CosmicBeetle steps up: Probation period at RansomHub

CosmicBeetle steps up: Probation period at RansomHub

ESET researchers have mapped the recent activities of the CosmicBeetle threat actor, documenting its new ScRansom ransomware and highlighting connections to other well-established ransomware gangs.

CosmicBeetle actively deploys ScRansom to SMBs in various parts of the world. While not being top notch, the threat actor is able to compromise interesting targets.

CosmicBeetle replaced its previously deployed ransomware, Scarab, with ScRansom, which is continually improved. We have also observed the threat actor using the leaked LockBit builder and trying to leech off LockBit’s reputation by impersonating the infamous ransomware gang both in ransom notes and leak site.

Besides LockBit, we believe with medium confidence that CosmicBeetle is a new affiliate of RansomHub, a new ransomware gang active since March 2024 with rapidly increasing activity.

In this blogpost, we examine CosmicBeetle’s activities during the past year and analyze the connections to other well-established ransomware gangs. We also provide insight into ScRansom.

Key points of the blogpost:

• CosmicBeetle remains active in 2024, continually improving and distributing its custom ransomware, ScRansom.
• We provide an analysis of ScRansom, emphasizing that it is impossible to restore some encrypted files.
• CosmicBeetle has been experimenting with the leaked LockBit builder and has been trying to abuse its brand.
• CosmicBeetle may be a recent affiliate of the ransomware-as-a-service actor RansomHub.
• CosmicBeetle exploits years-old vulnerabilities to breach SMBs all over the world.

Overview

CosmicBeetle, active since at least 2020, is the name ESET researchers assigned to a threat actor discovered in 2023. This threat actor is most known for the usage of its custom collection of Delphi tools, commonly called Spacecolon, consisting of ScHackTool, ScInstaller, ScService, and ScPatcher. In August 2023, ESET researchers published their insights into CosmicBeetle. Shortly before publishing, new custom ransomware we named ScRansom appeared that we believe, with high confidence, is related to CosmicBeetle. We have since found further reasons to increase our confidence of this relation and believe that ScRansom is now that group’s ransomware of choice, replacing the previously utilized Scarab ransomware.

At the time of that publication in 2023, we had not observed any activity in the wild. That, however, changed shortly thereafter. CosmicBeetle has since been spreading ScRansom to SMBs, mainly in Europe and Asia.

ScRansom is not very sophisticated ransomware, yet CosmicBeetle has been able to compromise interesting targets and cause great harm to them. Mostly because CosmicBeetle is an immature actor in the ransomware world, problems plague the deployment of ScRansom. Victims affected by ScRansom who decide to pay should be cautious. While the decryptor itself works as expected (at the time of writing), multiple decryption keys are often required and some files may be permanently lost, depending on how CosmicBeetle proceeded during encryption. We go into more details later in this blogpost. In keeping with our experience regarding CosmicBeetle, an interesting study of immature ransomware groups recently published by GuidePoint Security shows corresponding results.

CosmicBeetle partially tried to address, or rather hide, these issues by impersonating the recently disrupted LockBit, probably the most infamous ransomware gang of the past few years. By abusing the LockBit brand name, CosmicBeetle hoped to better persuade victims to pay. CosmicBeetle also utilized the leaked LockBit Black builder to generate its custom samples with a ransom note in Turkish.

Recently, we have investigated an interesting case that leads us to believe that CosmicBeetle may be a new affiliate of RansomHub. RansomHub is a fairly recently emerged ransomware-as-a-service gang that quickly gained the public’s eye when Notchy, the notorious affiliate of the BlackCat ransomware gang who claimed responsibility for the attack on Change Healthcare, complained that BlackCat stole Notchy’s ransom payment and will therefore be partnering with the rival gang RansomHub instead.

This blogpost documents the evolution of ScRansom for the past year and CosmicBeetle’s approach to compromising victims. We also dive deeper into the threat actor’s relations to other ransomware gangs.

Attribution

We believe with high confidence that ScRansom is the newest addition to CosmicBeetle’s custom toolset. In this section, we explain our reasoning.

ESET telemetry shows several cases where ScRansom deployment overlaps with other tools commonly used by CosmicBeetle. Additionally, a ZIP archive uploaded to VirusTotal contains two embedded archives, each one probably containing samples from an intrusion. Both archives contain ScRansom, ScHackTool, and other tools commonly used by CosmicBeetle, further supporting our suspicions.

There is a lot of code similarity between ScRansom and previous CosmicBeetle tooling, namely:

• Delphi as the programming language of choice,
• IPWorks library for encryption,
• identical Turkish strings in the code,
• using spaces after colons in strings, which earned the Spacecolon toolset its name, and
• GUI similarity with ScHackTool.

All of these similarities further strengthen our attribution. Although Zaufana Trzencia Strona analysts recently published a blogpost about CosmicBeetle where they attributed CosmicBeetle to an actual person – a Turkish software developer, ESET researchers don’t think this attribution is accurate. That attribution is based on the custom encryption scheme used in ScHackTool (not ScRansom). Specifically, they found a malicious sample (SHA‑1: 28FD3345D82DA0CDB565A11C648AFF196F03D770) that contains this algorithm and is signed by a Turkish software development company VOVSOFT with a strange-looking headquarters.

