ScRansom Ransomware
The threat actor known as CosmicBeetle has introduced a new custom ransomware variant called ScRansom, specifically targeting small- and medium-sized businesses (SMBs) across Europe, Asia, Africa and South America. Additionally, CosmicBeetle is suspected of acting as an affiliate for the RansomHub group.
Previously using the Scarab Ransomware, CosmicBeetle has now transitioned to ScRansom, which is under ongoing development. Although not at the forefront of ransomware sophistication, the group has still managed to compromise noteworthy targets.
CosmicBeetle Targets a Diverse Set of Sectors
ScRansom attacks have targeted a wide range of sectors, including manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, leisure, financial services and regional governments.
CosmicBeetle, also known as NONAME, is most recognized for its threatening toolkit, Spacecolon, which was previously used to deliver the Scarab Ransomware to victims worldwide. The group has also been known to experiment with the leaked LockBit builder, attempting to impersonate the notorious LockBit Ransomware group in ransom notes and on leak sites as early as November 2023.
The identity and origin of the attackers remain unclear. An earlier theory, now considered unlikely, suggested they might be of Turkish origin due to a custom encryption method found in another tool called ScHackTool.
Multiple Vulnerabilities Exploited by Cybercriminals
Attack chains have been observed using brute-force attacks and exploiting several known security vulnerabilities (CVE-2017-0144, CVE-2020-1472, CVE-2021-42278, CVE-2021-42287, CVE-2022-42475, and CVE-2023-27532) to penetrate target environments.
The intrusions also use tools such as Reaper, Darkside, and RealBlindingEDR to terminate security processes and avoid detection before deploying the Delphi-based ScRansom Ransomware. ScRansom uses partial encryption to speed up the encryption process and includes an 'ERASE' mode that overwrites files with a constant value, making them unrecoverable.
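To show how a responder might triage a file share after an incident like the one described above, here is an added Python example (not from the original article or from any vendor tool) that uses per-chunk Shannon entropy to separate files that look untouched, partially encrypted, fully encrypted, or overwritten with a single constant byte. The chunk size, the 7.0 bits/byte threshold and the sample files are assumptions of this example; compressed or already-encrypted formats will naturally look "fully-encrypted", so the labels are a starting point for review, not proof.

```python
import math
import hashlib
from collections import Counter

CHUNK_SIZE = 4096    # assumed triage granularity, not a ScRansom constant
HIGH_ENTROPY = 7.0   # bits/byte above which a chunk looks random (encrypted or compressed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data, up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file_bytes(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Label file contents for ransomware triage.

    constant-fill       -> every byte identical (consistent with an 'ERASE'-style overwrite)
    fully-encrypted     -> every chunk random-looking (or a compressed/encrypted format)
    partially-encrypted -> a mix of random-looking and structured chunks
    plaintext           -> no random-looking chunks
    """
    if not data:
        return "empty"
    if len(set(data)) == 1:
        return "constant-fill"
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    high = [shannon_entropy(c) >= HIGH_ENTROPY for c in chunks]
    if all(high):
        return "fully-encrypted"
    if any(high):
        return "partially-encrypted"
    return "plaintext"


# Constructed samples (no real victim data): SHA-256 output stands in for ciphertext.
RANDOM_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))  # 8192 bytes
TEXT_LIKE = (b"Quarterly report: revenue, costs, headcount.\n" * 200)[:8192]
SAMPLES = {
    "untouched.txt": TEXT_LIKE,
    "partial.docx": RANDOM_LIKE[:CHUNK_SIZE] + TEXT_LIKE[CHUNK_SIZE:],
    "full.bin": RANDOM_LIKE,
    "erased.xlsx": b"\x00" * 8192,
}


def triage(samples: dict) -> dict:
    """Map each file name to its classification."""
    return {name: classify_file_bytes(content) for name, content in samples.items()}


if __name__ == "__main__":
    for name, label in triage(SAMPLES).items():
        print(f"{name:15} {label}")
```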
Possible Connection to RansomHub
The link to RansomHub arises from observations by infosec researchers who found ScRansom and RansomHub payloads deployed on the same machine within a week. Facing the challenges of developing custom ransomware from scratch, CosmicBeetle appears to have attempted to leverage LockBit's reputation. This strategy may be intended to obscure flaws in their ransomware and improve the likelihood that victims will pay the ransom.
Ransomware Operators Update Their Harmful Tools
Since July 2024, threat actors associated with the Cicada3301 Ransomware (also known as Repellent Scorpius) have been observed using an updated version of their encryptor. This new version includes a command-line argument, --no-note, which prevents the encryptor from writing a ransom note to the system.
Additionally, the updated encryptor no longer contains hard-coded usernames or passwords within the binary. However, it can still execute PsExec using existing credentials, a technique recently noted by Morphisec. Intriguingly, infosec researchers have detected evidence suggesting that the group may possess data from older compromises that occurred before they operated under the Cicada3301 name.
This raises the chances that the threat actor might have previously operated under a different ransomware brand or acquired data from other ransomware groups.