CosmicBeetle’s New Ransomware: ScRansom

Introduction

CosmicBeetle, a cybercriminal group, has developed a new strain of ransomware known as ScRansom. This malware is being used to target small and medium-sized businesses (SMBs) across Europe, Asia, Africa, and South America. Some analysts believe that CosmicBeetle might be linked to RansomHub.

You might be interested in: Quad7 Botnet Targets More Routers and VPNs

ScRansom Replaces Scarab

ESET analyst Jakub Souček recently revealed that CosmicBeetle has transitioned from their previous ransomware, Scarab, to ScRansom. The group continues to refine ScRansom, making it more effective, even if it’s not the most advanced malware out there. Despite this, they’ve managed to compromise notable targets.

A Wide Range of Victims

The ScRansom attacks have affected a variety of industries, including:

• Manufacturing
• Pharmaceuticals
• Law
• Education
• Healthcare
• Technology
• Hospitality
• Entertainment
• Financial services
• Regional governments

CosmicBeetle’s Past

CosmicBeetle is infamous for their Spacecolon malware, which was previously used to spread the Scarab ransomware globally. The group’s leader, also known as NONAME, has been experimenting with LockBit’s stolen code to impersonate the well-known ransomware group in their ransom notes and on their leak site since late 2023.

Who is Behind the Attacks?

At this time, it’s unclear who is behind CosmicBeetle’s operations or where they are based. Initially, it was speculated that the group might be from Turkey due to a custom encryption method used in a different tool called ScHackTool. However, ESET believes this connection no longer holds.

Hacking Tools and Tactics

CosmicBeetle has used several known vulnerabilities to gain access to their targets, including CVE-2017-0144 and CVE-2023-27532. Once inside, they deploy tools like Reaper and Darkside to disable security systems before launching ScRansom. This ransomware is designed to quickly encrypt files and even has an option to overwrite them, making recovery impossible.

Possible Link to RansomHub

Researchers have found that both ScRansom and RansomHub ransomware were deployed on the same computer within a short time frame, raising suspicions of a possible connection between the two groups.

Cicada3301’s New Encryption Tool

In other ransomware news, Cicada3301 (also known as Repellent Scorpius) has released a new version of their ransomware encryptor, which includes an option to avoid creating ransom notes. This version also no longer stores usernames and passwords within the code, although it can still run PsExec with existing credentials.

Evolution of POORTRY: A New EDR Disabler

A malware called POORTRY has evolved into an effective tool for disabling Endpoint Detection and Response (EDR) software. This malicious software uses a vulnerable driver to get around security protections and disable critical security processes. POORTRY has been used by multiple ransomware groups, including BlackCat and LockBit.

Conclusion

Cybercriminals like CosmicBeetle and Cicada3301 continue to evolve their tactics, constantly finding new ways to bypass security systems and hold data hostage. While their methods may not always be the most sophisticated, the persistence and creativity of these groups make them a serious threat to businesses worldwide. As security experts continue to track and analyze these attacks, businesses must remain vigilant and take proactive steps to protect their networks.