But the mentioned sample does not belong to VOVSOFT; it is actually a malicious patched version of Disk Monitor Gadget, one of many products developed by VOVSOFT signed properly (SHA-1: 2BA12CD5E44839EA67DE8A07734A4E0303E5A3F8). Moreover, the digital signature was copied from the legitimate version and simply appended to the patched version, resulting in the malicious sample apparently being signed, but not having a valid signature.

Interestingly, ScHackTool’s encryption scheme is used in the legitimate Disk Monitor Gadget too. Zaufana Trzencia Strona analysts discovered that the algorithm likely originates from this Stack Overflow thread from 13 years ago. Since the author of the post, MohsenB, has been an active user of Stack Overflow since 2012 – and, based on profile pictures, is not the VOVSOFT developer himself – it is likely that this algorithm was adapted by VOVSOFT and, years later, CosmicBeetle stumbled upon it and used it for ScHackTool.

Initial access and victimology

CosmicBeetle often uses brute-force methods to breach its targets. Besides that, the following vulnerabilities are being exploited by the threat actor:

• CVE-2017-0144 (aka EternalBlue),
• CVE-2023-27532 (a vulnerability in a Veeam Backup & Replication component),
• CVE-2021-42278 and CVE-2021-42287 (AD privilege escalation vulnerabilities) through noPac,
• CVE-2022-42475 (a vulnerability in FortiOS SSL-VPN), and
• CVE-2020-1472 (aka Zerologon).

SMBs from all sorts of verticals all over the world are the most common victims of this threat actor because that is the segment most likely to use the affected software and to not have robust patch management processes in place. CosmicBeetle’s leak site is, as we will demonstrate shortly, very unreliable and inconsistent; therefore we refer to ESET telemetry. Figure 1 demonstrates CosmicBeetle’s victims according to ESET telemetry.

We observed attacks on SMBs in the following verticals:

• manufacturing,
• pharmaceuticals,
• legal,
• education,
• healthcare,
• technology,
• hospitality leisure,
• financial services, and
• regional government.

Brand

Most ransom notes dropped by ScRansom do not assign a name to the ransomware. CosmicBeetle relies mainly on email and qTox, an instant messaging application utilized by many ransomware gangs, mainly due to its usage of the Tox protocol. The Tox protocol provides peer-to-peer end-to-end encrypted communication.

The only name CosmicBeetle chose for its custom ransomware is, ironically, NONAME, as the threat actor briefly branded the ransomware, which we discuss in the following section. Due to the chaotic nature of the branding, for the purpose of this blogpost, we will continue to refer to the ransomware as ScRansom.

LockBit copycat

In September 2023, CosmicBeetle decided to set up a dedicated leak site (DLS) on Tor, which it named NONAME. This site, illustrated in Figure 2, is a rip-off of LockBit’s leak site (see Figure 3).

While a few graphical changes have been made, the inspiration is still clear. Moreover, the design is not the only similarity with LockBit. All of the victims visible in Figure 2 were actually compromised by LockBit, not ScRansom. This can be verified by using DLS tracking services, such as RansomLook. All of the victims were posted on LockBit’s leak site, most of them in September 2023, shortly before the NONAME DLS appeared. The Work ID string is added to increase the illusion of being related to ScRansom, as this is how victims are identified in ransom notes.

In early November 2023, CosmicBeetle decided to move even further and decided to impersonate LockBit completely. They did so by registering the domain lockbitblog[.]info and using the same approach as for the NONAME DLS, only this time, they included the LockBit logo as well (see Figure 4). Then, for a time, ScRansom’s ransom notes linked to this website. The same inspiration is visible and the graphical similarity to the NONAME DLS (Figure 2) is undeniable.

A sample built using the leaked LockBit 3.0 builder was uploaded to VirusTotal in August 2024 from Türkiye. What makes this sample unique is that it uses a ransom message (see Figure 5) in Turkish and the qTox ID it mentions is one we conclusively linked to CosmicBeetle. ESET telemetry corroborates this connection, as we have investigated a case where deployment of LockBit overlapped with CosmicBeetle’s toolset.

Figure 5. Ransom note that contains a TOX ID used by CosmicBeetle, dropped by a LockBit sample. Text was machine translated from Turkish.

Relation to RansomHub

Using leaked builders is a common practice for immature ransomware gangs. It allows them to abuse the brand of their well-established competitors while also providing them with a ransomware sample that usually works properly. The LockBit connection, however, is not the only one we have observed.

In June, we investigated an incident involving ScRansom. From our telemetry, we were able to gather the following:

• On June 3rd, 2024 CosmicBeetle attempted to compromise a manufacturing company in India with ScRansom.
• After failing, CosmicBeetle tried a variety of process-killing tools to remove EDR protection, namely:
  • Reaper,
  • Darkside, and
  • RealBlindingEDR.
• On June 8th, 2024, RansomHub’s EDR killer was executed on the same machine.
• On June 10th, 2024, RansomHub was executed on the same machine.

