Cicada3301, named after an online cryptography game, is a new threat actor in the cybersecurity landscape and distributes a ransomware family of the same name. The group primarily targets VMware ESXi environments, where it shuts down virtual machines (VMs), deletes snapshots, and encrypts data. The first data leak site post attributed to the group was detected on June 25; four days later, an invitation to potential affiliates to join its platform appeared on the cybercrime forum Ramp. There is speculation about a possible connection between Cicada3301, ALPHV, and another entity called Repellent Scorpius, especially because the latter emerged after ALPHV's Ransomware-as-a-Service (RaaS) operation shut down in March.
Repellent Scorpius has emerged as a new threat group that distributes the Cicada3301 ransomware. This group operates as a Ransomware-as-a-Service (RaaS) entity, contributing to the distribution and evolution of the Cicada3301 ransomware. Despite the original owners of the Cicada3301 game distancing themselves from this new RaaS group, there's ongoing debate among cybersecurity researchers about potential links between these entities. Some suggest that the source code for the ransomware could have been purchased by a separate group following the shutdown of the original RaaS operation.
In response to the Cicada3301 threat, security products such as Cortex XDR and Prisma Cloud have added detection and prevention measures. Cortex XDR can detect and prevent the Cicada3301 ransomware, while Prisma Cloud can identify known Cicada3301 ransomware binaries executed in cloud environments through the Cloud Security Agent (CSA). However, because the Cicada3301 ransomware is new, its tactics, techniques, and procedures (TTPs) are expected to evolve over time, so defenders need ongoing vigilance and adaptation beyond hash-based detection of known binaries.
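The behaviour described above (mass VM shutdown followed by snapshot deletion on an ESXi host) is a pattern a defender can look for in hypervisor audit data regardless of which binary is used, complementing the signature-based detection the products above provide. The following is an added example, not code from the page, from Palo Alto Networks, or from any vendor product: it correlates constructed audit events per host and alerts when several distinct VMs are powered off inside a short window and at least one of them also has its snapshots removed. The log line format, the event names (`vm.power.off`, `vm.snapshot.remove`), the five-minute window and the three-VM threshold are all assumptions chosen for illustration.

```python
"""Heuristic detection of mass VM shutdown plus snapshot deletion on an ESXi host.

Added example. The audit log format and event names are constructed for this
illustration; they are not a vendor format and are not taken from the Cicada3301
write-up. Tune the window and threshold to your own environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (assumed format):
#   "<ISO-8601 timestamp> <host> <user> <event> <vm-name>"
# Lines 2-7 model the ransomware pattern; the first and last lines are benign noise.
SAMPLE_LOG = """\
2024-06-25T01:02:03Z esxi01 svc_backup vm.snapshot.create web-01
2024-06-25T03:10:00Z esxi01 root vm.power.off web-01
2024-06-25T03:10:04Z esxi01 root vm.power.off db-01
2024-06-25T03:10:09Z esxi01 root vm.power.off app-02
2024-06-25T03:10:15Z esxi01 root vm.snapshot.remove web-01
2024-06-25T03:10:16Z esxi01 root vm.snapshot.remove db-01
2024-06-25T03:10:17Z esxi01 root vm.snapshot.remove app-02
2024-06-25T09:00:00Z esxi02 admin vm.power.off test-01
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_events(text):
    """Parse the constructed audit format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, user, event, vm = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "user": user,
            "event": event,
            "vm": vm,
        })
    return events


def find_mass_shutdown_with_snapshot_removal(events, window=timedelta(minutes=5), min_vms=3):
    """Return one alert per host whose events show, inside `window`, power-off of at
    least `min_vms` distinct VMs and snapshot removal on at least one of those VMs.

    A single power-off (maintenance) or a snapshot cleanup without shutdowns does
    not trigger; only the combination within a short burst does.
    """
    alerts = []
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if start["event"] != "vm.power.off":
                continue
            powered_off, snapshots_removed = set(), set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                if e["event"] == "vm.power.off":
                    powered_off.add(e["vm"])
                elif e["event"] == "vm.snapshot.remove":
                    snapshots_removed.add(e["vm"])
            overlap = powered_off & snapshots_removed
            if len(powered_off) >= min_vms and overlap:
                alerts.append({
                    "host": host,
                    "start": start["ts"],
                    "powered_off": sorted(powered_off),
                    "snapshots_removed": sorted(overlap),
                })
                break  # one alert per host per burst; later bursts need a fresh scan
    return alerts


if __name__ == "__main__":
    for alert in find_mass_shutdown_with_snapshot_removal(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run as-is, the script raises one alert for `esxi01` (three VMs powered off and their snapshots removed within seventeen seconds) and stays silent for the single maintenance power-off on `esxi02`. In practice this logic would sit in a SIEM or XDR rule fed by the hypervisor's real audit source, with the window and threshold tuned so that scheduled patch reboots and backup-driven snapshot cleanups do not trip it.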
Description last updated: 2024-10-17T12:11:12.650Z