A threat actor known as CosmicBeetle has unveiled a new custom ransomware strain called ScRansom in attacks targeting small and medium-sized businesses (SMBs) in Europe, Asia, Africa, and South America, and may also be operating as an affiliate of RansomHub.
“CosmicBeetle has replaced its previously deployed ransomware, Scarab, with ScRansom, which is being continuously improved,” ESET researcher Jakub Souček wrote in a new analysis published today. “While not at the highest level, this threat actor is able to compromise interesting targets.”
ScRansom attacks have targeted the manufacturing, pharmaceutical, legal, education, healthcare, technology, hospitality, leisure, financial services and local government sectors.
CosmicBeetle is best known for its malicious toolset called Spacecolon, which has previously been observed being used to deliver Scarab ransomware to victim organizations around the world.
The attackers, also known as NONAME, have a history of using leaked LockBit builders to impersonate the notorious ransomware gang in ransom notes and on leak sites, going back as far as November 2023.
It is not clear at this time who is behind the attacks or where they originate. An earlier hypothesis, based on the use of a custom encryption method in another tool called ScHackTool, placed the group in Turkey, but ESET no longer considers this plausible.
“ScHackTool’s encryption method is used by the legitimate Disk Monitor Gadget,” Souček points out. “The algorithm was likely adopted (from a Stack Overflow thread) by VOVSOFT (the Turkish software company behind the tool), and then CosmicBeetle stumbled upon it and used it for ScHackTool a few years later.”
Attack chains have been observed using brute-force attacks and exploiting known security flaws (CVE-2017-0144, CVE-2020-1472, CVE-2021-42278, CVE-2021-42287, CVE-2022-42475, CVE-2023-27532) to gain entry into targeted environments.
The intrusions also use tools such as Reaper, Darkside, and RealBlindingEDR to terminate security-related processes and evade detection before deploying the Delphi-based ScRansom ransomware, which supports partial encryption to speed up the process and an “ERASE” mode that overwrites files with a constant value to make them unrecoverable.
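As a defender's triage aid, here is an added Python example (not ESET's or the article's code) that sorts recovered file contents into the buckets an analyst would expect after the ScRansom behaviour described above: a constant-byte fill consistent with ERASE mode, uniformly high entropy (fully encrypted), mixed entropy (partial encryption), or plain data. The 4096-byte window, the 7.0 bits/byte threshold, the zero fill and the file names are all constructed assumptions; the actual constant value and block size ScRansom uses are not stated in the article.

```python
import math
import random
from collections import Counter

CHUNK = 4096          # analysis window; an assumption, not ScRansom's actual block size
HIGH_ENTROPY = 7.0    # bits/byte; random or well-encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, chunk: int = CHUNK, high: float = HIGH_ENTROPY) -> str:
    """Sort a file body into a triage bucket:
    'erased'    - every byte identical (constant-value overwrite, unrecoverable)
    'encrypted' - every chunk is high entropy (whole file encrypted)
    'partial'   - only some chunks are high entropy (partial encryption)
    'plain'     - no high-entropy chunks (likely untouched)
    """
    if not data:
        return "empty"
    if len(set(data)) == 1:
        return "erased"
    scores = [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]
    hot = sum(1 for s in scores if s >= high)
    if hot == len(scores):
        return "encrypted"
    if hot:
        return "partial"
    return "plain"


def build_samples() -> dict:
    """Constructed sample files for demonstration; not real ransomware artefacts."""
    rng = random.Random(7)                      # seeded so results are reproducible
    text = (b"Quarterly invoice summary for the manufacturing unit.\n" * 200)[:8192]
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        "report.docx": text,
        "report.docx.locked": noise + bytes(rng.getrandbits(8) for _ in range(4096)),
        "ledger.xlsx.locked": noise + text[4096:],   # first block encrypted, rest intact
        "backup.vhd": b"\x00" * 8192,                # constant fill; assumed ERASE-style pattern
    }


def triage(files: dict) -> dict:
    """Map each filename to its triage bucket."""
    return {name: classify(body) for name, body in files.items()}


if __name__ == "__main__":
    for name, bucket in triage(build_samples()).items():
        print(f"{bucket:10} {name}")
```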
The connection to RansomHub stems from the fact that the Slovak cybersecurity firm observed ScRansom and RansomHub payloads deployed on the same machine within a week of each other.
“Probably due to the obstacles of creating custom ransomware from scratch, CosmicBeetle tried to exploit LockBit’s reputation, possibly to hide the underlying ransomware issues and increase the likelihood that victims would pay up,” Souček said.
Cicada3301 releases an updated version
The revelation comes as threat actors associated with the Cicada3301 ransomware (aka Repellent Scorpius) have been observed using an updated version of the encryptor since July 2024.
“The threat authors added a new command line argument, --no-note,” Palo Alto Networks Unit 42 said in a report shared with The Hacker News. “When invoked, this argument tells the encryptor not to write a ransom note to the system.”
Another notable change is the absence of hardcoded usernames or passwords within the binary, although it retains the ability to run PsExec with these credentials if they are present, a technique recently highlighted by Morphisec.
Interestingly, the cybersecurity vendor said it had observed indications that the group possesses data obtained from older breaches that predate the group’s operation under the Cicada3301 brand.
This raises the possibility that the threat actor previously operated under a different ransomware brand or purchased data from other ransomware groups. Unit 42 also noted overlaps with another attack, carried out in March 2022 by an affiliate that deployed BlackCat ransomware.
BURNTCIGAR becomes EDR wiper
The discovery also follows the evolution of signed kernel-mode Windows drivers used by several ransomware gangs to disable endpoint detection and response (EDR) software: the drivers can now act as wipers that delete critical components of these products rather than merely terminating their processes.
The malware in question is POORTRY, delivered by a loader called STONESTOP, which orchestrates bring-your-own-vulnerable-driver (BYOVD) attacks and effectively circumvents driver signature enforcement protections. The ability to “force delete” files on disk was first spotted by Trend Micro in May 2023.
POORTRY, also known as BURNTCIGAR, was first detected in 2021 and has been used by several ransomware gangs over the years, including CUBA, BlackCat, Medusa, LockBit, and RansomHub.
“Both the Stonestop executable and the Poortry driver are heavily packed and obfuscated,” Sophos said in a recent report. “The loader is obfuscated by a closed-source packer called ASMGuard, which is available on GitHub.”
POORTRY “focuses on disabling EDR products through a series of different techniques, including removing or modifying kernel notification routines. EDR Killer aims to disable EDR agents by terminating security-related processes and wiping critical files from disk.”
The malicious drivers rely on what the company describes as a “virtually unlimited supply of stolen or improperly used code signing certificates” to bypass Microsoft’s driver signature validation protections.
RansomHub’s use of an improved version of POORTRY is notable given that ransomware teams have also been seen using another EDR killer tool this year called EDRKillShifter.
But that’s not all: the ransomware group was also spotted using TDSSKiller, a legitimate Kaspersky tool, to disable EDR services on targeted systems, indicating that threat actors are incorporating multiple programs with similar functionality into their attacks.
“It is important to recognize that threat actors are continually experimenting with different methods to defeat EDR products, a trend that has been observed since at least 2022,” Sophos told The Hacker News. “This experimentation can include a range of tactics, such as exploiting vulnerable drivers or using certificates that are unintentionally leaked or obtained through illicit means.”
“While this may appear to be a significant increase in activity, it is more accurate to say that this is not a sudden increase but part of an ongoing process.”
“The use of a variety of EDR killer tools, such as EDRKillShifter, by groups like RansomHub likely reflects this ongoing experimentation. It’s also possible that different affiliated organizations are involved, which could explain why different techniques are being used, but without concrete information we don’t want to speculate too much on that front.”