Operator dossier

Cicada3301 is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 75 public victims claimed by this operator between June 20, 2024 and September 4, 2025. Cicada3301 is a recently emerged ransomware group that began operations in June 2024, primarily motivated by financial gain through extortion activities targeting organizations across multiple sectors. The group's origin and affiliations remain largely undocumented in public threat intelligence reporting, with limited information available regarding their operational structure or potential connections to other cybercriminal organizations. Based on observed targeting patterns, Cicada3301 has demonstrated a preference for attacking business services, technology, manufacturing, and financial sector organizations, with their operations concentrated primarily in English-speaking countries including the United States, United Kingdom, and Canada, as well as extending to Spain and Singapore. The group has successfully compromised approximately 75 known victims since their emergence, though specific details regarding their attack methodologies, initial access vectors, encryption techniques, and extortion tactics have not been extensively documented in publicly available threat intelligence reports from major cybersecurity firms or government agencies. Given the limited public documentation available from CISA, FBI, Mandiant, or other reputable security researchers, the group's current operational status, technical capabilities, and specific attack infrastructure remain largely uncharacterized in open-source intelligence reporting. As of the most recent observations, Cicada3301 appears to remain active in conducting ransomware operations, though comprehensive analysis of their tactics, techniques, and procedures awaits more detailed public reporting from established threat intelligence sources.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

← All groups

Cicada3301

75 victims indexed · first seen 2 years ago · last activity 9 months ago

Victims indexed

#83 of 348 tracked operators

1y 3m

Active period

Jun 2024 → Sep 2025

Countries hit

top United States · 37

At a glance

Status: inactive
First seen: 2 years ago
Last activity: 9 months ago
Onion sites: 1 known endpoint
Primary sector: Business Services · 20 hits

About

Cicada3301 is a recently emerged ransomware group that began operations in June 2024, primarily motivated by financial gain through extortion activities targeting organizations across multiple sectors. The group's origin and affiliations remain largely undocumented in public threat intelligence reporting, with limited information available regarding their operational structure or potential connections to other cybercriminal organizations. Based on observed targeting patterns, Cicada3301 has demonstrated a preference for attacking business services, technology, manufacturing, and financial sector organizations, with their operations concentrated primarily in English-speaking countries including the United States, United Kingdom, and Canada, as well as extending to Spain and Singapore. The group has successfully compromised approximately 75 known victims since their emergence, though specific details regarding their attack methodologies, initial access vectors, encryption techniques, and extortion tactics have not been extensively documented in publicly available threat intelligence reports from major cybersecurity firms or government agencies. Given the limited public documentation available from CISA, FBI, Mandiant, or other reputable security researchers, the group's current operational status, technical capabilities, and specific attack infrastructure remain largely uncharacterized in open-source intelligence reporting. As of the most recent observations, Cicada3301 appears to remain active in conducting ransomware operations, though comprehensive analysis of their tactics, techniques, and procedures awaits more detailed public reporting from established threat intelligence sources.

References

8 links

External sources curated by the MISP threat-intel community.

Timeline

12 months

2024-06-01T00:00:00+00:002025-09-01T00:00:00+00:00

Top countries

🇺🇸 United States

🇬🇧 United Kingdom

🇨🇦 Canada

🇪🇸 Spain

🇸🇬 Singapore

🇧🇷 Brazil

🇫🇷 France

🇯🇵 Japan

United States dossier →United Kingdom dossier →Canada dossier →Spain dossier →

Top sectors

Business Services

Not Found

Technology

Manufacturing

Financial

Hospitality and Tourism

Transportation/Logistics

Healthcare

Business Services dossier →Not Found dossier →Technology dossier →Manufacturing dossier →

MITRE ATT&CK

46 techniques · 12 tactics

Tactics

CollectionCommand And ControlCredential AccessDefense ImpairmentDiscoveryExecutionInitial AccessLateral MovementPersistencePrivilege EscalationResource DevelopmentStealth

Techniques

T1003.002Security Account Manager
T1003.003NTDS
T1003.004LSA Secrets
T1005Data from Local System
T1016System Network Configuration Discovery
T1018Remote System Discovery
T1021.001Remote Desktop Protocol
T1021.004SSH
T1027.013Encrypted/Encoded File
T1036Masquerading
T1036.003Rename Legitimate Utilities
T1036.005Match Legitimate Resource Name or Location
T1039Data from Network Shared Drive
T1046Network Service Discovery
T1047Windows Management Instrumentation
T1049System Network Connections Discovery
T1053.005Scheduled Task
T1055.012Process Hollowing
T1056.001Keylogging
T1059.001PowerShell
T1059.003Windows Command Shell
T1070.003Clear Command History
T1070.004File Deletion
T1074.001Local Data Staging
T1074.002Remote Data Staging
T1078Valid Accounts
T1083File and Directory Discovery
T1087.002Domain Account
T1090.002External Proxy
T1105Ingress Tool Transfer
T1106Native API
T1119Automated Collection
T1140Deobfuscate/Decode Files or Information
T1190Exploit Public-Facing Application
T1199Trusted Relationship
T1204.002Malicious File
T1210Exploitation of Remote Services
T1218.004InstallUtil
T1553.002Code Signing
T1560Archive Collected Data
T1560.001Archive via Utility
T1566.001Spearphishing Attachment
T1568.001Fast Flux DNS
T1574.001DLL
T1583.001Domains
T1588.002Tool

Recent victims

Loading…

Onion infrastructure

1 known

http://cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion

Source

Updated 9 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.