The Rise of CosmicBeetle: Uncovering the ScRansom Ransomware
ESET researchers have recently delved into the activities of the CosmicBeetle threat actor, shedding light on its latest endeavors involving the ScRansom ransomware. This new strain of ransomware has been actively targeting Small and Medium Businesses (SMBs) across the globe, showcasing the threat actor’s ability to compromise interesting targets.
CosmicBeetle made a significant shift from its previous ransomware, Scarab, to the evolving ScRansom, which continues to undergo refinements. Interestingly, the threat actor has been seen utilizing the leaked LockBit builder, trying to capitalize on LockBit’s notoriety by mimicking the ransomware gang in ransom notes and on leak sites.
Moreover, the researchers assess with medium confidence that there is a connection between CosmicBeetle and the relatively new RansomHub gang, which has been gaining traction since March 2024 and has shown a considerable uptick in activity.
Insights into CosmicBeetle’s Evolution
Throughout the past year, CosmicBeetle has been actively deploying its custom ransomware, ScRansom, steadily improving its capabilities along the way. A detailed analysis of ScRansom reveals that some encrypted files may be irrecoverable, emphasizing the importance of caution for victims considering payments.
The blog post also explores CosmicBeetle’s attempt to use the LockBit brand to enhance its reputation and credibility in the eyes of victims. By imitating LockBit’s leak site and ransom note styles, CosmicBeetle aims to increase its chances of receiving ransom payments.
Uncovering ScRansom’s Encryption Methods
By delving into the technical aspects of ScRansom, researchers uncovered a complex encryption scheme employed by the ransomware. The evolution of the encryption logic and features of ScRansom has been a point of focus for CosmicBeetle, indicating ongoing development efforts.
Decryption of ScRansom-encrypted files entails a cumbersome process, requiring victims to gather multiple Decryption IDs and ProtectionKeys. However, even with the necessary keys provided by CosmicBeetle, some files may have been permanently lost due to the ERASE encryption mode employed by the threat actor.
CosmicBeetle’s Affiliation with RansomHub
Recent observations point towards a potential relationship between CosmicBeetle and the RansomHub gang. The unusual deployment of RansomHub payloads alongside CosmicBeetle’s activities further supports this hypothesis. Confidence remains at a medium level because no public leaks of RansomHub code exist that would offer an alternative explanation.
Overall, the evolving tactics and associations of CosmicBeetle shed light on the ever-changing landscape of ransomware threats, emphasizing the need for robust cybersecurity measures to combat such malicious actors.
For more detailed insights and inquiries about this research, feel free to reach out to threatintel@eset.com.
IoCs:
- Refer to the attached list of IoCs for further information on files, network data, ransom note fragments, email addresses, Tox IDs, Tor links, and MITRE ATT&CK techniques.
Conclusion
As the CosmicBeetle threat actor continues to evolve and adapt its ransomware tactics, cybersecurity researchers remain vigilant in tracking its activities. The intricate details of ScRansom’s encryption methods and the potential affiliations with other ransomware gangs underline the complex and dynamic nature of the cybersecurity landscape.