CosmicBeetle, a threat actor tracked by ESET, has begun deploying a new custom ransomware strain called ScRansom. It is being used against small and medium-sized businesses (SMBs) across a wide range of sectors, including manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, leisure, financial services, and regional government.
ScRansom replaces Scarab, the ransomware CosmicBeetle deployed previously, and is under continuous development, with new capabilities appearing across samples. ESET does not rate it as top-tier ransomware, but it is still a serious threat capable of causing substantial damage to affected organizations.
CosmicBeetle is known for its malicious toolset, Spacecolon, which has been used to deliver both Scarab and ScRansom to victims worldwide. The group has also operated under the NONAME moniker and has experimented with the leaked LockBit builder in an attempt to pass its attacks off as the work of the LockBit ransomware gang.
The origin of CosmicBeetle remains unclear. Earlier analysis suggested a Turkish connection based on a custom encryption scheme found in another of the group's tools, ScHackTool. Recent research by ESET casts doubt on that attribution: the encryption scheme in ScHackTool turns out to be lifted from a legitimate program, Disk Monitor Gadget, developed by the Turkish software firm VOVSOFT, so it says more about what the developers copied than about where they are based.
CosmicBeetle's attack chains rely on known, long-patched vulnerabilities rather than zero-days, including CVE-2017-0144 (EternalBlue, SMBv1), CVE-2020-1472 (Zerologon, Netlogon), CVE-2021-42278 and CVE-2021-42287 (the noPac Active Directory privilege-escalation pair), CVE-2022-42475 (FortiOS SSL-VPN heap overflow), and CVE-2023-27532 (Veeam Backup & Replication credential exposure). For defenders, that makes patch status on internet-facing FortiOS and Veeam servers and on domain controllers the first thing to verify. Once inside a network, CosmicBeetle uses EDR-killing tools such as Reaper, Darkside, and RealBlindingEDR to terminate or blind security products before deploying the ransomware.
ScRansom itself is written in Delphi. It uses partial encryption, encrypting only portions of each file, which shortens the encryption run and lets the malware damage a large volume of data before it is noticed. It also has an "ERASE" mode that destroys file contents outright instead of encrypting them. Files hit in ERASE mode are unrecoverable regardless of whether a ransom is paid, since there is no ciphertext left to decrypt; for the rest, recovery without the key depends entirely on the quality of the victim's backups.
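The two behaviours described above, partial encryption and a wipe-style ERASE mode, have different forensic signatures, and the partial case defeats the common "is the whole file high-entropy?" triage check. The following Python is an added example written for this article, not ScRansom code or ESET tooling. It classifies file contents by per-block Shannon entropy and contrasts that with a whole-file measurement. The sample buffers, the 4096-byte block size, the one-in-four encrypted-block ratio and the entropy thresholds are all illustrative assumptions, not ScRansom's actual format or parameters.

```python
"""Per-block entropy triage for files touched by partial-encryption or
wipe-style ransomware.  Added example for this article; the sample layout
is illustrative and is NOT ScRansom's file format or block ratio."""
import hashlib
import math
from collections import Counter

BLOCK = 4096   # analysis block size in bytes (assumption; tune per case)
HIGH = 7.5     # above this a block looks like ciphertext or compressed data
LOW = 0.5      # below this a block looks like a constant fill (wiped)


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte (0.0 for constant data, at most 8.0)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def block_entropies(data: bytes, block: int = BLOCK) -> list[float]:
    """Entropy of each full-sized block.  A short tail block is skipped:
    its entropy is capped at log2(len) and would read as spuriously low."""
    return [shannon_entropy(data[i:i + block])
            for i in range(0, len(data) - block + 1, block)]


def classify_blocks(data: bytes, block: int = BLOCK) -> str:
    """Verdict from the per-block view, which separates partial encryption
    from both plaintext and a wipe."""
    ents = block_entropies(data, block)
    if not ents:
        return "too_small"
    high = sum(e > HIGH for e in ents)
    low = sum(e < LOW for e in ents)
    if low == len(ents):
        return "erased"             # constant fill everywhere: nothing to decrypt
    if high == len(ents):
        return "fully_encrypted"    # or natively compressed: confirm with magic bytes
    if high:
        return "partially_encrypted"
    return "plaintext"


def classify_whole(data: bytes) -> str:
    """Naive single-number verdict, shown only to expose its blind spot."""
    e = shannon_entropy(data)
    if e < LOW:
        return "erased"
    if e > HIGH:
        return "fully_encrypted"
    return "plaintext"


# --- constructed samples (not real victim files) ---------------------------
def pseudo_random(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in
    for ciphertext so the example behaves identically on every run."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]


TEXT = (b"Quarterly invoice run: 412 documents exported to the shared drive "
        b"for review by the finance team before month-end close.\n")
NBLOCKS = 8
PLAINTEXT = (TEXT * (NBLOCKS * BLOCK // len(TEXT) + 1))[:NBLOCKS * BLOCK]
FULL = pseudo_random(NBLOCKS * BLOCK)
# Partial encryption, illustrative ratio: every fourth block replaced by
# ciphertext, the other three left untouched.
PARTIAL = b"".join(
    pseudo_random(BLOCK, seed=bytes([i])) if i % 4 == 0
    else PLAINTEXT[i * BLOCK:(i + 1) * BLOCK]
    for i in range(NBLOCKS))
ERASED = b"\x00" * (NBLOCKS * BLOCK)   # wipe-style: contents replaced by a constant

SAMPLES = {"plaintext": PLAINTEXT, "full": FULL, "partial": PARTIAL, "erased": ERASED}


def triage_report() -> dict[str, tuple[str, str]]:
    """name -> (per-block verdict, whole-file verdict) for every sample."""
    return {name: (classify_blocks(buf), classify_whole(buf))
            for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, (blocks, whole) in triage_report().items():
        print(f"{name:>10}: per-block={blocks:<20} whole-file={whole}")
```

The per-block view labels the partial sample as partially encrypted, while the whole-file figure for the same buffer falls below the ciphertext threshold and is reported as plaintext, which is exactly how a partially encrypted share can slip past a whole-file entropy sweep. Two caveats for real triage: natively compressed formats (archives, media, modern Office documents) are high-entropy before any attack, so confirm with magic bytes or a known-good hash before calling a file encrypted; and a wipe that fills with pseudo-random bytes rather than a constant would show up as "fully_encrypted" here, so an all-high verdict alone does not prove the data is recoverable.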
The emergence of ScRansom is a reminder that ransomware need not be sophisticated to be damaging: CosmicBeetle gets in through vulnerabilities that have had patches for years and then disables endpoint protection before encrypting. Organizations in the targeted sectors should prioritize patching the CVEs above, monitoring for EDR-tampering tools, and maintaining offline backups that survive an ERASE-mode run.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. Summitsystemsissp assumes no liability for the accuracy or consequences of using this information.