fbpx
Techitup Middle East
B2B TechnologyCybersecurity

CosmicBeetle Group Targets Businesses in Europe and Asia

ESET researchers have mapped the recent activities of the CosmicBeetle threat group, documenting its new ScRansom ransomware being deployed and discovering connections to other well-established ransomware gangs. CosmicBeetle has been spreading ransomware to small and medium businesses (SMBs), mainly in Europe and Asia.

ESET Research has observed the threat actor using the leaked LockBit builder and trying to leverage LockBit’s ransomware reputation. Besides LockBit, ESET believes that CosmicBeetle is probably a new affiliate of ransomware-as-a-service actor RansomHub, a new ransomware gang active since March 2024 with rapidly increasing activity.

Advertisement

CosmicBeetle often uses brute-force methods to breach its targets. Besides that, it misuses various known vulnerabilities. Small and medium-sized businesses from all sorts of verticals all over the world are the most common victims of this threat actor because that is the segment most likely to use the affected software, or lack robust patch management processes in place. ESET Research has observed attacks on SMBs in the following verticals: manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality leisure, financial services, and regional government.

Besides encrypting, ScRansom can also kill various processes and services on the affected machine. ScRansom is not a very sophisticated piece of ransomware, though CosmicBeetle has been able to compromise interesting targets and cause great harm to them. This is mostly because CosmicBeetle is an immature actor in the ransomware world, and problems plague the deployment of ScRansom. Victims affected by ScRansom, who decide to pay, should be cautious.

ESET Research was able to obtain a decryptor implemented by CosmicBeetle for its recent encryption scheme. ScRansom is undergoing constant development, which is never a good sign for ransomware. The overcomplexity of the encryption (and decryption) process is prone to errors, making restoration of all files doubtful. Successful decryption relies on the decryptor working properly and on CosmicBeetle providing all the necessary keys, and even in that case, some files may be destroyed permanently by the threat actor. Even in the best-case scenario, decryption is long and complicated.

CosmicBeetle, active since at least 2020, is the name ESET researchers assigned to a threat actor discovered in 2023. This threat actor is most known for the usage of its custom collection of Delphi tools, commonly called Spacecolon, consisting of ScHackTool, ScInstaller, ScService, and ScPatcher.

For more technical information about the latest activity of CosmicBeetle, check out the blogpost.

Related posts

Kingston: Elevate Business Performance with Data Center SSDs

Editor

Trellix Releases ‘Mind of the CISO: Behind the Breach’ Report

Editor

ServiceNow, Boomi to Elevate Customer Experiences with AI

Editor

Leave a Comment