Cicada3301
Cicada3301 is a ransomware group first detected in June 2024. Reporting describes it as operating a ransomware-as-a-service (RaaS) model and assesses that it is either a rebranded or derivative version of ALPHV/BlackCat, although a direct relationship remains unverified. Technical analysis cited in the sources found multiple overlaps with ALPHV, including nearly identical commands for shutting down virtual machines and deleting snapshots, and a similar file-naming convention.

The ransomware is written in Rust and targets Windows and Linux/ESXi environments; the Linux variant is an ELF binary. It encrypts files with ChaCha20 and protects the generated encryption key with an embedded RSA public key. Files smaller than 100 MB are encrypted in full, while larger files are encrypted in parts. The malware accepts parameters including "sleep" (delay execution) and "ui" (display encryption progress), and it requires a correct "key" parameter; without one it stops running. The sources also note an embedded ransom note that is stored encoded and encrypted, and a routine that checks whether decryption works.

Observed initial access is believed to involve the Brutus botnet, with attackers using stolen or brute-forced credentials via ScreenConnect; an IP address associated with the activity was linked to Brutus infrastructure. Victim reporting includes a claim that Pacific Biolabs was attacked by Cicada3301, with 900 GB allegedly exfiltrated. Separate reporting lists Cicada3301 among ransomware groups active in Japan in the first half of 2025, where it was associated with two incidents. Alias: cicada3301.
Tradecraft
6 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Cicada3301 is a ransomware group responsible for two incidents in Japan in the first half of 2025.
RaaS/extortion group claiming very large data exfiltration against a life sciences testing company.
A ransomware-as-a-service group first detected in June 2024. It appears to be a rebrand or derivative of ALPHV, targeting Windows and Linux/ESXi environments with Rust-based ransomware.
Newer ransomware operation (emerged mid-2024) reported to share tooling and behaviors with ALPHV; the relationship is unverified (possible copy, purchase, or rebrand).