ESET researchers have uncovered alarming details about the activities of CosmicBeetle, an emerging ransomware threat actor targeting small and medium-sized businesses (SMBs) globally.
The group, active since at least 2020, has targeted SMBs across various sectors, primarily in Europe and Asia. The report details CosmicBeetle's transition from using the Scarab ransomware to developing and deploying its own custom ransomware, dubbed ScRansom.
CosmicBeetle's primary weapon, ScRansom, is a Delphi-based malware with a complex encryption scheme.
ESET's analysis reveals that CosmicBeetle has been continuously improving its ransomware capabilities since August 2023. The group's primary targets include SMBs in manufacturing, pharmaceuticals, legal services, education, healthcare, technology, hospitality, financial services, and regional government sectors.
The ransomware uses AES-CTR-128 for file encryption, coupled with an RSA-1024 key pair (RunKeyPair) and a hardcoded RSA public key (MasterKeyPair) for key management.
This sophisticated approach allows the malware to partially encrypt files based on their extensions, append data including a "Decryption ID," and rename files with a ".Encrypted" extension.
One of the most concerning aspects of ScRansom is its five encryption modes: "FAST," "FASTEST," "SLOW," "FULL," and "ERASE."
The last mode is particularly destructive, rendering files completely unrecoverable. This multi-mode approach gives the attackers flexibility in their operations but poses a significant risk to victims' data integrity.
Figure: User interface of ScRansom
The ransomware's graphical user interface (GUI) sets it apart from typical malware of its kind. This unusual feature includes debug capabilities, allowing the attackers to fine-tune their operations. Additionally, ScRansom terminates specific processes and services on the infected systems, further compromising the victim's network security.
ESET's research reveals that CosmicBeetle has been actively exploiting several vulnerabilities to gain initial access to the networks of its SMB victims. These include:
- EternalBlue (CVE-2017-0144)
- Zerologon (CVE-2020-1472)
- CVE-2023-27532 (a vulnerability in Veeam Backup & Replication)
- CVE-2021-42278 and CVE-2021-42287 (AD privilege escalation vulnerabilities)
- CVE-2022-42475 (a vulnerability in FortiOS SSL-VPN)
The group's targeting of SMBs is strategic, as these organizations often lack robust cybersecurity measures and awareness, making them more susceptible to such attacks.
In an intriguing development, researchers have observed CosmicBeetle impersonating the infamous LockBit ransomware gang. The group has been using LockBit's leaked builder and may have affiliations with another ransomware-as-a-service operation called RansomHub.
This tactic of mimicking established ransomware groups could be an attempt to intimidate victims and increase the likelihood of ransom payments.
The decryption process for ScRansom victims is notably complex and error-prone. Unlike more sophisticated ransomware operations that aim for simpler recovery processes, CosmicBeetle's approach requires victims to collect multiple Decryption IDs from infected machines and obtain corresponding "ProtectionKeys" from the attackers.
This process must be repeated manually on each encrypted device, with the correct ProtectionKey input for each Decryption ID.
Adding to the complexity, each additional execution of ScRansom on a single machine generates further Decryption IDs, complicating the recovery process even more.
In one documented case, a victim with 31 Decryption IDs could not fully recover their data, highlighting the potential for permanent data loss even after ransom payment.
The emergence of groups like CosmicBeetle underscores the evolving nature of the ransomware threat landscape. Their targeting of SMBs serves as a stark reminder of the need for organizations of all sizes to prioritize cybersecurity measures.
Regular security audits, comprehensive incident response plans, and up-to-date patch management are crucial defenses against such threats.
As ransomware groups continue to refine their tactics and target vulnerable sectors, staying informed about emerging threats and maintaining a proactive security posture becomes increasingly vital for businesses worldwide.