At the end of June 2024, a new enigmatic ransomware-as-a-service group emerged under the name Cicada 3301. They have apparently borrowed the name and branding from a cryptographic puzzle to add mystery to their identity. Since its appearance, this ransomware operation has added numerous victims to its onion site, and analysis of its attacks has shown several links to the notorious ransomware group BlackCat/ALPHV, which dissolved in a multi-million exit scam after the group's infrastructure was seized by international law enforcement.
This presentation will contain technical and non-technical evidence suggesting a link between Cicada 3301 and BlackCat, such as:
In-depth malware analysis of both ESXi and Windows ransomware used by Cicada and similarities to the ALPHV ransomware
Tools, Techniques and Procedures (TTPs) used in ransomware attacks investigated by Truesec, comparing Cicada 3301 incidents to BlackCat/ALPHV incidents
Connections to a possible access broker, responsible for the Brutus botnet
Command and control infrastructure used by Cicada 3301 and how it is linked to BlackCat
Tracing profiles on Russian cybercrime forums related to Cicada 3301
We at Truesec were the first cybersecurity company to publish the links between Cicada 3301 and BlackCat. Since that publication, which was covered by Bleeping Computer and other news sites, we have investigated more data and can present further evidence of connections between these two groups.
We will demonstrate how a holistic approach to threat intelligence, combining reverse engineering, forensic analysis and dark web investigation, can provide a deeper understanding of threat actors.
Nicklas Keijser
Nicklas Keijser is a Threat Research Analyst at Truesec, a role that involves a great deal of reverse engineering and looking into all things malware. Nicklas is also a subject matter expert in industrial control systems and anything related to their security. He started his career programming PLCs, SCADA systems, and almost anything else possible within the industry. Before joining Truesec, Nicklas worked at the Swedish National CERT in the Swedish Civil Contingencies Agency.