URL: https://www.vectra.ai/threat-actors/cicada3301
Submission: On September 16 via manual from US — Scanned from IT

Form analysis 1 forms found in the DOM

/search

<form action="/search" id="search-nav-field" class="l-menu__search w-form" __bizdiag="107944136" __biza="WJ__"><input class="search-input w-input" maxlength="256" name="query" placeholder="Search" type="search" id="search-nav-input"
    required=""><input type="submit" id="search-nav-button" class="search-button w-button" value="Search">
  <div class="search-exit"></div>
</form>

Text Content

CICADA3301

Cicada3301 is a ransomware-as-a-service (RaaS) operation, emerging in 2024 and
based on ALPHV/BlackCat ransomware.


THE ORIGIN OF CICADA3301

The Cicada3301 ransomware operation takes its name and logo from the infamous
2012-2014 internet puzzle known as Cicada 3301, which involved complex
cryptographic challenges. However, the current ransomware-as-a-service (RaaS)
operation has no connection to the original puzzle. The legitimate Cicada 3301
organization has publicly denounced the criminal operation.

The ransomware campaign began actively recruiting affiliates on June 29, 2024,
through the RAMP cybercrime forum. It shares significant similarities with the
ALPHV/BlackCat ransomware, suggesting a potential rebrand or a splinter group
using the same codebase.



CICADA3301'S TARGETS


COUNTRIES TARGETED BY CICADA3301

Cicada3301 predominantly targets businesses in North America and the UK, but some
recent victims are located in Switzerland and Norway.




INDUSTRIES TARGETED BY CICADA3301

Cicada3301 focuses on small and mid-sized businesses (SMBs), particularly those
with enterprise environments running VMware ESXi. The ransomware is designed to
maximize damage by disrupting virtual machine operations and removing recovery
options. Victims span various sectors, including manufacturing, healthcare,
retail, and hospitality.


CICADA3301'S VICTIMS

As of now, 26 victims have been publicly listed on the Cicada3301 extortion
site. The ransomware targets enterprises with high-value assets and critical
infrastructure, ensuring maximum pressure on victims to pay the ransom.

Source: ransomware.live


CICADA3301'S ATTACK METHOD

Initial Access

Cicada3301 gains access through stolen or brute-forced credentials, potentially
using the Brutus botnet for VPN brute-forcing across Cisco, Fortinet, Palo Alto,
and SonicWall devices.

Privilege Escalation

The ransomware uses valid credentials to escalate privileges, often bypassing
security systems through command line tools like PSEXEC.

Defense Evasion

Uses a sleep function to delay execution, tampers with EDR solutions, and
deletes shadow copies to inhibit recovery.

Credential Access

Integrated credential theft techniques are used for further network
infiltration, leveraging brute-forced or stolen passwords.

Discovery

Scans the network for file types and virtual machines, shutting down or deleting
snapshots for optimal encryption impact.

Lateral Movement

Utilizes compromised credentials and tools like PSEXEC for spreading across the
network.

Collection

Collects documents and media files based on specific extensions before
initiating encryption.

Execution

Encrypts files using the ChaCha20 algorithm, applying intermittent encryption
for larger files, and appending a seven-character extension.

Exfiltration

No current evidence suggests data exfiltration is a priority, but future
capabilities cannot be ruled out.

Impact

Maximizes disruption by encrypting critical files, shutting down VMs, and
deleting recovery snapshots.

MITRE ATT&CK Mapping


TTPS USED BY CICADA3301


TA0001 (Initial Access): no items found.
TA0002 (Execution): no items found.
TA0003 (Persistence): T1053 Scheduled Task/Job
TA0004 (Privilege Escalation): T1053 Scheduled Task/Job
TA0005 (Defense Evasion): T1218 System Binary Proxy Execution; T1027 Obfuscated Files or Information; T1562 Impair Defenses
TA0006 (Credential Access): T1003 OS Credential Dumping
TA0007 (Discovery): no items found.
TA0008 (Lateral Movement): no items found.
TA0009 (Collection): no items found.
TA0011 (Command and Control): T1105 Ingress Tool Transfer
TA0010 (Exfiltration): no items found.
TA0040 (Impact): T1490 Inhibit System Recovery
HOW TO DETECT CICADA3301 WITH VECTRA AI



EXTERNAL REMOTE ACCESS

KERBEROS BRUTE-SWEEP

M365 SUSPECT EDISCOVERY USAGE

M365 SUSPICIOUS POWER AUTOMATE FLOW CREATION

MALWARE UPDATE

PRIVILEGE ANOMALY: UNUSUAL ACCOUNT ON HOST

FAQS


WHAT IS CICADA3301 RANSOMWARE?

Cicada3301 is a Rust-based ransomware strain that targets small and medium-sized
businesses (SMBs), encrypting data and disrupting business operations by making
systems unusable.




HOW DOES CICADA3301 GAIN INITIAL ACCESS?

The ransomware typically exploits vulnerabilities within networks and uses
compromised credentials to establish an initial foothold, often through
opportunistic attacks.




WHAT ENCRYPTION METHOD DOES IT USE?

Cicada3301 employs RSA encryption with OAEP padding, ensuring that encrypted
files are highly secure and difficult to decrypt without the proper key.




HOW DOES CICADA3301 EVADE DETECTION?

Cicada3301 uses advanced techniques to bypass detection, including the use of
tools like EDRSandBlast to disable Endpoint Detection and Response (EDR) systems
and shadow copy deletion to prevent recovery.




WHICH INDUSTRIES ARE MOST AFFECTED BY CICADA3301?

While Cicada3301 primarily targets SMBs, businesses across various sectors are
vulnerable, especially those with weak cybersecurity postures.




WHAT TECHNIQUES DOES CICADA3301 USE TO DISABLE RECOVERY?

Cicada3301 disables system recovery options by deleting shadow copies using
"vssadmin" commands and tampering with recovery settings through the "bcdedit"
utility.
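The recovery-inhibition step described above (shadow copy deletion via "vssadmin" and boot-recovery tampering via "bcdedit", also listed under Defense Evasion and Impact as T1490), as an added detection example that is not part of the original page: the key=value log format, field names (host, user, parent, cmdline) and sample events are constructed, and the rule set covers the common vssadmin and bcdedit variants rather than only the exact commands the FAQ names.

```python
import re
from collections import defaultdict

# T1490 (Inhibit System Recovery) rules for the two utilities the profile names,
# matched case-insensitively against the full command line of a process event.
T1490_RULES = [(label, re.compile(rx, re.I)) for label, rx in [
    ("vssadmin-delete-shadows", r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("vssadmin-resize-shadowstorage", r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b"),
    ("bcdedit-recoveryenabled-no", r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b"),
    ("bcdedit-ignoreallfailures", r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
]]

# Constructed key=value log format (double-quoted values allowed), carrying the
# fields a process-creation event has: host, user, parent image, command line.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Parse one log line into a dict of field -> value."""
    return {k: (q if q else u) for k, q, u in _KV.findall(line)}

def match_rules(cmdline):
    """Return the labels of every T1490 rule the command line triggers."""
    return [label for label, rx in T1490_RULES if rx.search(cmdline)]

def detect_t1490(lines):
    """Return (findings per host, hosts where BOTH shadow-copy deletion and
    boot-recovery tampering were seen: the full sequence the FAQ describes)."""
    findings = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        hits = match_rules(ev.get("cmdline", ""))
        if hits:
            findings[ev.get("host", "?")].append((ev.get("user"), ev.get("parent"), hits))
    critical = []
    for host, items in findings.items():
        labels = {l for _, _, hs in items for l in hs}
        if any(l.startswith("vssadmin") for l in labels) and any(l.startswith("bcdedit") for l in labels):
            critical.append(host)
    return dict(findings), sorted(critical)

# Constructed sample events: a benign backup-agent query (no rule fires), one
# host running the full recovery-inhibition sequence, one host with a resize only.
SAMPLE_LOG = [
    'ts=2024-09-01T02:11:04Z host=FS01 user=CORP\\svc_backup parent=wbengine.exe cmdline="vssadmin.exe List Shadows"',
    'ts=2024-09-01T02:13:40Z host=FS01 user=CORP\\admin parent=cmd.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    'ts=2024-09-01T02:13:41Z host=FS01 user=CORP\\admin parent=cmd.exe cmdline="bcdedit /set {default} recoveryenabled No"',
    'ts=2024-09-01T02:13:42Z host=FS01 user=CORP\\admin parent=cmd.exe cmdline="bcdedit /set {default} bootstatuspolicy IgnoreAllFailures"',
    'ts=2024-09-01T03:05:12Z host=WS07 user=CORP\\jdoe parent=powershell.exe cmdline="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
]

if __name__ == "__main__":
    per_host, critical = detect_t1490(SAMPLE_LOG)
    print(per_host, "hosts with recovery fully inhibited:", critical)
```

In production, tune the rules by allow-listing known backup agents as the parent image (as the wbengine.exe line illustrates, legitimate software queries shadow copies) while keeping any delete or bcdedit tampering as a high-severity alert regardless of parent.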




DOES CICADA3301 EXFILTRATE DATA?

While the ransomware’s primary goal is encryption, the infrastructure it uses
suggests that it may have the potential to exfiltrate data in future campaigns.




HOW CAN CICADA3301 RANSOMWARE BE DETECTED?

Advanced network detection and response tools, like those provided by Vectra AI,
can detect unusual network behaviors, compromised credentials, and lateral
movement, allowing early identification of threats like Cicada3301 before they
cause damage.




WHAT SHOULD I DO IF I DETECT CICADA3301 IN MY ENVIRONMENT?

Immediate steps should include isolating the affected systems and working with
cybersecurity experts. Solutions like the Vectra AI Platform offer real-time
detection, automated responses, and post-incident forensic analysis to quickly
mitigate ransomware threats.




HOW CAN I PROTECT AGAINST CICADA3301 RANSOMWARE?

Proactive defense strategies, such as the Vectra AI Platform, provide continuous
network monitoring, AI-driven threat detection, and early-stage identification
of ransomware activities. This includes detecting privilege escalation, lateral
movement, and attempts to disable defenses, ensuring ransomware is stopped
before it can cause significant damage.




© 2024 Vectra AI, Inc. All rights reserved.