Ransomware

Threat Operation Behind Cicada3301 Ransomware Delivery Examined

A computer popup box screen warning of a system being hacked, compromised software environment.

Newly-emergent Cicada3301 ransomware has been primarily distributed by the novel Repellent Scorpius ransomware-as-a-service operation, which has sought new affiliates since its emergence in May, according to SiliconAngle.

Attacks by Repellent Scorpius involving data theft and encryption commenced a month before the arrival of Cicada3301, with the source of data acquired by the group before the ransomware strain's emergence still uncertain, a report from Palo Alto Networks Unit 42 showed. However, further analysis revealed that Repellent Scorpius leveraged an IP address associated with the ALPHV/BlackCat ransomware operation. Such findings, which follow a Morphisec report detailing similarities between Cicada3301 and ALPHV/BlackCat, also noted Repellent Scorpius' potential ramping up of malicious operations amid ongoing affiliate and initial access broker recruitment efforts.

"We can expect to see attackers posting a growing list of active incidents and victims on their leak site in the near future," said researchers.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

You can skip this ad in 5 seconds