
CosmicBeetle Teams up with RansomHub to Deploy Custom ScRansom Ransomware

The threat actor known as CosmicBeetle has introduced a new custom ransomware strain named ScRansom in attacks aimed at small- and medium-sized businesses (SMBs) in Europe, Asia, Africa, and South America, potentially working as an affiliate for RansomHub.

“CosmicBeetle has replaced its previous ransomware, Scarab, with ScRansom, which is continuously being enhanced,” ESET researcher Jakub Souček stated in a recent analysis. “Although not top-notch, the threat actor manages to compromise interesting targets.”

The sectors targeted by ScRansom attacks include manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, leisure, financial services, and regional government.

CosmicBeetle is most notably associated with a malicious toolset called Spacecolon previously used to distribute Scarab ransomware across organizations worldwide.

Also known as NONAME, the actor has experimented with the leaked LockBit builder to impersonate the infamous ransomware gang in ransom notes and leak sites since November 2023.

The attackers’ identity and origin remain unclear, with a previous theory suggesting Turkish origins due to a custom encryption scheme in a tool named ScHackTool. ESET, however, believes this attribution no longer holds validity.

“ScHackTool’s encryption scheme is used in the legitimate Disk Monitor Gadget,” Souček mentioned. “It is likely that this algorithm was adapted [from a Stack Overflow thread] by VOVSOFT [the Turkish software firm behind the tool], and later used by CosmicBeetle for ScHackTool.”

ScRansom intrusions utilize brute-force attacks and known security vulnerabilities (CVE-2017-0144, CVE-2020-1472, CVE-2021-42278, CVE-2021-42287, CVE-2022-42475, and CVE-2023-27532) to infiltrate target systems.

The attackers use tools like Reaper, Darkside, and RealBlindingEDR to disable security processes before deploying the Delphi-based ScRansom ransomware, which includes partial encryption to expedite the process and an “ERASE” mode to make files unrecoverable by overwriting them.

The link to RansomHub is evident as the Slovak security company observed the deployment of ScRansom and RansomHub payloads on the same machine within a week.

“Possibly due to the challenges of developing custom ransomware, CosmicBeetle tried to leverage LockBit’s reputation to improve payment chances,” Souček remarked.

Cicada3301 Introduces Updated Version

The disclosure coincides with the appearance of a new version of the Cicada3301 ransomware (also known as Repellent Scorpius) with enhanced capabilities since July 2024.

“Threat actors added a new command-line argument, `--no-note`,” Palo Alto Networks Unit 42 reported. “When invoked, the encryptor will not write the ransom note to the system.”

Another significant change is that credentials are no longer hardcoded in the binary, although the encryptor can still execute PsExec with credentials if they are supplied, a method recently highlighted by Morphisec.

The report also suggests the group may possess data from previous compromise incidents prior to adopting the Cicada3301 brand, hinting at potential past operations under a different ransomware brand.

Additionally, some overlaps were identified with another attack deploying BlackCat ransomware in March 2022.

BURNTCIGAR Transforms into an EDR Wiper

The discoveries follow the evolution of a signed Windows driver used by multiple ransomware groups to disable Endpoint Detection and Response (EDR) solutions and act as a wiper by deleting critical EDR components.

The malware in question, POORTRY, delivered via a loader named STONESTOP, orchestrates a BYOVD attack to bypass Driver Signature Enforcement safeguards. Its capability to forcibly delete files on disk was first detected by Trend Micro in May 2023.

POORTRY, also known as BURNTCIGAR, has been utilized by several ransomware groups like CUBA, BlackCat, Medusa, LockBit, and RansomHub.

“Both the Stonestop executable and the Poortry driver are heavily packed and obfuscated,” Sophos noted. “This loader was obfuscated by a closed-source packer named ASMGuard, available on GitHub.”

POORTRY focuses on disabling EDR products through various techniques, such as modifying kernel notify routines. The EDR killer aims to halt security processes and render EDR agents ineffective by wiping critical files off disk.

The use of an enhanced version of POORTRY by RansomHub is significant, considering the ransomware group’s utilization of another EDR killer tool called EDRKillShifter this year.

“Threat actors consistently experiment with methods to disable EDR products, a trend observed since at least 2022,” Sophos pointed out. “These activities involve various tactics, like exploiting vulnerable drivers or using leaked certificates.”

“The use of different EDR-killer tools, such as EDRKillShifter by groups like RansomHub, reflects ongoing experimentation. Different affiliates may be involved, explaining the use of varied methods, though without specific details, it’s speculative.”

“These actions are part of a continuous process rather than a sudden surge.”
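As an added example (not code from the article or from the vendors it cites), a small Python triage over constructed Sysmon Event ID 6 (DriverLoad) records that flags the two patterns Sophos describes: a driver loaded from outside the system driver directory, as a BYOVD loader would drop it, and a driver whose signature is missing or no longer valid, as with a leaked or revoked certificate. The field names follow Sysmon's DriverLoad event; every path, signer name and timestamp in the sample is invented.

```python
import re

SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed Sysmon Event ID 6 (DriverLoad) records, flattened to one line each.
# Paths, signer names and timestamps are invented for this example.
SAMPLE_EVENTS = [
    r"UtcTime=2024-09-01 10:00:01 ImageLoaded=C:\Windows\System32\drivers\ndis.sys "
    r"Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    r"UtcTime=2024-09-01 10:02:13 ImageLoaded=C:\Users\Public\Temp\drv.sys "
    r"Signed=true Signature=Example Vendor Ltd SignatureStatus=Valid",
    r"UtcTime=2024-09-01 10:02:20 ImageLoaded=C:\Windows\Temp\tool.sys "
    r"Signed=true Signature=Old Cert Co SignatureStatus=Revoked",
    r"UtcTime=2024-09-01 10:05:00 ImageLoaded=C:\ProgramData\x.sys "
    r"Signed=false Signature=- SignatureStatus=Unavailable",
]

def parse_event(line):
    # Values may contain spaces, so split only in front of the next "Key=" token.
    fields = {}
    for chunk in re.split(r"\s+(?=\w+=)", line.strip()):
        key, _, value = chunk.partition("=")
        fields[key] = value
    return fields

def classify(event):
    # Reasons this driver load deserves a look; an empty list means nothing odd.
    reasons = []
    if not event.get("ImageLoaded", "").lower().startswith(SYSTEM_DRIVER_DIR):
        reasons.append("driver_outside_system_dir")  # dropped to disk by a loader
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned")  # Driver Signature Enforcement should block this
    elif event.get("SignatureStatus") != "Valid":
        reasons.append("signature_not_valid")  # revoked or otherwise untrusted cert
    return reasons

def triage_driver_loads(lines):
    # Keep only the records that classify() flags, with the fields an analyst needs.
    findings = []
    for event in map(parse_event, lines):
        reasons = classify(event)
        if reasons:
            findings.append({"time": event.get("UtcTime"), "image": event.get("ImageLoaded"),
                             "signer": event.get("Signature"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage_driver_loads(SAMPLE_EVENTS):
        print(f["time"], f["image"], f["signer"], ", ".join(f["reasons"]))
```

A legitimately signed driver loaded from a non-standard path still surfaces here, which is deliberate: the signer and path together are what an analyst compares against the vendor's expected install location and Microsoft's vulnerable driver blocklist.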
