CosmicBeetle [1] [2] [3] [4] [5] [6] [7] [8] [9], also known as Spacecolon [2] [4], a cybercriminal group [3], has recently launched a new ransomware strain called ScRansom [1] [5] [6] [9], targeting small and medium-sized businesses (SMBs) in Europe [1] [3] [7], Asia [1] [2] [3] [4] [5] [6] [7] [8] [9], Africa [1] [3] [5] [6] [8] [9], and South America [1] [3] [5] [6] [8] [9].
Description
The threat actor [2] [5] [6] [7] [8] [9], believed to be affiliated with RansomHub [4] [7], a ransomware-as-a-service actor [7], has a history of using Spacecolon to distribute Scarab ransomware globally [6]. CosmicBeetle has also experimented with LockBit and developed a tool called ScHackTool, with an encryption scheme similar to Disk Monitor Gadget [6] [8]. The group’s attack chains involve brute-force attacks and exploits like CVE-2017-0144 [6] [8], CVE-2020-1472 [3] [6] [8] [9], CVE-2021-42278 [3] [6] [8] [9], CVE-2021-42287 [3] [6] [8] [9], CVE-2022-42475 [3] [6] [8] [9], and CVE-2023-27532 [6] [8] [9]. To evade detection [6] [8] [9], CosmicBeetle utilizes tools like Reaper, Darkside [3] [6] [8] [9], and RealBlindingEDR before deploying Delphi-based ScRansom, which has an “ERASE” mode that makes files unrecoverable [9].

Victims of CosmicBeetle have faced challenges in recovering their files even after paying the ransom [4], indicating the group’s lack of experience in ransomware operations [4]. CosmicBeetle has been observed targeting various verticals such as manufacturing, pharmaceuticals [3] [7], legal [3] [7], education [3] [7], healthcare [7], technology [3] [7], hospitality and leisure [7], financial services [7], and regional government [3] [7]. The group’s encryption scheme is constantly evolving, making successful decryption uncertain and potentially leading to permanent file loss [7].

CosmicBeetle has been actively deploying ScRansom ransomware to SMBs in Europe and Asia [2], replacing its previous Scarab ransomware [2] [5]. There are connections between CosmicBeetle and RansomHub [2], a new ransomware gang active since March 2024 [2]. ScRansom is not sophisticated [2], but victims should be cautious when paying, as some files may be permanently lost [2]. CosmicBeetle’s custom collection of Delphi tools [2] [7], known as Spacecolon [2] [4], includes ScHackTool [2] [4] [7] [9], ScInstaller [2] [7], ScService [2] [7], and ScPatcher [2] [7].
Recommendations include implementing robust security protocols [1], engaging in threat intelligence sharing [1], and conducting regular security assessments to enhance cybersecurity measures [1].
Conclusion
Victims of CosmicBeetle’s ScRansom ransomware face challenges in recovering their files [4], even after paying the ransom [4]. It is crucial for SMBs to implement robust security protocols, engage in threat intelligence sharing [1], and conduct regular security assessments to mitigate the risks posed by CosmicBeetle and similar cybercriminal groups in the future.
References
[1] https://www.krofeksecurity.com/how-cosmicbeetles-custom-scransom-ransomware-collaboration-with-ransomhub-is-taking-the-cybersecurity-world-by-storm/
[2] https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/
[3] https://blogs.masterhacks.net/noticias/hacking-y-ciberdelitos/cosmicbeetle-despliega-el-ransomware-scransom-personalizado-en-asociacion-con-ransomhub/
[4] https://www.scmagazine.com/news/report-cosmicbeetle-ransomware-gang-may-have-joined-ransomhub
[5] https://zephyrnet.com/cosmicbeetle-deploys-custom-scransom-ransomware-partnering-with-ransomhub/
[6] https://thehackernews.com/2024/09/cosmicbeetle-deploys-custom-scransom.html
[7] https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-cosmicbeetle-group-joins-forces-with-other-ransomware-gangs-targets-businesses-in-europe-and-asia-1/
[8] https://vulners.com/thn/THN:7B50EDFF5C8CBE83C54A2BF5FFD0C0A4
[9] https://patabook.com/technology/2024/09/10/cosmicbeetle-deploys-custom-scransom-ransomware-partnering-with-ransomhub/