
ESET research shows small-time ransomware gang CosmicBeetle leveling up

CosmicBeetle may be a two-bit player in the ransomware scene, but now it’s developing its own malware and allying with larger gangs.

Everyone’s gotta get started somewhere—and the same goes for making one’s bones as a small-time ransomware gang.

New research from European cybersecurity firm ESET sheds light on CosmicBeetle, a threat actor targeting small and midsize businesses (SMBs) with custom ransomware.

CosmicBeetle has been active since 2020, according to ESET researchers, but since 2023 has targeted European and Asian SMBs with its ScRansom malware. The report described CosmicBeetle as “an immature actor in the ransomware world,” and ScRansom as “not very sophisticated,” but warned that it compensates for the flaws in its approach by impersonating more intimidating gangs like LockBit.

ESET Head of Public Relations Jessica Beffa told IT Brew via email that CosmicBeetle used to deploy an easily detected, static ransomware variant named Scarab. Now it’s in “complete control of ScRansom and its source code,” Beffa wrote.

“With ScRansom, we see CosmicBeetle continually modify even the core of the ransomware, including changing [the] encryption scheme,” Beffa added. “It does not make ScRansom more dangerous directly, though it definitely gives CosmicBeetle more options.”

According to the report, CosmicBeetle has generally left its own name out of ransom notes, sometimes instead stealing LockBit branding—capitalizing on the latter gang’s notoriety, but perhaps also to distract from ScRansom’s decryption being “quite (unnecessarily) complex” and prone to failure.

If a victim hit with ScRansom wants to recover their files, they not only need to recover “all Decryption IDs from all the machines where ScRansom was executed,” but pay CosmicBeetle’s ransom for a “ProtectionKey” matching each one. Then they need to manually run the decryptor on every affected machine using those keys.

ESET researchers noted this process is occasionally made even more headache-inducing when ScRansom runs multiple times on the same machine. (One possible cause: Depending on the version, ScRansom’s janky execution process requires either direct access to or simulation of the victim’s screen and mouse.) When this occurs, different disks are encrypted across sequential runs, creating even more decryption IDs.


One victim the researchers spoke with recovered 31 decryption IDs and received matching keys from CosmicBeetle. They still couldn’t recover their files.

“Assuming the encrypted files were not tampered with, this may be the result of missing some decryption IDs, CosmicBeetle not providing all of the required ProtectionKeys, or ScRansom destroying some files permanently by using the ERASE encryption mode,” the report stated, calling the approach “typical” of less sophisticated cybercriminals.

CosmicBeetle does appear to have leveled up in the cybercriminal world, as ESET researchers discovered evidence it had used an endpoint detection and response killer developed by a more established group, RansomHub. That tool hasn’t been leaked, as far as anyone knows, leading ESET to conclude with “medium confidence” that CosmicBeetle is now one of RansomHub’s affiliates.

“Seasoned, well-established gangs tend to keep their code base stable, knowing well that unsuccessful decryption or permanent damage to victims’ infrastructure will eventually be their doom, as no victim will be willing to pay,” according to Beffa. “They also typically operate as RaaS [ransomware-as-a-service] and rely on Initial Access Brokers to compromise high-profile targets.”

“Immature gangs, typically not operating as RaaS, usually choose smaller targets,” Beffa wrote, noting attacks from such gangs can often be “devastating” due to the lack of “support” and flaws like bugs or over-complicated encryption processes. While threat actors actively develop core payloads, she added, a common side effect is “a ton of issues with both encryption and decryption.”

Beffa advises ransomware victims to watch out for signs a gang is impersonating another, like dissimilar ransom notes, different file extensions, or instructions to contact the attackers via chat software like Tox rather than the method on the supposed gang’s official site.

“Is this the seasoned gang that has bulletproof encryption and it is known their decryptors work?” Beffa asked. “Or is it one that has a known flaw that incident response may leverage? Or is it some cheap imposter nobody knows about?”
