The threat actor known as CosmicBeetle has debuted a new custom ransomware strain named ScRansom in attacks targeting small- and medium-sized businesses (SMBs) in Europe, Asia, Africa, and South America, while also likely operating as an affiliate for RansomHub.
"CosmicBeetle replaced its previously deployed ransomware, Scarab, with ScRansom, which is continually improved," ESET researcher Jakub Souček stated in a new analysis released today. "While not being top notch, the threat actor is able to compromise interesting targets."
Targets of ScRansom attacks span the manufacturing, pharmaceutical, legal, education, healthcare, technology, hotel, leisure, financial services, and regional government sectors.
CosmicBeetle is known for a malicious toolkit dubbed Spacecolon that was previously observed being used to deliver the Scarab ransomware to targeted businesses worldwide.
Also known as NONAME, the adversary has a track record of experimenting with the leaked LockBit builder in an effort to pass itself off as the well-known ransomware gang in its ransom notes and leak site, going as far back as November 2023.
It's presently not known who is behind the attacks or where they are from; an early assessment suggested they may be of Turkish origin owing to the presence of a custom encryption scheme used in another piece of malware called ScHackTool. ESET, however, no longer considers that attribution to hold water.
"ScHackTool's encryption scheme is used in the legitimate Disk Monitor Gadget," Souček pointed out. "It is likely that this algorithm was adapted [from a Stack Overflow thread] by VOVSOFT [the Turkish software firm behind the tool] and, years later, CosmicBeetle stumbled upon it and used it for ScHackTool."
Attack chains have been observed making use of brute-force attacks and known security flaws (CVE-2017-0144, CVE-2020-1472, CVE-2021-42278, CVE-2021-42287, CVE-2022-42475, and CVE-2023-27532) to gain entry to target environments.
The intrusions further involve the use of various tools such as Reaper, Darkside, and RealBlindingEDR to terminate security-related processes and sidestep detection prior to deploying the Delphi-based ScRansom ransomware, which comes with support for partial encryption to speed up the process and an "ERASE" mode that renders files unrecoverable by overwriting them with a constant value.
The link to RansomHub stems from the fact that the Slovak cybersecurity firm observed ScRansom and RansomHub payloads deployed on the same system within a week of each other.
"Probably due to the obstacles that writing custom ransomware from scratch brings, CosmicBeetle attempted to leech off LockBit's reputation, possibly to mask the issues in the underlying ransomware and in turn to increase the chance that victims will pay," Souček added.
Cicada3301 Unleashes Updated Version
The development comes as threat actors associated with the Cicada3301 ransomware (aka Repellent Scorpius) have been spotted using an upgraded version of the encryptor since July 2024.
"Threat authors added a new command-line argument, --no-note," Palo Alto Networks Unit 42 claimed in a report published with The Hacker News. "When this argument is invoked, the encryptor will not write the ransom note to the system."
Another major improvement is the absence of hard-coded usernames or passwords in the binary, although it still retains the ability to run PsExec with such credentials if they are present, a tactic noted recently by Morphisec.
In an unusual twist, the cybersecurity company said it observed indicators suggesting the group possesses data collected from earlier breaches that predate its existence under the Cicada3301 moniker.
This has raised the possibility that the threat actor may have operated under a different ransomware brand, or acquired the data from other ransomware gangs. That said, Unit 42 reported it discovered some overlaps with another attack carried out by an affiliate that deployed BlackCat ransomware in March 2022.
BURNTCIGAR Becomes an EDR Wiper
The findings also reflect an evolution of a kernel-mode signed Windows driver used by numerous ransomware gangs to switch off Endpoint Detection and Response (EDR) software: it can now operate as a wiper, erasing crucial components of such solutions instead of merely terminating them.
The malware in question is POORTRY, which is delivered by way of a loader dubbed STONESTOP to conduct a Bring Your Own Vulnerable Driver (BYOVD) attack, thereby bypassing Driver Signature Enforcement protections. Its ability to "force delete" files on disk was first observed by Trend Micro in May 2023.
POORTRY, identified as far back as 2021, is also referred to as BURNTCIGAR, and has been used by many ransomware gangs, including CUBA, BlackCat, Medusa, LockBit, and RansomHub, over the years.
"Both the Stonestop executable and the Poortry driver are heavily packed and obfuscated," Sophos claimed in a recent investigation. "This loader was obfuscated by a closed-source packer named ASMGuard, available on GitHub."
POORTRY is "focused on disabling EDR products via a succession of various approaches, such as removal or modification of kernel notify procedures. The EDR killer aims at halting security-related operations and makes the EDR agent unusable by erasing essential data off disk."
The rogue drivers make use of what the company described as a "virtually limitless supply of stolen or improperly used code signing certificates" in order to evade Microsoft's Driver Signature Verification protections.
The use of an updated version of POORTRY by RansomHub is noteworthy in light of the fact that the ransomware group has also been observed deploying another EDR-killer tool called EDRKillShifter this year.
That's not all. The ransomware group has also been spotted abusing a legitimate utility from Kaspersky called TDSSKiller to disable EDR services on target machines, showing that the threat actors are combining multiple tools with similar capabilities in their operations.
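As an added example (not code from the article, ESET, Sophos, or any product named here), the following Python sketches the kind of correlation a defender could run over endpoint telemetry for the pattern described in the preceding paragraphs: a driver with an untrusted or revoked signature loading, followed shortly on the same host by deletion of files under the EDR install directory, plus execution of a dual-use utility such as TDSSKiller. The event shape, field names, host names, signer allowlist and EDR directory are constructed assumptions, not a real product's schema.

```python
"""Detection example: correlate endpoint telemetry for EDR-killer activity.

Added example, not code from the article or from any vendor named in it.
The events are constructed sample records in a simplified, Sysmon-like
shape; field names, the signer allowlist, the EDR install directory and the
host names are all assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): ws01 loads a driver with a
# revoked signature and then loses files under its EDR directory; ws02 runs a
# dual-use anti-rootkit utility; ws03 shows the EDR's own updater at work.
EVENTS = [
    {"ts": "2024-09-10T10:00:00", "host": "ws01", "kind": "driver_load",
     "image": "C:\\Windows\\System32\\drivers\\fltmgr.sys",
     "signer": "Microsoft Windows", "sig_status": "valid"},
    {"ts": "2024-09-10T10:05:12", "host": "ws01", "kind": "driver_load",
     "image": "C:\\Users\\Public\\netdrv.sys",
     "signer": "EXAMPLE-REVOKED-PUBLISHER", "sig_status": "revoked"},
    {"ts": "2024-09-10T10:05:40", "host": "ws01", "kind": "file_delete",
     "image": "C:\\Users\\Public\\loader.exe",
     "path": "C:\\Program Files\\ExampleEDR\\agent\\sensor.dll"},
    {"ts": "2024-09-10T10:06:01", "host": "ws01", "kind": "file_delete",
     "image": "C:\\Users\\Public\\loader.exe",
     "path": "C:\\Program Files\\ExampleEDR\\agent\\config.db"},
    {"ts": "2024-09-10T11:30:00", "host": "ws02", "kind": "process_create",
     "image": "C:\\Temp\\tdsskiller.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"ts": "2024-09-10T12:00:00", "host": "ws03", "kind": "file_delete",
     "image": "C:\\Program Files\\ExampleEDR\\agent\\updater.exe",
     "path": "C:\\Program Files\\ExampleEDR\\agent\\old_sensor.dll"},
]

TRUSTED_SIGNERS = {"Microsoft Windows"}        # placeholder allowlist
EDR_DIR = "C:\\Program Files\\ExampleEDR\\"    # placeholder install path
DUAL_USE_TOOLS = {"tdsskiller.exe"}            # legitimate tool abused per the article
WINDOW = timedelta(minutes=10)                 # correlation window


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def untrusted_driver_loads(events):
    """Driver loads whose signature is not valid or whose signer is not allowlisted."""
    return [e for e in events if e["kind"] == "driver_load"
            and (e["sig_status"] != "valid" or e["signer"] not in TRUSTED_SIGNERS)]


def edr_file_deletions(events):
    """Deletions inside the EDR directory by a process that does not live there
    (the agent's own updater removing its old files is expected behaviour)."""
    return [e for e in events if e["kind"] == "file_delete"
            and e["path"].lower().startswith(EDR_DIR.lower())
            and not e["image"].lower().startswith(EDR_DIR.lower())]


def correlate(events):
    """Build alerts. An untrusted driver load followed within WINDOW by EDR file
    deletion on the same host is rated high (BYOVD followed by a wipe); a lone
    untrusted driver load, or execution of a dual-use tool, is rated medium."""
    alerts = []
    deletions = edr_file_deletions(events)
    for load in untrusted_driver_loads(events):
        related = [d for d in deletions if d["host"] == load["host"]
                   and timedelta(0) <= _ts(d) - _ts(load) <= WINDOW]
        if related:
            alerts.append({"host": load["host"], "severity": "high",
                           "rule": "untrusted_driver_then_edr_file_wipe",
                           "driver": load["image"],
                           "deleted": [d["path"] for d in related]})
        else:
            alerts.append({"host": load["host"], "severity": "medium",
                           "rule": "untrusted_driver_load",
                           "driver": load["image"]})
    for e in events:
        if e["kind"] == "process_create" and _basename(e["image"]) in DUAL_USE_TOOLS:
            alerts.append({"host": e["host"], "severity": "medium",
                           "rule": "dual_use_edr_tool_execution",
                           "image": e["image"], "parent": e["parent"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Run against the constructed events, this yields a high-severity alert for ws01 (revoked-signature driver load followed by two deletions in the EDR directory) and a medium alert for ws02 (TDSSKiller launched from a shell); the ws03 deletion is suppressed because the deleting process is the EDR's own updater. In production the allowlist would come from the signers you actually trust, the EDR path from your deployment, and the window from how quickly your telemetry arrives.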
"It's important to recognize that threat actors have been consistently experimenting with different methods to disable EDR products — a trend we've been observing since at least 2022," Sophos told The Hacker News. "This experimentation can involve various tactics, such as exploiting vulnerable drivers or using certificates that have been unintentionally leaked or obtained through illegal means."
"While it might seem like there's a significant increase in these activities, it's more accurate to say that this is part of an ongoing process rather than a sudden rise."
"The usage of multiple EDR-killer software, such as EDRKillShifter by entities like RansomHub, presumably reflects this continuing experimentation. It's also conceivable that multiple affiliates are participating, which may explain the employment of varying tactics, but without precise evidence, we wouldn't want to speculate too much on that subject."