Cicada3301 is a ransomware operation first detected in June 2024 and described as operating under a ransomware-as-a-service (RaaS) model. Reporting cited in the source says it appears to be either a rebrand or derivative of ALPHV/BlackCat, although the direct relationship remains unverified. It emerged in mid-2024 and was listed among the more common ransomware variants observed in Q3 2024, accounting for 5% in one cited ranking, and was also reported in incidents affecting organizations in Japan in 2025.
The malware is written in Rust and targets both Windows and Linux/ESXi environments. The Linux variant is an ELF binary, with its Rust origin confirmed through embedded strings and the .comment section. Technical analysis described multiple overlaps with ALPHV, including nearly identical command structures used to shut down virtual machines and delete snapshots, as well as a similar file-naming convention.
Cicada3301 uses ChaCha20 for file encryption and protects the generated encryption key with an RSA public key. Files smaller than 100 MB are encrypted in full, while files larger than 100 MB are encrypted partially. The protected key and a specific file extension are appended to encrypted files. Reported functionality includes a linux_enc routine that starts Linux encryption and generates a random key via OsRng. The malware also supports command-line parameters including sleep, which delays execution, and ui, which displays encryption progress. A key parameter is required for a decryption-related validation routine; if the key is missing or incorrect, execution stops. The binary reportedly contains an encoded and encrypted ransom note that is decrypted using the provided key as part of a decryption check routine.
Observed initial access in attacks linked to Cicada3301 was assessed to involve the Brutus botnet. The source states that attackers used stolen or brute-forced credentials via ScreenConnect, and that an IP address associated with observed activity was tied to Brutus infrastructure. This raised the possibility of a connection between Brutus operators and Cicada3301, but no definitive attribution was established in the provided content.
High-confidence associations in the source are limited to ransomware activity and technical similarities to ALPHV. The content does not provide a definitive threat-actor attribution, victimology beyond reported presence in general ransomware trend reporting and incidents in Japan, or specific file extensions, ransom note text, hashes, or other concrete IOCs for Cicada3301.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
3 distinct techniques documented for this family, organized by ATT&CK tactic.
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Cicada3301 is a ransomware group responsible for at least two incidents in Japan in the first half of 2025.
Ransomware operation referenced as active in Q2 2025 (no additional detail provided).
A ransomware family appearing as a new top variant by market share in Q3 2024.
Rust-based ransomware targeting Windows and Linux/ESXi environments. It uses ChaCha20 for file encryption, encrypts large files partially and smaller files fully, secures the ChaCha20 key with an RSA public key, and includes functionality for delaying execution, displaying encryption progress, shutting down VMs, removing snapshots, and validating decryption via an embedded ransom note check.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.