Thursday, February 20, 2025
HomeCVE/vulnerabilityCosmicBeetle Exploiting Old Vulnerabilities To Attacks SMBs All Over The World

CosmicBeetle Exploiting Old Vulnerabilities To Attacks SMBs All Over The World

Published on

SIEM as a Service

Follow Us on Google News

CosmicBeetle, a threat actor specializing in ransomware, has recently replaced its old ransomware, Scarab, with ScRansom, a custom-built ransomware that continues to evolve. 

The threat actor has been actively targeting SMBs worldwide, exploiting vulnerabilities to gain access to their systems and experimenting with the leaked LockBit builder, attempting to leverage its reputation by impersonating the notorious ransomware gang. 

It is believed, with medium confidence, that CosmicBeetle is a new affiliate of RansomHub, a rising ransomware-as-a-service group, which is a relatively new ransomware actor, and has been actively targeting SMBs in Europe and Asia with its custom-developed ScRansom. 

While ScRansom is not particularly sophisticated, CosmicBeetle has successfully compromised several interesting targets due to their immature approach and the use of leaked LockBit tools. 

ESET telemetry and code analysis strongly suggest ScRansom is a new tool developed by CosmicBeetle. Code similarities, overlapping deployments, and shared components with other CosmicBeetle tools provide compelling evidence. 

While previous attribution to a Turkish software developer was inaccurate, the encryption scheme used in ScHackTool is likely adapted from an open-source algorithm, which further supports the connection between ScRansom and CosmicBeetle, solidifying the attribution.

NONAME dedicated leak site on Tor

CosmicBeetle, a ransomware group, primarily targets SMBs in various sectors using brute-force attacks and exploits known vulnerabilities such as EternalBlue, CVE-2023-27532, AD privilege escalation vulnerabilities, FortiOS SSL-VPN vulnerability, and Zerologon.

The group’s victims include companies in manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, financial services, and regional government.

CosmicBeetle communicates with its victims through email and qTox, a messaging application, and uses a custom ransomware named NONAME.

Website mimicking the official LockBit leak site, set up by CosmicBeetle

A less-established ransomware group impersonated the well-known LockBit to enhance their credibility by first creating a fake LockBit leak site with similar design and reused compromised victim data from LockBit.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar

Later, they even built a ransomware sample using the leaked LockBit builder and included a Turkish ransom note with their contact info. Evidence suggests CosmicBeetle might also be a new affiliate of RansomHub, as their tools and behaviors were observed in a recent RansomHub attack.

User interface of ScRansom

ScRansom, a ransomware developed by CosmicBeetle, employs a complex encryption scheme involving AES and RSA keys. It encrypts files on various drives and can also permanently delete files.

The ransomware is initially launched by the threat actor through manual interaction, but newer versions automate the process. Victims must pay a ransom to obtain a decryption key, which is required to recover their encrypted files.

However, the decryption process is complex and may fail due to various factors, including multiple encryption sessions and potential file destruction.

Encryption scheme utilized by the latest ScRansom samples

It has been deploying a new custom ransomware, ScRansom, after abandoning Scarab. Despite attempts to leverage LockBit’s reputation, ScRansom remains complex and prone to errors. 

According to ESET research, the actor’s deployment of RansomHub payloads on the same machine as ScRansom suggests a potential affiliation with RansomHub. 

The ongoing development of ScRansom poses significant risks to victims, as successful decryption is uncertain and may require extensive manual effort.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar

Varshini
Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

Check Point Software to Open First Asia-Pacific R&D Centre in Bengaluru, India

Check Point Software Technologies Ltd. has announced plans to establish its inaugural Asia-Pacific Research...

PoC Exploit Released for Ivanti Endpoint Manager Vulnerabilities

A recent investigation into Ivanti Endpoint Manager (EPM) has uncovered four critical vulnerabilities that...

Ransomware Trends 2025 – What’s new

As of February 2025, ransomware remains a formidable cyber threat, evolving in complexity and...

Hackers Delivering Malware Bundled with Fake Job Interview Challenges

ESET researchers have uncovered a series of malicious activities orchestrated by a North Korea-aligned...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Ransomware Trends 2025 – What’s new

As of February 2025, ransomware remains a formidable cyber threat, evolving in complexity and...

ShadowPad Malware Upgraded to Deliver Ransomware in Targeted Attacks

Security researchers have uncovered a significant evolution in the ShadowPad malware family, which is...

Fedora Linux Kernel Flaw Exposed Sensitive Data to Attackers

A newly discovered vulnerability in the Fedora Linux kernel, identified as CVE-2025-1272, has raised...