CosmicBeetle ransomware group targets SMEs with ScRansom

In September 2024, ESET researchers published a report on the renewed activity of the CosmicBeetle ransomware group. Active since 2020, this group is back with a new campaign targeting small and medium-sized enterprises (SMEs) across Europe and Asia. Their weapon? A ransomware named ScRansom, which takes advantage of unpatched security flaws to encrypt victims’ data and extort money from them. Although not yet at the peak of sophistication, this malware is nevertheless causing considerable damage. Initially based on tools from the leaked LockBit code, CosmicBeetle may now be affiliated with RansomHub, a fast-growing ransomware-as-a-service (RaaS) network, according to ESET.

CosmicBeetle: a ransomware gang active since 2020

Since its inception in 2020, CosmicBeetle has made its mark on the cybercrime landscape with bold attacks. This malicious group first made a name for itself using tools based on the famous LockBit ransomware, a code widely used in extortion attacks. Taking advantage of a LockBit source code leak on the dark web, CosmicBeetle recovered and modified these tools to create its own attacks.

The gang then evolved to develop its own malware. It was in this context that they deployed ScRansom, a customized ransomware that now targets several sectors, including healthcare, education, technology and even local government institutions. According to ESET’s recent study, CosmicBeetle has most likely teamed up with RansomHub, a ransomware-as-a-service network, to bolster its arsenal. ESET researcher Jakub Souček says he recently investigated “an interesting case that leads us to believe CosmicBeetle could be a new affiliate of RansomHub.”

ScRansom: a ransomware in constant evolution

ScRansom is not yet considered one of the most sophisticated ransomware families, but it is constantly improving. Written in Delphi, this ransomware has the ability to partially encrypt files, speeding up the attack process while increasing the chances that the victim will pay to unlock their data. It relies on a series of tools grouped under the Spacecolon name, including ScHackTool, ScInstaller, ScService and ScPatcher, each designed to maximize data infiltration and encryption. The use of the IPWorks library for encryption enhances the effectiveness of attacks, but the decryption process remains imperfect. According to ESET telemetry, several decryption keys may be required, and even then, some files are irreparably corrupted. CosmicBeetle has compensated for its immaturity by imitating LockBit, hoping to mislead victims and increase the chances of payment.

“ScRansom victims who decide to pay should be cautious. Although the decryptor itself works as expected (at the time of writing), multiple decryption keys are often required and some files may be permanently lost, depending on how CosmicBeetle proceeded during encryption,” say ESET researchers.

CosmicBeetle has replaced its previous ransomware, Scarab, with ScRansom, in an ongoing effort to improve. The group is taking advantage of the leaked LockBit builder to impersonate this notorious gang. Researchers have observed this impersonation in ransom notes, but also on dedicated leak sites. In reality, these attempts to create a credible identity mask a certain technical immaturity on the part of the group. However, even if their ransomware does not reach the level of sophistication of its competitors, SMEs remain exposed to these repeated cyberattacks, and may face irrecoverable losses even after paying the ransom. And as misfortune never comes alone, ScRansom is equipped with a special mode called “ERASE”, which renders certain files irrecoverable, even after payment.

Unpatched vulnerabilities and brute force: the CosmicBeetle method

To infiltrate systems, CosmicBeetle relies mainly on two methods: exploitation of unpatched vulnerabilities and brute force attacks. The brute force principle consists of testing thousands of password combinations until the one that will unlock access to a system is found. This type of attack is particularly effective against SMEs, which are often less well protected than large corporations.

CosmicBeetle attacks often use well-known security vulnerabilities, such as CVE-2023-27532, a vulnerability in a Veeam Backup & Replication component that is also exploited by EstateRansomware (for more details, see our dedicated article). These vulnerabilities, although already corrected by updates, remain an open door for attackers when not patched by the companies concerned. CosmicBeetle specifically targets SMEs that do not maintain a rigorous patch management process.

According to ESET, the following vulnerabilities are exploited:

  • CVE-2017-0144 (aka EternalBlue),
  • CVE-2023-27532 (a vulnerability in a Veeam Backup & Replication component),
  • CVE-2021-42278 and CVE-2021-42287 (AD privilege escalation vulnerabilities) through noPac,
  • CVE-2022-42475 (a vulnerability in FortiOS SSL-VPN), and
  • CVE-2020-1472 (aka Zerologon).

Companies that fall victim to ScRansom are then faced with a dilemma: pay the ransom demanded or risk losing their data for good. However, even in cases where a ransom is paid, the decryption process is far from reliable. ESET reports that the key provided by hackers malfunctions in some cases, resulting in the permanent loss of data. Decryption, when possible, is often lengthy and complex, another factor deterring payment.

A wide range of sectors targeted

The sectors affected by ScRansom are varied. Researchers have identified victims in manufacturing, education, healthcare, financial services, technology, hospitality and even local government. In France, some SMEs have been directly targeted, with cyberattacks affecting companies of various sizes. The malware makes no distinction: any organization neglecting its cybersecurity is potential prey.

Figure: Heat map of CosmicBeetle attacks since August 2023, according to ESET telemetry data – Source: ESET

CosmicBeetle and RansomHub: a strategic alliance

The link-up between CosmicBeetle and RansomHub marks an important step in their strategy. RansomHub, a ransomware-as-a-service (RaaS) network, enables other cybercrime players to “rent” ransomware to carry out their own attacks. CosmicBeetle was thus able to take advantage of RansomHub resources such as the EDR killer to intensify its offensives. To find out more about the EDR killer concept, read our article on RansomHub.

“To our knowledge, there are no public leaks of RansomHub’s code or its designer (although RansomHub itself is probably based on code purchased from Knight, another ransomware gang). Therefore, we believe with medium confidence that CosmicBeetle has signed up as a new RansomHub affiliate.” reads ESET’s study.

ScRansom: complex encryption and uncertain recovery

CosmicBeetle’s ScRansom ransomware uses a complex encryption scheme, while suffering from a certain immaturity in its development that often results in irreversible data loss.

The process generates an AES-CTR-128 key (ProtectionKey) and an RSA-1024 key pair (RunKeyPair) for each encryption session. Each encrypted file then carries various encrypted metadata, including its own encryption key (FileKey) and details of the encrypted blocks.

ScRansom uses partial encryption: only certain parts of the file are encrypted. The encryption method supports several modes (FAST, FASTEST, SLOW, FULL and ERASE), the most dangerous being ERASE, which replaces portions of files with constant values, rendering them unrecoverable. Even when the ransom is paid, the decryption process is often chaotic: each Decryption ID requires a separate ProtectionKey, which complicates complete data recovery.
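As an added example (not ESET’s tooling and not code from the report), the following triage helper illustrates what the partial-encryption and ERASE descriptions above mean for a responder sorting through affected files: a block whose bytes look like ciphertext can in principle be restored with the correct key, whereas a block overwritten with a single constant value cannot be restored by any key. The block size, entropy threshold and the sample file are constructed assumptions, not ScRansom’s actual file layout.

```python
import hashlib
import math
from collections import Counter

# Block size and entropy threshold are assumptions for this illustration,
# not values taken from ESET's ScRansom analysis.
BLOCK_SIZE = 1024
HIGH_ENTROPY = 7.0   # bits per byte; AES-CTR ciphertext lands close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty or constant-filled block)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_block(block: bytes) -> str:
    """Label a block by what its byte distribution suggests was done to it."""
    if len(set(block)) == 1:
        return "constant"    # overwritten with a single value: no key brings it back
    if shannon_entropy(block) >= HIGH_ENTROPY:
        return "encrypted"   # ciphertext-like region, recoverable only with the right key
    return "plaintext"       # structured or textual data, likely left untouched


def triage_file(data: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Count blocks per class and flag a file that carries destructive overwrites."""
    labels = [classify_block(data[i:i + block_size])
              for i in range(0, len(data), block_size)]
    summary = dict(Counter(labels))
    summary["blocks"] = len(labels)
    summary["destructive_overwrite"] = summary.get("constant", 0) > 0
    return summary


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out, chunk = b"", b"constructed-seed"
    while len(out) < n:
        chunk = hashlib.sha256(chunk).digest()
        out += chunk
    return out[:n]


# Constructed sample file: an untouched text block, an encrypted-looking block,
# and a block overwritten with a constant value, as an ERASE-style write would leave.
PLAINTEXT_BLOCK = (b"INVOICE 2024-09 Total due: 1234.56 EUR\n" * 40)[:BLOCK_SIZE]
SAMPLE_FILE = PLAINTEXT_BLOCK + _pseudo_random(BLOCK_SIZE) + b"\x00" * BLOCK_SIZE
```

Running `triage_file` over a recovered file set gives a quick count of how many blocks per file can still be expected back from a working decryptor and how many are gone regardless of the key.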

Figure: Encryption scheme used by the latest ScRansom samples – Source: ESET

ERASE mode poses a particular risk, making data recovery impossible, even if the ransom is paid. One victim had to manage 31 different decryption IDs, requiring as many protection keys. Despite this, not all files could be restored, underlining ScRansom’s inefficiency and amateurism.

“This decryption approach is typical of an immature ransomware threat actor. Seasoned gangs prefer their decryption process to be as simple as possible in order to increase the chances of a correct decryption, which enhances their reputation and increases the likelihood that victims will pay. Typically (as in the case of the LockBit Black builder leak), a decryptor is built at the same time as an encryptor. When distributed to the victim, no additional effort on the part of the user is required, as the key is already contained in the binary. What’s more, a single key is enough to decrypt all encrypted files, regardless of where they are located in the victim’s network,” writes Jakub Souček in his analysis.

We recommend that you consult the ESET researchers’ study for more technical details.

In the latest episode of the ESET Research podcast, published on October 24, 2024, Jakub Souček, senior malware researcher, analyzes CosmicBeetle’s tools and tactics in detail. Don’t miss this discussion (in English) of their unorthodox yet formidable methods.

How to protect yourself against ScRansom?

Faced with the threat of ScRansom, it’s essential that businesses, especially SMEs, adopt a proactive cybersecurity strategy. This includes:

  • Update software regularly: immediately apply the security patches provided by software vendors to prevent known vulnerabilities from being exploited.
  • Reinforce passwords: opt for complex passwords and activate two-factor authentication (2FA).
  • Back up data: as a minimum, adopt the 3-2-1 backup rule (3 copies of your data, on 2 different media, and 1 copy off-site).
  • Raise employee awareness: regular training in cybersecurity best practices can make all the difference.

In this respect, we strongly advise you to take note of the advice given by the ImpactCyber cyber-attack awareness campaign launched at the beginning of October for VSEs and SMEs.

Source: CosmicBeetle steps up: Probation period at RansomHub (ESET)
