The newly emergent Cicada3301 ransomware has been distributed primarily by Repellent Scorpius, a novel ransomware-as-a-service operation that has sought new affiliates since its emergence in May, according to SiliconAngle.
Repellent Scorpius attacks involving data theft and encryption commenced a month before the arrival of Cicada3301, and the source of the data the group acquired before the ransomware strain's emergence remains uncertain, a report from Palo Alto Networks Unit 42 showed. However, further analysis revealed that Repellent Scorpius leveraged an IP address associated with the ALPHV/BlackCat ransomware operation. The findings, which follow a Morphisec report detailing similarities between Cicada3301 and ALPHV/BlackCat, also pointed to Repellent Scorpius potentially ramping up malicious operations amid ongoing affiliate and initial access broker recruitment efforts.
"We can expect to see attackers posting a growing list of active incidents and victims on their leak site in the near future," said researchers.