ESET has detected a new ransomware, ScRansom, distributed by the CosmicBeetle cybercriminal group to small and medium-sized enterprises primarily in Europe and Asia. In addition, CosmicBeetle is likely part of the new RansomHub ransomware group, active since March 2024, which offers ransomware as a service.

“Probably due to the obstacles in creating a ransomware from scratch, CosmicBeetle tried to take advantage of the popularity of another ransomware, LockBit, possibly to mask problems in the underlying ransomware, and thus increase the likelihood that victims will pay,” said Jakub Soucek, ESET researcher.

In addition, the researchers observed ScRansom and RansomHub components deployed on the same device a week apart. This RansomHub execution was very unusual compared to the typical cases seen in ESET telemetry, but closely resembled CosmicBeetle's modus operandi. Since there are no public leaks of RansomHub, this suggests that CosmicBeetle is a new RansomHub affiliate.

CosmicBeetle often uses password guessing to break into its targets. The group also exploits various known vulnerabilities. Small and medium-sized enterprises from various industries around the world are the most frequent victims of this threat, as this segment is more likely to run outdated software or to lack reliable patch management. In particular, ESET researchers have detected attacks on companies in the following industries: manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, financial services, and regional government agencies.

Map of CosmicBeetle attacks since August 2023 based on ESET telemetry data

In addition to encrypting files, ScRansom can also stop various processes and services on the infected machine. ScRansom is fairly simple ransomware, yet CosmicBeetle has been able to compromise interesting targets and cause a lot of damage. Largely because CosmicBeetle is a new player in the ransomware world, ScRansom deployments are plagued by problems.

ESET researchers managed to obtain the decryptor that CosmicBeetle implemented for its latest encryption scheme. The highly complex encryption and decryption process is error-prone, which makes recovery of all files questionable. Successful decryption depends on the decryptor working properly and on CosmicBeetle providing all the necessary keys. Even then, some files may still have been permanently deleted. Even in the best case, decryption is a long and complicated process.

It is worth noting that CosmicBeetle has been active since at least 2020. The group is best known for using a custom set of Delphi tools known as Spacecolon, consisting of ScHackTool, ScInstaller, ScService, and ScPatcher.

To prevent such attacks and detect any malicious activity in a timely manner, organizations should ensure a strong cyber defense, for example with the ESET PROTECT Elite comprehensive threat prevention, detection, and response (XDR) solution.

The post "CosmicBeetle attacks companies in Europe and Asia" first appeared on HiTechExpert.top.