Repellent Scorpius: Novel RaaS Group Actively Distributes Cicada3301 Ransomware Variant

Ransomware continues to be a leading global threat to organizations, with attacks becoming more frequent and increasingly sophisticated. Recently, a new Ransomware-as-a-Service (RaaS) group, Repellent Scorpius, has emerged, intensifying the challenge for cyber defenders. This novel actor drives the distribution of the Cicada3301 ransomware, employing a double-extortion tactic to maximize profits while expanding their affiliate network.

Cicada3301 Ransomware Detection

Recent months have been marked by a sharp rise in ransomware attacks, fueled by the emergence of Zola and BlackSuite strains, increased activity from Akira, and the resurgence of Black Basta. Adding to the “summer heat,” Repellent Scorpius appeared on the scene in May 2024, pushing the newly surfaced Cicada3301 ransomware into the mix.

To stay ahead of the Repellent Scorpius attacks and proactively identify potential Cicada3301 ransomware infections, security professionals might rely on SOC Prime Platform for collective cyber defense offering a dedicated Sigma rules set accompanied by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Just hit the button below and immediately drill down to a relevant rules collection to detect malicious activity associated with Cicada3301 infections. 

Sigma Rules to Detect Cicada3301

Cyber defenders seeking for more Sigma rules addressing the Repellent Scorpius tactics, techniques, and procedures (TTPs) might access a tailored detection stack by browsing Threat Detection Marketplace with “Repellent Scorpius” tag or by simply hitting the button below. 

Sigma Rules to Detect Repellent Scorpius TTPs

The rules are compatible with 30+ SIEM, EDR, and Data Lake platforms and mapped to the MITRE ATT&CK framework. Additionally, all the detections are enriched with extensive meta data, including attack timelines, threat intel references, and triage recommendations.

To instantly hunt for related indicators of compromise (IOCs) listed in Palo Alto Networks Unit42 research, security engineers might use Uncoder AI, a professional detection engineering IDE & co-pilot, serving an IOC packager to seamlessly parse IOCs and convert them into custom hunting queries ready to run in the SIEM or EDR of choice.

Cicada3301 Ransomware Attacks Analysis

The recent report from Palo Alto Networks Unit 42 reveals the emergence of a new ransomware-as-a-service group actively expanding their list of their victims. Dubbed Repellent Scorpius, the group started active operation in May 2024 distributing Cicada3301 ransomware globally. 

Despite its recent launch, Repellent Scorpius is swiftly gaining traction by setting up an affiliate program and actively recruiting initial access brokers (IAB) and network intruders on russian-language cybercrime forums. Although the origin of the group is currently unknown, the focus on russian-speaking affiliates and restriction to target CIS countries might provide a hint to the group’s roots. 

While Unit42 has been monitoring the group’s activities since May-June 2024, researchers have also identified connections to past compromise incidents unrelated to Cicada3301. This suggests that the group may have previously operated under a different moniker or acquired data from other ransomware actors. Notably, Cicada3301 bears striking resemblances to the now-defunct BlackCat (also known as ALPHV) operation.

Repellent Scorpius leverages stolen credentials for the initial access, relying on IABs to purchase them. Further, attackers employ a legitimate PsExec tool to execute the ransomware payload against multiple hosts within the targeted network. For data exfiltration, the open-source Rclone utility is used. Interestingly, the public IP address utilized for exfiltration was earlier leveraged by other ransomware collectives, including Bashful Scorpius (aka Nokoyawa) and Ambitious Scorpius (aka ALPHV/BlackCat), once again highlighting links of Repellent Scorpius with BlackCat.

Cicada3301 payload itself is written in Rust and uses ChaCha20 for encryption, with ransomware strain being capable of targeting both Windows and Linux/ESXi hosts.

With an increasing number of trends and more sophisticated intrusions, ransomware has been the top challenge for most organizations since 2021, including large-scale enterprises. With SOC Prime’s complete product suite for AI-powered Detection Engineering, Automated Threat Hunting & Detection Stack Validation, defenders can minimize the risks of intrusions and maximize the value of security investments.