CosmicBeetle exploits years-old vulnerabilities to attack small and medium-sized businesses
Researchers at ESET, a global European leader in the cybersecurity market, have mapped the recent activities of the CosmicBeetle threat group, documenting its use of the new ScRansom ransomware and revealing links to other established ransomware groups. CosmicBeetle deploys ransomware against small and medium-sized businesses (SMEs), mainly in Europe and Asia.
ESET Research observed that the threat actor used the publicly leaked LockBit builder and attempted to trade on that ransomware's reputation. In addition to LockBit, ESET believes CosmicBeetle is likely a new affiliate of the ransomware-as-a-service actor RansomHub, a new ransomware group active since March 2024 whose activity is growing rapidly.
“Possibly due to the difficulties involved in writing custom ransomware from scratch, CosmicBeetle sought to exploit LockBit's reputation, perhaps to mask problems in the underlying ransomware and thus increase the likelihood that victims will be willing to pay,” says Jakub Souček, the ESET researcher who analyzed CosmicBeetle's latest activities. “Additionally, we recently observed the deployment of ScRansom and RansomHub payloads on the same machine a week apart. The execution of RansomHub was unusual compared to the typical cases we have observed in ESET telemetry, but very similar to CosmicBeetle's modus operandi. Since there are no public data leaks related to RansomHub, we believe with some confidence that CosmicBeetle may be a recent affiliate,” adds Souček.
CosmicBeetle often uses brute-force techniques to break into its targets, and it also exploits various known vulnerabilities. Small and medium-sized businesses across industries around the world are the most common victims of this threat actor, as this is the segment most likely to run vulnerable software or to lack robust patch management processes.
ESET Research has observed attacks against SMEs in the following industries: manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, financial services and regional governments.
Besides encrypting data, ScRansom can also terminate various processes and services on the infected machine. ScRansom is not a very sophisticated ransomware, but CosmicBeetle has still been able to compromise interesting targets and cause significant damage. That damage stems largely from CosmicBeetle's immaturity as a ransomware actor and from several issues in how ScRansom is deployed. Victims affected by ScRansom who decide to pay should act with caution.
ESET Research managed to obtain a decryptor implemented by CosmicBeetle for its recent encryption scheme. ScRansom is in continuous development, which further complicates recovery. Encryption and decryption are complex and error-prone processes, making it difficult to guarantee complete file recovery. Successful decryption depends on the decryptor working properly and on CosmicBeetle providing all the necessary keys, and even then some files may be permanently destroyed. Even in the best case, decryption is time-consuming and complicated.
CosmicBeetle, active since at least 2020, is the name given by ESET Research to a cybercriminal group discovered in 2023. The group is best known for using a set of custom tools developed in Delphi, called Spacecolon, which includes ScHackTool, ScInstaller, ScService and ScPatcher. For more technical information on CosmicBeetle's latest activity, see the blog post “CosmicBeetle steps up: Probation period at RansomHub” on WeLiveSecurity.com. Follow ESET Research on Twitter (now known as X) for the latest news from ESET Research.