Cicada3301 ransomware affiliate program infiltrated by security researchers

Submitted by Style Pass on 2024-10-20 00:30:04

The Cicada3301 ransomware-as-a-service (RaaS) group had its affiliate program infiltrated by Group-IB researchers, who shared new details about the gang’s affiliate panel and ransomware strains in a report published Thursday.

Cicada3301 began recruiting affiliates in late June 2024 and has since claimed at least 30 victims, mostly in the United States and United Kingdom. The group gained attention in September due to analyses that found several similarities between Cicada3301’s ransomware and that of the defunct ALPHV/BlackCat ransomware gang.

It is still unclear whether Cicada3301 is an ALPHV/BlackCat rebrand or whether the group purchased ALPHV/BlackCat’s source code when it was put up for sale earlier this year. Group-IB’s report also mentions “very strong similarities,” with key differences including far fewer command-line options, differences in access key use, no embedded configuration and slight differences in the ransom note naming convention.

The report also provided a detailed overview of the features available to Cicada3301 affiliates via the affiliate panel, including the ability to easily manage victim companies and customize attacks for each victim.
