
Palo Alto Networks details new ‘Repellent Scorpius’ group distributing Cicada3301 ransomware

A new report out today from Palo Alto Networks Inc.’s Unit 42 details a new ransomware-as-a-service group with a multi-extortion operation that’s actively recruiting new affiliates.

Called “Repellent Scorpius,” the RaaS group first emerged in May and distributes the Cicada3301 ransomware. Ransomware-as-a-service is a common model in the ransomware world in which the malware’s developers lease it out to affiliates, who use it to carry out attacks in exchange for a share of the proceeds from successful ransom payments.

Like Repellent Scorpius, the Cicada3301 ransomware is relatively new and was detailed by endpoint security firm Morphisec Inc. earlier this month. It’s written in the Rust programming language and named after Cicada 3301, the series of complex internet puzzles. The Morphisec report noted that the identity of whoever designed it is “shrouded in mystery,” yet it did note that the ransomware may have links to the infamous BlackCat ransomware family.

A week on, who is behind Cicada3301 is still not clear, but the report released today identifies its main distributor.

The Unit 42 researchers dived deep into the technical aspects of the ransomware and the tactics, techniques and procedures used by the group. Like other groups before it, Repellent Scorpius uses a double-extortion approach in which data is stolen before it is encrypted. That allows the group to extort victims not only by withholding the decryption key but also with the threat that the stolen data will be published if the ransom is not paid.

Interestingly, though, the report finds that Repellent Scorpius’s activities pre-date the emergence of Cicada3301. While Cicada3301 first appeared in the last month or two, Unit 42 estimates that Repellent Scorpius began operating in May, with leak site activity first observed in June.

The research also found that the group holds data obtained in older compromise incidents. It’s unclear whether this means the threat actors previously operated under a differently branded ransomware or whether they inherited the data from other ransomware groups.

Where the possible links come full circle, though, is that an IP address used by the group was previously linked to other ransomware groups, most notably Ambitious Scorpius, Unit 42’s name for the group better known as ALPHV/BlackCat.

The report doesn’t draw any further links between BlackCat and Repellent Scorpius, but it’s perhaps more than coincidence that the two groups have shared an IP address in attacks, given the earlier Morphisec report pointing to Cicada3301 possibly having links to BlackCat.

Connecting some dots, it’s possible that those behind Repellent Scorpius were previously involved with or linked to BlackCat, as new spinoffs and splinter groups are common in the ransomware world.

Whoever is behind Repellent Scorpius and Cicada3301, a core takeaway from the report is a warning that the researchers believe there will likely be an increase in attacks from the group, since it’s actively recruiting affiliates and initial access brokers. “We can expect to see attackers posting a growing list of active incidents and victims on their leak site in the near future,” the researchers conclude.

Source: siliconangle.com
