Capital Printing Hit by Cicada 3301 Ransomware Attack

Incident Date: September 20, 2024


Overview

Victim: Capital Printing
Attacker: Cicada 3301
Location: Austin, Texas, USA
First Reported: September 20, 2024

Ransomware Attack on Capital Printing by Cicada 3301

Capital Printing, a well-established printing services company based in Austin, Texas, has recently fallen victim to a ransomware attack orchestrated by the notorious group Cicada 3301. The attackers have exfiltrated 5TB of sensitive data, including client information, work projects, accounting records, banking documents, and human resources files. The perpetrators have issued an ultimatum, demanding that Capital Printing contact them by September 22, 18:00 UTC to prevent the public release of the stolen data.

About Capital Printing

Founded in 1929, Capital Printing is the longest-operating commercial printing company in Austin, Texas. The company employs approximately 86 individuals and reported an annual revenue of about $18.8 million. Capital Printing specializes in a variety of printing services, including offset printing, digital printing, wide format printing, and mailing services. Their commitment to quality and customer satisfaction has made them a trusted partner for businesses of all sizes in Central Texas and beyond.

Attack Overview

The ransomware group Cicada 3301 has claimed responsibility for the attack, alleging that their actions are intended to hold Capital Printing accountable to its stated values of client respect and business integrity. The attackers have also accused the company of engaging in fraudulent activities involving insurance claims and neglecting the interests of its employees and clients, providing purported evidence in the form of screenshots.

About Cicada 3301

Cicada 3301 is a newly emerged Ransomware-as-a-Service (RaaS) and data broker group that first gained attention in June 2024. Unlike traditional ransomware groups, Cicada 3301 focuses on exfiltrating and selling sensitive data rather than employing traditional ransomware tactics. The group operates using a double-extortion model, threatening to release stolen data if demands aren’t met. They are distributed by a RaaS group called Repellent Scorpius and may have teamed up with operators of the Brutus botnet for initial network access.

Penetration and Vulnerabilities

Cicada 3301 employs sophisticated techniques to penetrate systems, including phishing campaigns, brute-forcing VPN credentials using the Brutus botnet, and exploiting vulnerabilities in Cisco, Fortinet, and SonicWall appliances. Once inside, they use tools like PsExec for lateral movement and RClone for data exfiltration. Capital Printing, like many small to medium-sized businesses, may have been targeted due to potentially weaker cybersecurity defenses and the valuable data they hold.
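As an added example (not part of the original report), the sketch below shows how a defender might flag three of the behaviours named above in already-normalized logs: repeated VPN login failures across many usernames, a PsExec service install, and an RClone transfer command. The event schema, field names, thresholds and sample records are all constructed assumptions, not data from this incident.

```python
import re
from collections import defaultdict

# Constructed sample events (not data from this incident), assumed to be
# normalized from VPN auth logs, Windows System event 7045 and process logs.
SAMPLE_EVENTS = [
    {"kind": "vpn_auth", "src": "203.0.113.7", "user": u, "success": False}
    for u in ("admin", "backup", "scanner", "jsmith", "test")
] + [
    {"kind": "vpn_auth", "src": "198.51.100.20", "user": "jsmith", "success": False},
    {"kind": "vpn_auth", "src": "198.51.100.20", "user": "jsmith", "success": True},
    {"kind": "service_install", "host": "FS01", "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"kind": "service_install", "host": "FS01", "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
    {"kind": "process", "host": "FS01",
     "cmdline": r"C:\ProgramData\rclone.exe copy D:\Accounting remote:bucket --transfers 16"},
    {"kind": "process", "host": "WS12",
     "cmdline": r"C:\Windows\System32\notepad.exe notes.txt"},
]

RCLONE_RE = re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)
MIN_FAILS, MIN_USERS = 5, 3  # assumed thresholds; tune to your VPN's baseline


def detect(events):
    """Return sorted (rule, subject) findings for the three behaviours above."""
    findings = []
    fails = defaultdict(list)
    for e in events:
        if e["kind"] == "vpn_auth" and not e["success"]:
            fails[e["src"]].append(e["user"])
        elif (e["kind"] == "service_install"
              and "psexesvc" in (e["service"] + e["image"]).lower()):
            # PSEXESVC is PsExec's default service name; the -r option renames
            # it, so this rule only catches default usage.
            findings.append(("psexec_service", e["host"]))
        elif e["kind"] == "process" and RCLONE_RE.search(e["cmdline"]):
            # Name-based match; a renamed binary needs hash or egress-volume rules.
            findings.append(("rclone_transfer", e["host"]))
    for src, users in fails.items():
        # Many failures across many usernames from one source looks like
        # guessing, not one person mistyping a password.
        if len(users) >= MIN_FAILS and len(set(users)) >= MIN_USERS:
            findings.append(("vpn_bruteforce", src))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_EVENTS):
        print(rule, subject)
```

A per-source threshold will miss guessing that is spread thinly across many addresses, so it is worth pairing with a per-account failure count.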
