CosmicBeetle Launches Custom ScRansom Ransomware in Attacks on SMBs, Likely Partners with RansomHub

The CosmicBeetle threat group has escalated its activities with the deployment of a new ransomware strain called ScRansom, targeting small- and medium-sized businesses (SMBs) across Europe, Asia, Africa, and South America. This group, known for previously using Scarab ransomware, is now also likely working as an affiliate of RansomHub.

New Ransomware Strain – ScRansom:

    • CosmicBeetle has replaced its Scarab ransomware with the newly developed ScRansom, which is still under active development and is updated frequently.
    • The ransomware has hit sectors including manufacturing, healthcare, education, financial services, technology and pharmaceuticals.
    • Notable features of ScRansom include partial encryption (only part of each file is encrypted, which speeds up the attack) and an "ERASE" mode that overwrites file contents with a fixed value, so those files cannot be recovered even if a decryptor is obtained.

Exploiting Vulnerabilities:

    • The attack chains rely on brute-forcing weak credentials and on known, long-patched vulnerabilities such as CVE-2017-0144 (EternalBlue, SMBv1), CVE-2020-1472 (Zerologon, Netlogon) and CVE-2021-42278 (Active Directory sAMAccountName spoofing, privilege escalation), among others.
    • EDR-killer tools such as Reaper, Darkside (here a tool, not to be confused with the DarkSide ransomware operation) and RealBlindingEDR are used to terminate or blind security products before the ransomware is deployed.

Link to RansomHub and LockBit Impersonation:

    • Evidence suggests CosmicBeetle is working as a RansomHub affiliate: a RansomHub EDR killer and ScRansom were observed on the same compromised systems within a short time frame.
    • CosmicBeetle has also posed as LockBit, branding its ransom notes and leak site after the far better-known group in the hope that the name pushes victims to pay.

EDR Killer Tools:

    • CosmicBeetle employs BURNTCIGAR (also known as POORTRY), a malicious kernel driver that loads because it carries a valid code signature, and uses it to terminate Endpoint Detection and Response (EDR) and antivirus processes from kernel mode.
    • RansomHub affiliates use EDRKillShifter, a loader that abuses vulnerable signed drivers, and misuse legitimate software such as Kaspersky's TDSSKiller, a rootkit-removal utility whose -dcsvc switch deletes a named Windows service, to stop security services and deepen their control of the system.
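The two tool lists above (the EDR killers used in CosmicBeetle's attack chain, and the driver and TDSSKiller abuse in this section) share one defensive lesson: the binaries are often legitimate or signed, so detection has to key on behaviour. The following Python triage helper is an added example for this article, not code from ESET, Malwarebytes, Kaspersky or Net Protector. It reads Sysmon-style process-creation (Event ID 1) and driver-load (Event ID 6) records as JSON lines and flags TDSSKiller runs that delete a security service, sc.exe tampering with such services, loads of drivers from user-writable directories, and known EDR-killer file names. The sample records are constructed, and the EDR-killer file names and the protected-service list are assumptions to adapt to your own environment.

```python
"""Triage helper: flag Sysmon-style events that look like EDR tampering.

Added example for this article.  It is not code from ESET, Malwarebytes,
Kaspersky or Net Protector, and the input records below are constructed.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# EDR-killer tools the article names.  The exe names are assumptions: real
# samples are renamed freely, so this is a seed list, not a signature.
EDR_KILLER_IMAGES = {"realblindingedr.exe", "edrkillshifter.exe",
                     "reaper.exe", "darkside.exe"}

# Security-product services that no routine job should stop or delete
# (MBAMService is Malwarebytes; the others are Microsoft Defender parts).
PROTECTED_SERVICES = {"mbamservice", "windefend", "sense", "wdnissvc"}

# TDSSKiller's "-dcsvc <name>" switch deletes the named service.
DCSVC = re.compile(r'-dcsvc\s+"?([^\s"]+)', re.IGNORECASE)
# sc.exe stop/delete/config <service>
SC_CMD = re.compile(r'\b(?:stop|delete|config)\s+"?([^\s"]+)', re.IGNORECASE)
# Drivers belong under System32\drivers; a load from a user-writable
# directory is a heuristic for a dropped "bring your own driver" payload.
USER_WRITABLE = re.compile(r"\\(?:users|programdata|windows\\temp)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    record_id: int
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> list[Finding]:
    """Return the findings for one Sysmon-like event given as a dict."""
    found: list[Finding] = []
    rid = int(event.get("RecordId", 0))
    eid = int(event.get("EventId", 0))

    if eid == 1:  # process creation
        image = _basename(event.get("Image", ""))
        cmd = event.get("CommandLine", "")
        if image == "tdsskiller.exe":
            # Key on the switch, not the tool: the binary is legitimate and
            # signed, so a "known-good vendor" allow-list will not block it.
            m = DCSVC.search(cmd)
            if m and m.group(1).lower() in PROTECTED_SERVICES:
                found.append(Finding(rid, "tdsskiller_deletes_security_service", m.group(1)))
        if image in EDR_KILLER_IMAGES:
            found.append(Finding(rid, "known_edr_killer_image", image))
        if image == "sc.exe":
            m = SC_CMD.search(cmd)
            if m and m.group(1).lower() in PROTECTED_SERVICES:
                found.append(Finding(rid, "sc_tampers_with_security_service", m.group(1)))

    elif eid == 6:  # driver loaded
        path = event.get("ImageLoaded", "")
        if USER_WRITABLE.search(path):
            found.append(Finding(rid, "driver_loaded_from_user_writable_path", path))

    return found


def analyze_log(lines) -> list[Finding]:
    """Run analyze_event over JSON-lines input, skipping unparsable lines."""
    findings: list[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue  # malformed line: skip rather than abort the triage
        if isinstance(event, dict):
            findings.extend(analyze_event(event))
    return findings


# Constructed sample events (not real telemetry).  Record 3 is a TDSSKiller
# run without -dcsvc and must not fire; the final line is deliberate garbage.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventId": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"RecordId": 2, "EventId": 1, "Image": r"C:\Users\Public\tdsskiller.exe",
     "CommandLine": "tdsskiller.exe -dcsvc MBAMService"},
    {"RecordId": 3, "EventId": 1, "Image": r"C:\Users\Public\TDSSKiller.exe",
     "CommandLine": "TDSSKiller.exe -accepteula -silent"},
    {"RecordId": 4, "EventId": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc.exe stop WinDefend"},
    {"RecordId": 5, "EventId": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys"},
    {"RecordId": 6, "EventId": 6, "ImageLoaded": r"C:\Windows\Temp\drv64.sys"},
    {"RecordId": 7, "EventId": 1, "Image": r"C:\Users\Public\RealBlindingEDR.exe",
     "CommandLine": "RealBlindingEDR.exe"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS] + ["this line is not JSON"]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"record {f.record_id}: {f.rule} ({f.detail})")
```

Run against the constructed log, records 2, 4, 6 and 7 fire and records 1, 3 and 5 stay quiet: a plain TDSSKiller scan is not flagged, only a run that deletes a protected service. The driver-path rule is a heuristic and will need an allow-list for legitimate installers that stage drivers under ProgramData; the signed-driver case (BURNTCIGAR/POORTRY) is otherwise hard to catch by name alone, which is why the rule looks at where the driver was loaded from rather than at its signature.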

Attribution:

    • Earlier reports linked CosmicBeetle to a Turkish developer, but that attribution is now in doubt. Suggestions that the group is state-sponsored rest only on its tooling and geographic reach; nothing in the observed activity establishes it, and the group's operations remain consistent with a financially motivated actor.

CosmicBeetle's shift from Scarab to ScRansom, its LockBit impersonation and its apparent RansomHub affiliation underscore the threat SMBs face from ransomware actors who keep refining their tooling. The entry vectors above are old and well understood, so the practical defences are equally concrete: patch the SMB, Netlogon and Active Directory flaws named above, enforce strong credentials and MFA on exposed RDP and SMB services, restrict who can load drivers or stop security services, and monitor for the driver loads and service tampering that precede encryption.

Net Protector advises all businesses to implement NPAV Endpoint Security to protect against these types of ransomware threats.