Cicada3301 is a prominent Ransomware-as-a-Service (RaaS) group that emerged in 2024, quickly gaining notoriety for its
sophisticated multi-platform malware and aggressive double-extortion tactics. First appearing on underground forums in
May 2024, the group operates a RaaS model where affiliates conduct attacks in exchange for a share of the profits.
Cicada3301’s ransomware is written in Rust, enabling it to target Windows, Linux, and VMware ESXi systems with equal
ease. Like many modern ransomware operations, it employs double extortion – stealing large volumes of sensitive data
before encrypting victim systems – to maximise leverage for ransom demands.

Early reporting noted that Cicada3301 had claimed more than 20 victims within months of its debut, primarily targeting
organisations in North America and Europe. It has since expanded its footprint considerably. As of mid-2025, 74 victim
organisations have been listed on the group’s dark web data leak site. The gang is named after the famous “Cicada 3301”
cryptographic puzzles from 2012–2014, though there is no actual affiliation with those puzzles beyond the reuse of the
name. Operationally, Cicada3301 has distinguished itself through its advanced encryption scheme, rapid affiliate-driven
expansion, and hints of code and personnel overlap with older ransomware groups (notably BlackCat/ALPHV), suggesting
a possible rebranding or collaboration behind the scenes.
