Ransomware attacks have been on the rise globally, with threat actors constantly evolving and customizing their malware to target specific industries and regions. The latest player in this dangerous game is CosmicBeetle, who has unleashed a new strain of ransomware known as ScRansom. This new malware variant has been deployed in attacks against small- and medium-sized businesses in Europe, Asia, Africa, and South America, with CosmicBeetle possibly operating as an affiliate for RansomHub.
According to ESET researcher Jakub Souček, CosmicBeetle has upgraded from their previous ransomware, Scarab, to the more sophisticated ScRansom, enabling them to compromise a range of high-profile targets across industries such as manufacturing, pharmaceuticals, legal, education, healthcare, and more.
The modus operandi of CosmicBeetle also includes using tools such as Reaper, Darkside, and RealBlindingEDR to bypass security measures before deploying the Delphi-based ScRansom ransomware. This ransomware variant offers speedier partial encryption and an “ERASE” mode that overwrites files, rendering them irrecoverable.
While the origins of CosmicBeetle remain unclear, previous hypotheses pegged them as having Turkish roots due to the encryption scheme used in their ScHackTool. However, recent findings suggest a more complex attribution that links CosmicBeetle to a broader cybercriminal network.
On a separate front, Cicada3301 ransomware operators have unleashed an updated version of their encryptor, which now includes a new command-line argument for omitting ransom notes from infected systems. This move marks a shift in tactics for the group, indicating a continuous evolution in their malware strategies.
Cicada3301 Unleashes Updated Version
The Cicada3301 ransomware group has been observed using an updated version of their malware since July 2024, making adjustments intended to enhance their attack capabilities. Notable changes in the new version include the ability to skip writing ransom notes to the system and a stealthier approach to evading detection.
Furthermore, the group’s association with older compromise incidents raises questions about their previous activities under different aliases and their potential ties to other ransomware groups. The evolving tactics of Cicada3301 underscore the dynamic nature of cyber threats and the need for constant vigilance in cybersecurity practices.
BURNTCIGAR Becomes an EDR Wiper
Another concerning development on the ransomware front involves the transformation of BURNTCIGAR, a kernel-mode signed Windows driver used by multiple ransomware gangs, into an Endpoint Detection and Response (EDR) wiper. Designed to disable EDR software by wiping critical components, BURNTCIGAR poses a significant threat to organizations relying on these security solutions.
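Because BURNTCIGAR is a validly signed kernel driver, a defender cannot rely on signature status alone; the signer, the load path and known-bad hashes all have to be considered. The following is an added example, not code from the article or from any of the vendors it cites, that triages constructed Sysmon Event ID 6 (DriverLoad) records on those three criteria. The field names (ImageLoaded, Signed, Signature, SignatureStatus, Hashes) are Sysmon's own; the log layout, the trusted-signer list and the hash placeholder are assumptions to be replaced with your own telemetry and threat intelligence.

```python
"""Flag kernel driver loads that deserve review, from Sysmon DriverLoad records.

Added example (not from the original article). The records below are
constructed for illustration; field names follow Sysmon Event ID 6.
"""
from pathlib import PureWindowsPath

# Signers the organisation normally expects for kernel drivers.
# Assumption: tune this to your own fleet; anything else gets reviewed.
TRUSTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Known-bad driver hashes from your threat intel go here. Placeholder only.
BLOCKED_SHA256 = {"<sha256 of a known edr-killer driver, from your threat intel>"}

# Where legitimately installed drivers are expected to live.
EXPECTED_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")

# Constructed sample records in a simplified 'Key: value|Key: value' layout.
SAMPLE_RECORDS = [
    # A normal Microsoft driver load.
    r"ImageLoaded: C:\Windows\System32\drivers\tcpip.sys|Signed: true"
    r"|Signature: Microsoft Windows|SignatureStatus: Valid"
    r"|Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000001",
    # A validly signed third-party driver loaded from a user-writable path.
    r"ImageLoaded: C:\Users\Public\drv\helper.sys|Signed: true"
    r"|Signature: Example Hardware Co|SignatureStatus: Valid"
    r"|Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000002",
    # An unsigned driver loaded from a temp directory.
    r"ImageLoaded: C:\Windows\Temp\x.sys|Signed: false"
    r"|Signature: -|SignatureStatus: Unavailable"
    r"|Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000003",
]


def parse_record(line):
    """Parse one 'Key: value|Key: value' record (constructed format) into a dict."""
    return dict(part.split(": ", 1) for part in line.split("|"))


def assess(record):
    """Return the reasons a DriverLoad record deserves review (empty list = benign)."""
    reasons = []
    hashes = dict(
        kv.split("=", 1) for kv in record.get("Hashes", "").split(",") if "=" in kv
    )
    if hashes.get("SHA256", "").lower() in BLOCKED_SHA256:
        reasons.append("blocked hash")
    # A signed driver is not automatically trusted: check who signed it.
    if record.get("Signed") != "true" or record.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    elif record.get("Signature") not in TRUSTED_SIGNERS:
        reasons.append("valid signature from untrusted signer")
    # PureWindowsPath compares case-insensitively, as Windows does.
    if PureWindowsPath(record.get("ImageLoaded", "")).parent != EXPECTED_DRIVER_DIR:
        reasons.append("loaded from unexpected path")
    return reasons


def triage(lines):
    """Map each flagged driver path to the list of reasons it was flagged."""
    flagged = {}
    for line in lines:
        record = parse_record(line)
        reasons = assess(record)
        if reasons:
            flagged[record["ImageLoaded"]] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(reasons)}")
```

The check deliberately treats "signed" and "trusted" as different questions, which is the point the BURNTCIGAR case makes: a driver can carry a valid signature and still be an EDR killer, so the signer allowlist and the load path do most of the work, with the hash blocklist catching samples already known to your intelligence feeds.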
The evolving landscape of ransomware attacks underscores the importance of robust cybersecurity measures and proactive defense strategies to mitigate the risk of falling victim to these malicious actors. Stay informed, stay vigilant, and safeguard your systems against the ever-changing threat of ransomware.