CosmicBeetle Launches Custom ScRansom Ransomware in Collaboration with RansomHub

CosmicBeetle Introduces ScRansom Ransomware Targeting SMBs Globally

The threat actor tracked as CosmicBeetle has begun deploying a new, custom ransomware family called ScRansom in attacks on small- and medium-sized businesses (SMBs) across Europe, Asia, Africa, and South America. ScRansom replaces the group's earlier payload, Scarab, and the switch reflects an attempt to improve on a toolset that had limited success. In parallel, there are signs that CosmicBeetle may be operating as an affiliate of RansomHub, an established ransomware-as-a-service operation.

ESET researcher Jakub Souček has detailed in a recent analysis that while ScRansom does not reach the upper echelons of sophistication, it successfully targets significant sectors that include manufacturing, pharmaceuticals, the legal sphere, education, healthcare, technology, hospitality, leisure, financial services, and regional government. These sectors often hold sensitive data, which makes them appealing targets for ransomware operators seeking to maximize their impact.

CosmicBeetle, also tracked as NONAME, has previously been linked to a toolset called Spacecolon, which was used to distribute Scarab worldwide. The group has a history of borrowing the branding of better-known ransomware operations: it has, for example, used a leaked LockBit builder and posed as LockBit in an effort to intimidate victims and lend its operations credibility.

The identity and location of CosmicBeetle remain unclear. A Turkish connection was once suggested on the basis of a custom encryption scheme found in another of the group's tools, ScHackTool. ESET has since walked that attribution back: Souček notes that the encryption routine in ScHackTool was lifted from the legitimate Disk Monitor Gadget software, so it cannot be treated as an indicator of the developer's origin. The finding also shows that CosmicBeetle repurposes existing code rather than writing everything from scratch.

For initial access, the group relies on brute-force attacks and the exploitation of known, publicly documented vulnerabilities in internet-facing software. Once inside, it runs EDR-killer tools such as Reaper, Darkside, and RealBlindingEDR to disable endpoint security before dropping the ransomware. ScRansom itself is written in Delphi and is built to encrypt quickly; it also includes an "ERASE" mode that, instead of encrypting, overwrites file contents, making those files unrecoverable even if a decryptor is later obtained.
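The distinction between encrypted and overwritten files matters during incident response: encrypted content is high-entropy and may still be recoverable if a key or decryptor surfaces, while content overwritten with a constant pattern is gone. The following triage helper is an added example, not ESET's research code or anything from the ScRansom sample; it classifies file contents by Shannon entropy so a responder can separate the two cases. The entropy thresholds and the sample file contents are assumptions constructed for the example.

```python
"""Entropy-based triage of files touched by ransomware (added example).

Encrypted data looks close to uniformly random (near 8 bits/byte);
a file wiped with a constant fill has almost no entropy; ordinary
documents sit in between. Thresholds are assumptions for this example
and should be tuned on real samples.
"""
import math
import os
from collections import Counter

LOW_ENTROPY = 1.0    # at or below: constant/near-constant fill -> wiped
HIGH_ENTROPY = 7.5   # at or above: uniform-looking bytes -> encrypted


def shannon_entropy(data: bytes) -> float:
    """Return bits of entropy per byte, in the range 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(data: bytes) -> str:
    """Classify content as 'wiped', 'encrypted', or 'plain'."""
    h = shannon_entropy(data)
    if h <= LOW_ENTROPY:
        return "wiped"
    if h >= HIGH_ENTROPY:
        return "encrypted"
    return "plain"


def triage(samples: dict) -> dict:
    """Map each file name to its verdict."""
    return {name: classify(data) for name, data in samples.items()}


def build_samples() -> dict:
    """Constructed stand-ins for files recovered from a victim host."""
    plain = b"Quarterly invoice summary for ACME Ltd.\n" * 200
    encrypted = os.urandom(8192)      # stands in for ransomware ciphertext
    wiped = b"\x00" * 8192            # ERASE-style constant overwrite
    return {
        "invoice.docx": plain,
        "invoice.docx.enc": encrypted,
        "ledger.xlsx": wiped,
    }


if __name__ == "__main__":
    for name, verdict in triage(build_samples()).items():
        print(f"{name:20s} {verdict}")
```

In a real case the same loop would run over the affected share and the "wiped" bucket can be written off for decryption, which shortens the recovery conversation with the business considerably.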

Notably, ScRansom has been found on the same machines as RansomHub payloads, which is the main evidence for the affiliate hypothesis. Attaching itself to a more established brand would also let CosmicBeetle paper over the weaknesses of its own malware and improve the odds that victims pay.

Separately, the Cicada3301 ransomware group (also tracked as Repellent Scorpius) has released an updated version of its encryptor. The notable change is a new command-line argument that suppresses the ransom note, one of the most recognisable artifacts of a ransomware attack, giving the operator more control over what is left on disk. Such adjustments are typical of the ongoing effort among ransomware crews to refine their tooling and evade detection.

There is also new insight into the evolution of POORTRY (also tracked as BURNTCIGAR), a malicious driver originally used to terminate EDR processes. It has since been developed into an EDR wiper: rather than just killing processes, it deletes key files of security products from disk so that they cannot restart. Its focus on disabling Endpoint Detection and Response reflects a broader trend of threat actors undermining defensive controls before the main payload is deployed.

Taken together, the CosmicBeetle activity and the other updates described here show ransomware operators mixing borrowed tooling with incremental improvements of their own, and investing in defeating endpoint security before encryption. Organisations should treat EDR tampering as a high-priority signal and keep offline backups, since modes such as ScRansom's ERASE leave no path to recovery other than restoration.

Source Link : https://thehackernews.com/2024/09/cosmicbeetle-deploys-custom-scransom.html
