
CosmicBeetle Utilizing Outdated Vulnerabilities To Target Small Businesses Globally


The ransomware landscape has taken an intriguing turn with the emergence of CosmicBeetle, a threat actor that has recently swapped out its old ransomware, Scarab, in favor of a new custom-built ransomware called ScRansom. This new ransomware is continuously evolving, keeping cybersecurity experts on their toes.

CosmicBeetle has been actively targeting small and medium-sized businesses (SMBs) globally, employing tactics such as exploiting vulnerabilities to gain unauthorized access to their systems. Notably, the threat actor has been experimenting with the leaked LockBit builder, trying to capitalize on the reputation of the infamous ransomware gang by impersonating them.

Experts suggest, with medium confidence, that CosmicBeetle may be a new affiliate of RansomHub, a rising ransomware-as-a-service group. RansomHub is relatively new to the ransomware scene but has been making waves by actively targeting SMBs in Europe and Asia with its custom-developed ScRansom.

While ScRansom may not be the most sophisticated ransomware in terms of technical complexity, CosmicBeetle has managed to compromise several high-profile targets due to their unrefined approach and utilization of leaked LockBit tools. ESET telemetry and code analysis have provided strong indications that ScRansom is indeed a new tool developed by CosmicBeetle, with code similarities, overlapping deployments, and shared components pointing to the same conclusion.

Initial attribution to a Turkish software developer was deemed inaccurate, but further investigation revealed that the encryption scheme used in ScHackTool is likely based on an open-source algorithm, strengthening the link between ScRansom and CosmicBeetle. This solidifies the attribution and sheds light on the origins of this new ransomware variant.

CosmicBeetle has been predominantly targeting SMBs across various sectors using tactics like brute-force attacks and exploiting well-known vulnerabilities such as EternalBlue, CVE-2023-27532, AD privilege escalation vulnerabilities, FortiOS SSL-VPN vulnerability, and Zerologon. The group’s victims span a wide range of industries, including manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, financial services, and regional government.

Communication with victims is typically established through email and qTox, a messaging application, with the ransomware itself named NONAME. Interestingly, CosmicBeetle went to great lengths to impersonate the LockBit ransomware group by creating a fake LockBit leak site and using compromised victim data from LockBit. This further solidified their credibility, along with the inclusion of a Turkish ransom note with contact information in their ransomware samples.

ScRansom, the new ransomware developed by CosmicBeetle, employs a sophisticated encryption scheme involving AES and RSA keys to encrypt files across various drives. Victims are required to pay a ransom in exchange for a decryption key to recover their encrypted files. However, the decryption process can be complex and prone to failure due to multiple encryption sessions and potential file destruction.

Despite attempts to leverage the reputation of LockBit and the affiliations with RansomHub, ScRansom remains a complex and risky threat to victims. Ongoing research and analysis by cybersecurity experts will be crucial in understanding the full extent of this evolving ransomware threat and developing effective mitigation strategies.
