3 September 2024

New Cicada ransomware targets VMware ESXi servers, impersonates Cicada 3301 group

A new ransomware-as-a-service (RaaS) operation known as Cicada3301 has emerged on the threat landscape, targeting VMware ESXi servers worldwide. The operation, which has quickly amassed 19 victims, impersonates the legitimate Cicada 3301 organization—a mysterious group famous for its cryptographic puzzles that captivated the internet between 2012 and 2014.

The new ransomware group, which shares the same name and logo as the original Cicada 3301, has no actual connection to the legitimate organization. The real Cicada 3301 has issued a statement denying any connection to the ransomware attacks.

The Cicada3301 RaaS began promoting its operation and recruiting affiliates on June 29, 2024, through a post on the notorious RAMP cybercrime forum. However, reports indicate that the group had already been conducting attacks as early as June 6, suggesting that they operated independently before recruiting affiliates.

Like many ransomware groups, Cicada3301 employs a double-extortion tactic, breaching corporate networks, stealing sensitive data, and then encrypting devices. Victims are then threatened with the release of stolen data unless a ransom is paid.

An analysis by cybersecurity firm Truesec has revealed overlaps between Cicada3301 and the ALPHV/BlackCat ransomware, which suggests that Cicada3301 may be a rebrand or a fork of ALPHV. Both ransomware variants share several technical characteristics, including being written in Rust, using the ChaCha20 encryption algorithm, and employing identical commands for virtual machine shutdowns and snapshot wiping. The two also share similar command interfaces, file naming conventions, and ransom note decryption methods.

The ALPHV ransomware group pulled a major exit scam in March 2024 after stealing $22 million from Change Healthcare.

In addition, Truesec's analysis suggests that the Cicada3301 operation may be utilizing the Brutus botnet to gain initial access to corporate networks. Brutus, a botnet linked to large-scale VPN brute-forcing campaigns, has been active since at least March 2024 and has targeted VPN appliances from vendors like Cisco, Fortinet, Palo Alto, and SonicWall.

The Cicada3301 ransomware is written in Rust and is designed to target both Windows and Linux/ESXi environments. While more ransomware groups are adding ESXi ransomware to their arsenal, only a few have developed ransomware written in Rust, with the now-defunct BlackCat/ALPHV being one of them.

Cicada3301 uses valid credentials, either stolen or brute-forced, to gain initial access to networks via tools like ScreenConnect. An IP address attributed to the threat actor has also been tied to the Brutus botnet, which is associated with broad password-guessing campaigns against various VPN solutions, including ScreenConnect.
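As an added defender-side example (not from the article or from Truesec's analysis): the article notes that Cicada3301 and ALPHV use the same commands to shut down virtual machines and wipe snapshots before encrypting ESXi hosts, which makes the ESXi shell log a natural detection point. The commands matched below are the standard ESXi administration commands for those actions (an assumption, since the article does not name them), and the log lines are constructed to approximate the `/var/log/shell.log` format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of ESXi shell.log lines (not taken from the article or Truesec).
# Format approximates ESXi 7: "<ISO time> shell[<pid>]: [<user>]: <command>".
SAMPLE_SHELL_LOG = """\
2024-06-06T02:14:03Z shell[20481]: [root]: vim-cmd vmsvc/getallvms
2024-06-06T02:14:09Z shell[20481]: [root]: vim-cmd vmsvc/power.off 12
2024-06-06T02:14:10Z shell[20481]: [root]: vim-cmd vmsvc/power.off 13
2024-06-06T02:14:11Z shell[20481]: [root]: esxcli vm process kill --type=force --world-id=2100321
2024-06-06T02:14:15Z shell[20481]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2024-06-06T02:14:16Z shell[20481]: [root]: vim-cmd vmsvc/snapshot.removeall 13
2024-06-06T09:30:00Z shell[30112]: [root]: vim-cmd vmsvc/power.off 7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# Assumed standard ESXi commands: stopping VMs releases their disk files for encryption,
# removing snapshots defeats rollback. A burst of both in one session is the signal.
STOP_RE = re.compile(r"vim-cmd vmsvc/power\.off|esxcli vm process kill")
SNAP_RE = re.compile(r"vim-cmd vmsvc/snapshot\.removeall")

def parse(log_text):
    """Yield (timestamp, pid, user, command) for each well-formed shell.log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["pid"], m["user"], m["cmd"]

def find_esxi_mass_shutdown(log_text, window=timedelta(minutes=5), min_stops=2):
    """Return one finding per shell session that issues at least `min_stops` VM stop
    commands and at least one snapshot wipe within `window`; a lone power-off is normal."""
    sessions = defaultdict(list)
    for ts, pid, user, cmd in parse(log_text):
        sessions[(pid, user)].append((ts, cmd))
    findings = []
    for (pid, user), events in sessions.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = [c for t, c in events[i:] if t - start <= window]
            stops = sum(1 for c in burst if STOP_RE.search(c))
            snaps = sum(1 for c in burst if SNAP_RE.search(c))
            if stops >= min_stops and snaps >= 1:
                findings.append({"pid": pid, "user": user, "start": start.isoformat(),
                                 "vm_stops": stops, "snapshot_wipes": snaps})
                break  # one finding per session is enough to raise the alert
    return findings

if __name__ == "__main__":
    for f in find_esxi_mass_shutdown(SAMPLE_SHELL_LOG):
        print("ALERT: possible pre-encryption VM shutdown on ESXi host:", f)
```

The single power-off at 09:30 in the sample is deliberately left unflagged; tune `window` and `min_stops` to the host's normal maintenance pattern.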

