Cicada3301 ransomware’s Linux encryptor targets VMware ESXi systems

September 1, 2024 at 12:39PM

Cicada3301 is a new ransomware-as-a-service (RaaS) operation with 19 victims listed on its portal. It conducts double-extortion tactics, utilizing data theft as leverage. The malware overlaps with ALPHV/BlackCat, employing similar encryption methods. It may have ties to the Brutus botnet and targets VMware ESXi setups, causing significant damage to enterprise environments for maximum impact on victims.

Key takeaways:

– A new ransomware-as-a-service (RaaS) operation named Cicada3301 has attacked companies worldwide and already has 19 victims listed on its extortion portal.
– The operation conducts double-extortion tactics by breaching corporate networks, stealing data, and then encrypting devices. The encryption key and threats to leak stolen data are used to scare victims into paying a ransom.
– Truesec's analysis suggests significant overlaps between Cicada3301 and ALPHV/BlackCat, indicating a possible rebrand or a fork created by former members of ALPHV's core team.
– Cicada3301 may partner with or utilize the Brutus botnet for initial access to corporate networks.
– The ransomware operation targets specific file extensions matching documents and media files and uses intermittent encryption based on file sizes.
– Cicada3301 focuses on ESXi environments, aiming to maximize damage in enterprise environments: encrypting the hypervisor hits every virtual machine it hosts, so a single compromised host can take down entire networks and infrastructures.
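The intermittent-encryption behaviour noted above matters for defenders because a partially encrypted file does not look uniformly random the way a fully encrypted one does, so a naive whole-file entropy check can miss it. The following Python script is an added illustration of one way to flag that pattern; it is not code from the article, from Truesec, or from the malware. The chunk size (4096 bytes) and the entropy thresholds are assumptions chosen for the demonstration, not values taken from any Cicada3301 sample, and the three input files are constructed inline.

```python
"""Chunked Shannon-entropy scan to flag files that look partially encrypted.

Added example (not from the article). Chunk size and thresholds below are
assumed values for demonstration; tune them against your own baseline.
"""
import math
import random
from collections import Counter

CHUNK_SIZE = 4096      # assumed scan granularity, not a value from the article
HIGH_ENTROPY = 7.5     # bits/byte; near 8.0 means random-looking bytes
LOW_ENTROPY = 6.0      # documents and text usually fall well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size slice of the file, in order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Label a file as 'plaintext', 'fully_encrypted' or 'intermittent'.

    'intermittent' means the file mixes random-looking chunks with
    low-entropy chunks, the signature left by partial encryption of a
    document that was low-entropy to begin with.
    """
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return "plaintext"
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    low = sum(1 for e in ents if e <= LOW_ENTROPY)
    if high == len(ents):
        return "fully_encrypted"
    if high and low:
        return "intermittent"
    return "plaintext"


def scan_file(path: str) -> str:
    """Read a file from disk and classify it (convenience wrapper)."""
    with open(path, "rb") as fh:
        return classify(fh.read())


# --- constructed sample inputs (not real victim files) --------------------
_SENTENCE = b"The quick brown fox jumps over the lazy dog. "
_TEXT_CHUNK = (_SENTENCE * 200)[:CHUNK_SIZE]          # low-entropy document text
_rng = random.Random(1234)                             # seeded so results repeat
_RANDOM_CHUNK = _rng.randbytes(CHUNK_SIZE)             # stands in for ciphertext

SAMPLE_PLAINTEXT = _TEXT_CHUNK * 8
SAMPLE_ENCRYPTED = _rng.randbytes(CHUNK_SIZE * 8)
# Alternate untouched and "encrypted" blocks, as intermittent encryption does.
SAMPLE_INTERMITTENT = b"".join(
    _TEXT_CHUNK if i % 2 == 0 else _RANDOM_CHUNK for i in range(8)
)


if __name__ == "__main__":
    for name, blob in (("plaintext", SAMPLE_PLAINTEXT),
                       ("encrypted", SAMPLE_ENCRYPTED),
                       ("intermittent", SAMPLE_INTERMITTENT)):
        ents = chunk_entropies(blob)
        print(f"{name:13s} -> {classify(blob):16s} "
              f"min={min(ents):.2f} max={max(ents):.2f}")
```

Two caveats apply when running this over real data. Files that are already compressed (archives, JPEGs, most video, and therefore many of the "media files" such operations target) are high-entropy before any encryption, so the scan cannot tell encrypted from merely compressed content and should be paired with magic-byte or extension checks. And a threshold scan is evidence, not proof: it is most useful as a triage signal on ESXi datastores or file shares after an incident, or as a periodic check that feeds alerts when previously low-entropy documents suddenly show random-looking chunks.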
