s affiliate dashboard on the dark web.
Group-IB, a Singapore-based cybersecurity firm, revealed that they established contact with Cicada3301's operators through the RAMP cybercrime forum using the Tox messaging service. This came after the group put out a call for new affiliates, inviting penetration testers (pentesters) and access brokers into their fold.
The Cicada3301 affiliate panel, as described by researchers Nikolay Kichatov and Sharmine Low, features a range of sections including Dashboard, News, Companies, Chat Companies, Chat Support, Account, and an FAQ section. These tools offer affiliates extensive support to orchestrate ransomware attacks.
First identified in June 2024, Cicada3301 is a cross-platform Rust-based ransomware that has already compromised at least 30 organizations across critical sectors in the U.S. and the U.K. Experts have observed strong code similarities between Cicada3301 and the now-defunct BlackCat ransomware group.
What makes Cicada3301 particularly dangerous is its ability to target multiple operating systems, including Windows, Linux distributions (such as Ubuntu, Debian, CentOS, SUSE, and Fedora), ESXi, and NAS systems, among others. This versatility expands its attack surface significantly, allowing affiliates to deploy the ransomware across a wide range of environments.
Once inside a victim's environment, Cicada3301 encrypts files, but not before taking steps to maximize its impact: shutting down virtual machines, inhibiting system recovery, terminating services, and deleting shadow copies. The ransomware is also capable of encrypting network shares, amplifying the damage caused to victim organizations.
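The pre-encryption steps described above (deleting shadow copies and inhibiting system recovery) are among the most detectable moments of a ransomware intrusion, because they surface as process-creation events on the endpoint. The following is an added illustration, not code from the article or from Group-IB, of how a defender might flag those behaviours in process-creation telemetry. It uses generic, well-known Windows command patterns catalogued under MITRE ATT&CK T1490 (Inhibit System Recovery); the article does not state which exact commands Cicada3301 runs, so the rules are not specific to it, and the sample events are constructed for the example.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# These are made up for this example, not data from the article or any incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice",
     "cmdline": "notepad.exe report.txt"},
    {"host": "srv02", "user": "SYSTEM",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv02", "user": "SYSTEM",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "srv02", "user": "SYSTEM",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws03", "user": "bob",
     "cmdline": "vssadmin.exe list shadows"},   # benign: listing, not deleting
]

# Generic T1490 indicators. Each rule is (technique tag, regex over the command line).
# Assumption: these are standard recovery-inhibition commands, not Cicada3301-specific.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_disabled",    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("backup_catalog_deleted", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
]


def classify(event):
    """Return the list of technique tags whose rule matches this event's command line."""
    return [tag for tag, rx in RULES if rx.search(event["cmdline"])]


def detect(events):
    """Run every rule over every event and return one alert per (event, tag) match."""
    alerts = []
    for ev in events:
        for tag in classify(ev):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "tag": tag, "cmdline": ev["cmdline"]})
    return alerts


def hosts_with_multiple_techniques(alerts, threshold=2):
    """Hosts on which at least `threshold` distinct recovery-inhibition techniques fired.
    Several different techniques on one host in a short window is a much stronger
    ransomware-staging signal than any single command, which admins occasionally run."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["tag"])
    return sorted(h for h, tags in by_host.items() if len(tags) >= threshold)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['tag']}] {a['host']} {a['user']}: {a['cmdline']}")
    print("hosts to escalate:", hosts_with_multiple_techniques(found))
```

In a real deployment the same logic would sit in a SIEM or EDR rule, and the escalation step would also correlate with the other behaviours the article lists (mass service termination, VM shutdown on hypervisors) rather than command lines alone.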
Affiliates of Cicada3301 are incentivized through a 20% commission on successful attacks. The web-based affiliate panel offers a variety of functionalities, including the ability to add new victims, create ransomware builds, and negotiate with victims directly. The affiliate dashboard allows users to monitor the progress of attacks, check for updates, and communicate with representatives of the Cicada3301 group for support.
Key sections of the affiliate panel include:
The Cicada3301 RaaS program stands out for its use of ChaCha20 + RSA encryption and its emphasis on data exfiltration prior to encryption, which adds pressure on victims to pay the ransom. Furthermore, the ransomware can halt virtual machines, amplifying the damage and disruption caused by the attacks.
With its advanced tooling and sophisticated operations, Cicada3301 has quickly emerged as a major player in the ransomware landscape. By offering a customizable affiliate platform, it empowers cybercriminals to launch highly targeted ransomware attacks, making it a significant threat to organizations worldwide.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067