A cybercriminal group tracked as “CosmicBeetle” has been preying on small businesses in Turkey, Spain, India, and South Africa, exploiting known vulnerabilities in the software those businesses run in order to install ransomware. The group, which Slovak cybersecurity firm ESET describes as operating with a “low level of sophistication,” develops its own ransomware, whose encryption scheme ESET calls “rather chaotic.”
According to ESET’s analysis, CosmicBeetle deploys a custom ransomware family known as ScRansom that is still under active development, with frequent updates and changes. The group’s inexperience in malware development shows in several flaws: in some cases the encryption routine runs more than once on the same infected machine, and victims have then been unable to recover their data even with the attackers’ cooperation.
Jakub Souček, a senior malware researcher at ESET, pointed out that while more experienced cybercriminal groups prefer to make the decryption process as straightforward as possible to increase the chances of victims paying the ransom, CosmicBeetle’s rapidly changing ransomware has made the situation more uncertain for victims seeking decryption.
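The failure mode described above, as an added illustration that is not from the original article and not ScRansom’s code: a toy stream cipher (HMAC-SHA256 in counter mode, XORed onto the data) stands in for the real algorithm, which the article does not describe. The one assumption is that each run of the routine generates a fresh key and does not notice that a file is already encrypted. Under that assumption a file hit twice needs both keys, and a decryptor shipped with only the key from the last run produces garbage.

```python
import os
import hmac
from hashlib import sha256
from typing import List, Optional, Tuple

BLOCK = 32  # bytes of keystream produced per HMAC call


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode, XORed over the data.

    Used only to illustrate key dependence. It is NOT ScRansom's cipher
    (the article gives no details of that scheme) and must not be used for
    real encryption. Because it is XOR based, the same function both
    encrypts and decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        counter = (offset // BLOCK).to_bytes(8, "big")
        pad = hmac.new(key, counter, sha256).digest()
        chunk = data[offset:offset + BLOCK]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)


def ransomware_run(file_data: bytes, key: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One execution of the simulated encryption routine.

    Assumption (ours, not the article's): every run draws a fresh random key
    and never checks whether the file is already encrypted, so a re-triggered
    payload simply wraps the ciphertext again.
    """
    if key is None:
        key = os.urandom(32)
    return keystream_xor(file_data, key), key


def simulate_repeated_runs(file_data: bytes, runs: int) -> Tuple[bytes, List[bytes]]:
    """Run the routine `runs` times over the same file. Returns the final
    ciphertext and the per-run keys in the order they were applied."""
    keys: List[bytes] = []
    data = file_data
    for _ in range(runs):
        data, key = ransomware_run(data)
        keys.append(key)
    return data, keys


def decrypt(ciphertext: bytes, keys: List[bytes]) -> bytes:
    """Undo the passes whose keys we hold, last pass first. With this XOR
    cipher the order does not matter, but every run's key is still needed."""
    data = ciphertext
    for key in reversed(keys):
        data = keystream_xor(data, key)
    return data


def recovery_succeeds(file_data: bytes, runs: int, keys_handed_over: int) -> bool:
    """Encrypt `runs` times, then recover using only the keys from the last
    `keys_handed_over` runs (e.g. the single key in the final ransom note).
    Returns True iff the original bytes come back."""
    ciphertext, keys = simulate_repeated_runs(file_data, runs)
    start = max(0, len(keys) - keys_handed_over)
    return decrypt(ciphertext, keys[start:]) == file_data


if __name__ == "__main__":
    # Constructed sample "document"; a real victim would check a format
    # header such as %PDF rather than comparing against a known plaintext.
    sample = b"%PDF-1.7 constructed sample document body " * 4
    print("one run, one key   :", recovery_succeeds(sample, 1, 1))   # True
    print("two runs, two keys :", recovery_succeeds(sample, 2, 2))   # True
    print("two runs, last key :", recovery_succeeds(sample, 2, 1))   # False
```

The last case is the one the article describes: the victim pays, receives a working decryptor for the most recent run, and still gets unreadable files because an earlier pass was never accounted for.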
Interestingly, CosmicBeetle has employed two unusual tactics. First, it has tried to imply a connection with the well-known LockBit group in order to build credibility with victims. Second, it has joined the RansomHub affiliate program and now often deploys RansomHub’s ransomware rather than its own custom malware.
The group targets small and midsize businesses by exploiting older vulnerabilities, for which patches have long been available, in software commonly found in such environments. Examples include flaws in Veeam Backup & Replication, used to gain unauthorized access, and in Microsoft Active Directory, used for privilege escalation.
CosmicBeetle is not singling out SMBs deliberately; rather, the software it exploits, which larger organizations are more likely to have patched, leaves smaller businesses as the bulk of its victims. Companies in manufacturing, pharmaceuticals, legal services, education, and healthcare have all fallen prey to its ransomware.
Turkey accounts for the most victimized organizations, but Spain, India, South Africa, and other countries have also been affected. Speculation has linked the threat actor to a Turkish software developer; ESET remains doubtful of that connection. Still, given the concentration of infections in Turkey, the group likely has closer ties to the country or region and is more confident selecting targets there.
Overall, CosmicBeetle’s opportunistic approach, combined with its immaturity as a ransomware developer, poses a real threat to small businesses across the globe: victims may be unable to recover their data even if they pay. Organizations should prioritize timely software updates and patch management, particularly for backup infrastructure and Active Directory, the systems this group is known to exploit, since it relies on vulnerabilities that already have fixes available.
