A threat actor known as CosmicBeetle has debuted a new custom ransomware strain called ScRansom in attacks targeting small and medium-sized businesses (SMBs) in Europe, Asia, Africa, and South America, and is believed to be operating as an affiliate for RansomHub.
“CosmicBeetle has replaced its previously deployed Scarab ransomware with ScRansom, which is constantly being improved,” ESET researcher Jakub Soucek said in a new analysis published today. “Without being first-rate, a threat actor can compromise targets of interest.”
The targets of ScRansom attacks are the manufacturing, pharmaceutical, legal, education, healthcare, technology, hospitality, leisure, financial services and regional government sectors.
CosmicBeetle is best known for a malicious toolset called Spacecolon, which was previously identified as being used to deliver Scarab ransomware to victim organizations around the world.
Also tracked as NONAME, the adversary has experimented with the leaked LockBit builder in an attempt to impersonate the notorious ransomware gang in its ransom notes and leak site back in November 2023.
It is currently unclear who is behind the attacks or where they are from, although an earlier hypothesis suggested that they may be of Turkish origin due to the presence of a custom encryption scheme used in another tool called ScHackTool. ESET, however, now believes that attribution no longer holds up.
“ScHackTool’s encryption scheme is used in the legitimate Disk Monitor Gadget,” Soucek noted. “It is quite likely that this algorithm was adapted (from a Stack Overflow thread) by VOVSOFT (the Turkish software firm behind the tool), and years later CosmicBeetle came across it and used it for ScHackTool.”
Attack chains have been observed using brute-force attacks and known security flaws to penetrate the target environment, namely CVE-2017-0144 (EternalBlue, SMBv1), CVE-2020-1472 (Zerologon), CVE-2021-42278 and CVE-2021-42287 (the Active Directory “noPac” pair), CVE-2022-42475 (FortiOS SSL-VPN), and CVE-2023-27532 (Veeam Backup & Replication).
Intrusions also involve tools such as Reaper, Darkside, and RealBlindingEDR to terminate security-related processes and evade detection before the ransomware is deployed. The Delphi-based ScRansom supports partial encryption to speed up the process and an “ERASE” mode that renders files unrecoverable by overwriting them with a constant value.
The connection to RansomHub stems from the Slovak cybersecurity company observing the deployment of ScRansom and RansomHub payloads on the same machine within a week of each other.
“Probably because of the hurdles of writing custom ransomware from scratch, CosmicBeetle tried to discredit LockBit, possibly to mask problems in the underlying ransomware and in turn make victims more likely to pay up,” Soucek said.
Cicada3301 releases an updated version
The disclosure comes as threat actors associated with the Cicada3301 ransomware (aka Repellent Scorpius) have been observed using an updated version of the encryptor since July 2024.
“The threat authors added a new --no-note command-line argument,” Palo Alto Networks Unit 42 said in a report shared with The Hacker News. “When this argument is called, the encryptor will not write a ransom note to the system.”
Another notable modification is the removal of hard-coded usernames and passwords from the binary, although the encryptor retains the ability to execute PsExec with such credentials if they are supplied, a method recently highlighted by Morphisec.
In an interesting twist, Unit 42 said it saw signs that the group possessed data obtained from older intrusions that predated its activity under the Cicada3301 brand.
This raises the possibility that the threat actor previously operated under a different ransomware brand or acquired data from other ransomware groups. At the same time, Unit 42 noted that it found overlaps with an earlier attack carried out by an affiliate that deployed the BlackCat ransomware in March 2022.
BURNTCIGAR becomes an EDR wiper
The findings also coincide with the evolution of a signed kernel-mode Windows driver used by several ransomware gangs to disable Endpoint Detection and Response (EDR) software into a wiper that removes critical components of those products from disk, as opposed to merely stopping them.
The malware in question is POORTRY, which is delivered using a loader called STONESTOP to stage a Bring Your Own Vulnerable Driver (BYOVD) attack, effectively bypassing Windows’ driver signature enforcement safeguards. Its ability to “force delete” files on disk was first noted by Trend Micro in May 2023.
POORTRY, first discovered in 2021 and also tracked as BURNTCIGAR, has been used by several ransomware groups over the years, including CUBA, BlackCat, Medusa, LockBit, and RansomHub.
“Both the Stonestop executable and the Poortry driver are heavily packed and obfuscated,” Sophos said in a recent report. “This loader was obfuscated by a closed-source packer called ASMGuard, available on GitHub.”
POORTRY “focuses on disabling EDR products through a series of different methods, such as removing or modifying kernel notification routines. The EDR killer aims to kill security-related processes and renders the EDR agent useless by deleting important files from disk.”
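The BYOVD pattern described above is hard to catch with signature checks alone, because the abused driver is, by definition, legitimately signed. The following is an added example, not code from the page or from any vendor report cited here, of a small hunting filter over Sysmon Event ID 6 (DriverLoad) records exported as JSON lines. It flags three things a practitioner would look for after reading the Sophos and Trend Micro findings: a driver loaded from a user-writable directory, a signature that does not validate (the leaked or revoked certificate case), and a hash that appears on a local vulnerable-driver blocklist. The log records, the placeholder hashes, and the blocklist contents are constructed for illustration; a real deployment would populate the blocklist from Microsoft’s vulnerable driver blocklist or the LOLDrivers project.

```python
import json

# Constructed placeholder hash standing in for a blocklisted vulnerable
# driver; this value is not a real driver hash.
BLOCKLIST_SHA256 = {"e" * 64}

# Directories from which a legitimate kernel driver is essentially never
# loaded; a loader that drops a signed-but-vulnerable driver usually
# stages it somewhere an unprivileged user can write.
SUSPICIOUS_PATH_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "c:\\temp\\",
)

# Constructed Sysmon Event ID 6 (DriverLoad) records as JSON lines. The field
# names follow Sysmon's schema; every value below is invented.
SAMPLE_LOG = "\n".join([
    # Benign: Microsoft-signed driver from the normal drivers directory.
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
                "Hashes": "SHA256=" + "1" * 64, "Signed": "true",
                "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}),
    # BYOVD: valid vendor signature (so signature checks pass), but a
    # known-vulnerable build dropped under ProgramData.
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\ProgramData\\svc\\drv.sys",
                "Hashes": "SHA256=" + "e" * 64, "Signed": "true",
                "Signature": "Example Hardware Vendor", "SignatureStatus": "Valid"}),
    # Leaked/revoked certificate: signed, but the signature no longer validates.
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\abc.sys",
                "Hashes": "SHA256=" + "2" * 64, "Signed": "true",
                "Signature": "Some Revoked Publisher", "SignatureStatus": "Revoked"}),
    # Unrelated event type (process creation), ignored by the filter.
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}),
])


def extract_sha256(hashes_field):
    """Pull the SHA256 value out of Sysmon's 'ALG=hex,ALG=hex' Hashes field."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def driver_load_findings(event):
    """Return the reasons a single DriverLoad event deserves analyst attention."""
    reasons = []
    if event.get("EventID") != 6:
        return reasons
    image = event.get("ImageLoaded", "")
    if image.lower().startswith(SUSPICIOUS_PATH_PREFIXES):
        reasons.append("loaded from user-writable path")
    # A BYOVD driver is validly signed, so this check alone never catches it;
    # it catches unsigned drivers and leaked or revoked certificates.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("signature missing or invalid")
    if extract_sha256(event.get("Hashes", "")) in BLOCKLIST_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    return reasons


def triage(log_text):
    """Parse JSON-lines Sysmon output and return (ImageLoaded, reasons) pairs."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = driver_load_findings(event)
        if reasons:
            findings.append((event["ImageLoaded"], reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_LOG):
        print(f"{image}: {', '.join(reasons)}")
```

Run against the constructed log, the filter reports the ProgramData driver twice over (writable path plus blocklisted hash) and the revoked-certificate driver once, while the Microsoft-signed tcpip.sys passes. The path and blocklist heuristics are the ones that matter for BYOVD; tune the prefix list to whatever your fleet's legitimate third-party drivers actually use before alerting on it.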
RansomHub’s use of an improved version of POORTRY is worth noting in light of the fact that the ransomware crew also used another EDR killer tool called EDRKillShifter this year.
“It’s important to recognize that threat actors are consistently experimenting with different methods of disabling EDR products, a trend we’ve been seeing since at least 2022,” Sophos told The Hacker News. “This experiment may involve various tactics, such as using vulnerable drivers or using certificates that have been inadvertently leaked or obtained illegally.”
“While it may appear that this activity has increased significantly, it is more accurate to say that this is part of an ongoing process, rather than a sudden uptick.”
“The use of various EDR-killer tools, such as EDRKillShifter, by groups such as RansomHub likely reflects this ongoing experimentation. It’s also possible that different affiliates are involved, which could explain the use of different methods, although without concrete information we don’t want to speculate too much on that.”