Overview
Cicada3301 is a ransomware-as-a-service operation that emerged in June 2024, recruiting affiliates on Russian-language criminal forums including RAMP. The group operates Rust-based ransomware targeting Windows, Linux, and VMware ESXi environments, with a leak site on Tor used for double-extortion pressure. In its first three months of operation, Cicada3301 claimed over 30 victims predominantly in the United States and United Kingdom.
The name is a reference to the cryptographic puzzle series that ran from 2012 to 2014, chosen presumably for its association with secrecy and technical sophistication. It has no connection to the puzzle’s original creators.
The group’s technical signature — Rust-based code, ESXi targeting via ChaCha20/RSA encryption, use of intermission parameters for controlled execution — bears substantial similarity to the ALPHV/BlackCat codebase. Researchers at Morphisec and Group-IB identified overlapping code patterns shortly after Cicada3301’s emergence, leading to widespread assessment that Cicada3301 either recruited BlackCat developers or is a direct evolution of that operation. ALPHV/BlackCat performed an exit scam in February 2024, disappearing with approximately $22 million in affiliate ransom payments — creating both displaced developers and a ready supply of experienced affiliates looking for a new programme.
Technical Capabilities
Ransomware architecture
Cicada3301’s encryptor is written in Rust — the same language choice as ALPHV/BlackCat, and for similar reasons. Rust produces highly portable binaries with minimal runtime dependencies, makes reverse engineering harder than C/C++ (particularly for decompiler-based analysis), and supports easy cross-compilation for Linux, Windows, and ESXi targets from a single codebase.
Encryption scheme: ChaCha20 for file content encryption, RSA for key protection. This hybrid scheme is efficient at scale and provides strong encryption if the RSA implementation is correct.
ESXi targeting: The Linux/ESXi variant targets .vmdk, .vmem, .vmsn, .vmsd, and .nvram files — the full set of files required to recover a VMware virtual machine. Before encrypting, the locker enumerates running VMs and uses esxcli vm process kill to terminate them, releasing file locks. This allows encryption to proceed on files that would otherwise be locked by the hypervisor.
intermission parameter: The encryptor accepts a --no-vm-ss flag to skip snapshot deletion and a configurable --sleep delay before execution. This allows affiliates to time encryption for maximum impact — typically outside business hours — and to suppress snapshot recovery options.
Self-propagation via PsExec: Windows variants use PsExec to propagate to network-accessible hosts, automating lateral spread across domain-joined environments without requiring manual deployment per host.
Encryption modes
Four modes are available to affiliates:
- Full: All file content encrypted. Slowest, most thorough
- Fast: Only the first N megabytes of each file encrypted. Sufficient to break file integrity while completing faster
- Auto: Adaptive mode — Full for small files, Fast for large files based on a configurable size threshold
- Append: Encrypts and appends to existing files rather than overwriting
The configurable mode is an affiliate-facing control that lets operators balance encryption speed against operational needs, particularly relevant for time-sensitive deployments.
Affiliate Program Structure
Cicada3301 recruits affiliates via RAMP and reportedly through direct outreach to experienced operators from disbanded or inactive programmes. The affiliate commission structure is competitive: affiliates retain 80% of ransom proceeds, with 20% going to the core operation. This matches or exceeds most established RaaS operations.
Affiliates receive:
- The Windows and Linux/ESXi encryptors, configurable per-campaign
- Access to the Tor-hosted data leak site for double-extortion
- Negotiation infrastructure and payment portals
- A management panel for campaign configuration and status
The group explicitly targets affiliates with existing access to enterprise networks — initial access broker relationships rather than operators who build their own access from scratch. This accelerates time-to-deployment and improves victim selection.
Targeting and Victim Profile
Cicada3301’s published victim set spans US and UK targets primarily in:
- Manufacturing and industrial: Mid-market manufacturers, industrial services firms
- Legal and professional services: Law firms and accounting practices — high-value for sensitive client data
- Healthcare adjacent: Medical services, dental groups, healthcare administration
- Critical infrastructure: The group explicitly targets this sector and has made public statements about avoiding hospitals while engaging other critical infrastructure
US targets represent approximately 60% of victims; UK victims are disproportionately represented given the overall population of English-language ransomware targets, suggesting active targeting or affiliate presence in the UK.
Average ransom demand based on disclosed negotiations ranges from $200,000 to $2.5 million, calibrated to victim revenue. There is no known public decryptor.
ALPHV/BlackCat Lineage Assessment
The code similarity evidence between Cicada3301 and ALPHV/BlackCat is substantial:
- Identical Rust codebase structure for ESXi targeting and VM enumeration
- Identical ChaCha20/RSA hybrid encryption implementation with matching key management logic
- Shared use of
intermissionpatterns and execution parameters - Comparable affiliate panel architecture
The timing — Cicada3301 launching four months after ALPHV’s February 2024 exit scam — is consistent with a team rebuilding under a new brand following the affiliate theft. The operational pattern (Russian forum recruitment, same ESXi focus, same target sectors) further supports direct lineage rather than independent development.
CISA has not formally attributed Cicada3301 to ALPHV operators, and the group has not made public statements about its origins. Unit 42 tracks the operation as Repellent Scorpius.
Detection and YARA
rule Cicada3301_Ransomware_Rust {
meta:
description = "Detects Cicada3301 ransomware based on string signatures"
author = "Ransomware Tracker"
date = "2026-06-14"
reference = "https://unit42.paloaltonetworks.com/repellent-scorpius-cicada3301-ransomware/"
strings:
$rust_manifest = "cicada3301" ascii
$esxi_kill = "esxcli vm process kill" ascii
$vmdk_ext = ".vmdk" ascii
$chacha_marker = "chacha20" ascii nocase
$ransom_note = "RECOVER-" ascii
$leak_site = ".onion" ascii
condition:
uint16(0) == 0x457f and // ELF header (Linux/ESXi binary)
3 of them
}
Defensive Priorities
ESXi hardening is critical. Cicada3301’s primary differentiation over commodity ransomware is reliable ESXi encryption. Organisations running VMware environments should:
- Enable ESXi Shell only when required and disable immediately after use
- Restrict management network access to dedicated admin VLANs
- Implement VM-level snapshots to off-host backup targets that ESXi credentials cannot reach
- Review who holds ESXi root credentials and implement JIT access
Offline, air-gapped backups. The locker actively deletes snapshots before encrypting. Any backup target reachable from the domain environment can be deleted or encrypted. The 3-2-1 rule with one copy air-gapped or immutable (S3 Object Lock, Azure Immutable Blob Storage) provides the minimum viable recovery capability.
Monitor RAMP and criminal forum activity. Cicada3301 actively recruits affiliates and initial access brokers on RAMP. Threat intelligence services that monitor criminal forums can provide early warning of campaigns targeting specific sectors or geographies.
Cicada3301 should be treated as a direct successor capability to ALPHV/BlackCat — the same technical sophistication, similar targeting logic, and an active affiliate recruitment programme drawing on experienced operators displaced by the February 2024 exit scam.