The way RansomHub’s EDR killer was executed is very unusual. It was manually extracted via WinRAR from an archive stored at C:UsersAdministratorMusic1.0.8.zip and executed. Such execution is very unusual for RansomHub affiliates. On the other hand, using the Music folder and manually extracting and executing payloads certainly is typical CosmicBeetle behavior.

To our knowledge, there are no public leaks of RansomHub code or its builder (though RansomHub itself is probably based on code bought from Knight, another ransomware gang). Therefore, we believe with medium confidence that CosmicBeetle enrolled itself as a new RansomHub affiliate.

Technical analysis

Similar to the rest of CosmicBeetle’s custom arsenal, ScRansom is written in Delphi. The earliest samples we were able to obtain were compiled at the end of March 2023, though, to the best of our knowledge, in-the-wild attacks didn’t start before August. ScRansom is under ongoing development.

The GUI is typical for Delphi applications, though not so much for ransomware. All ScRansom samples contain a structured GUI. The older samples, usually named “Static” by the developers, require user interaction to actually encrypt anything. While this may seem a complication, it may be one of the reasons why ScRansom evaded detection for some time, as running such samples in analysis sandboxes does not display any malicious activity.

Launching such an encryptor requires the threat actor to have access to the victim’s screen and be able to manipulate their mouse. This is not the first time CosmicBeetle has used this approach – ScHackTool is also a tool that needs to be executed on the victim’s machine and requires manual interaction. We are not entirely sure how CosmicBeetle achieves this goal, but guessing from the other tools used, we believe using VPN access with previously stolen credentials and RDP is the most probable scenario.

CosmicBeetle also has experimented with a rarely seen variant named “SSH”. The encryptor logic is identical to the other variants, but instead of encrypting local files, it encrypts files over FTP.

Newer builds utilize automation, though only by simulating clicking the correct buttons from code. These automated builds, named “Auto” by the developers, are usually bundled inside an MSI installer together with small tools or scripts to delete shadow copies. The GUI is hidden by default; its most recent version is illustrated in Figure 6.

A complex GUI with a lot of buttons, some of which do nothing, is typical for CosmicBeetle. While the GUI with four tabs looks complex, the functionality is actually very straightforward. ScRansom encrypts files on all fixed, remote, and removable drives based on a hardcoded list of extensions (see Appendix A: Targeted file extensions) – this list can be modified via the text box labeled Extensions.

ScRansom employs partial encryption – only parts of the file are encrypted. Five encryption modes are supported:

• FAST
• FASTEST
• SLOW
• FULL
• ERASE

The first four modes simply differ in how the ransomware decides what portions of the file to encrypt. Their utilization seems to still be partially in development, as not all of the modes are used. The last mode, ERASE, is important, however – when applied, selected portions of targeted files are not encrypted but their contents are replaced with a constant value, rendering these files unrecoverable. Which mode is applied for a given file is determined either via the radio buttons in the Actions tab or via the inclusion of its extension in the Criteria tab. The extensions list labeled Virtual Extensions triggers a different encryption function that, however, is identical to the regular one. As you probably guessed, White Extensions should define a list of extensions excluded from encryption, though this feature is not implemented.

Besides encrypting, ScRansom also kills various processes and services (see Appendix B: Processes killed and Appendix C: Services killed). Recently, a new Delphi sample was split off from ScRansom into a part that we named ScKill, whose sole purpose is to kill processes. ScRansom also employs debug-like features like loading a list of extensions to encrypt from an ext.txt file and ransom note content from a note.txt file.

Encryption

Initial ScRansom samples utilized simple symmetric encryption using AES-CTR-128. Since December 2023, the encryption scheme has been updated. The new scheme is quite (unnecessarily) complex. ScRansom, at the start, generates an AES key we will call ProtectionKey, and an RSA-1024 key pair we will call RunKeyPair.

Every ScRansom sample using this new scheme contains a hardcoded public RSA key from a pair we will call MasterKeyPair. This public key is encrypted using RSA into what CosmicBeetle calls Decryption ID.

For every file, an AES-CTR-128 key that we will call FileKey is generated. Portions of the file are then encrypted using AES with FileKey. When ScRansom finishes encrypting a file, it appends data to its end, specifically:

• The string TIMATOMA (or TIMATOMAFULL if the whole file was encrypted).
• The string TBase64EncodingButton12ClickTESTB64@#$% (TESTB64 in older builds), encrypted by AES using FileKey.
• The following entries, delimited by $ (a dollar sign):
  • Hex-encoded RunKeyPair.Public,
  • Decryption ID,
  • RunKeyPair.Private, encrypted using AES-CTR-128 with ProtectionKey, and
  • FileKey, encrypted using RSA with RunKeyPair.Public.
• Information about encrypted blocks start and their length (absent if the full file is encrypted).

Finally, Decryption ID is stored into a text file named DECRYPTION_IDS.TXT and also written in the ransom note named HOW TO RECOVERY FILES.TXT. Decryption ID is different each time the encryptor is executed. On subsequent execution(s), the Decryption IDs are appended to the DECRYPTION_IDS.TXT file, but not updated in the ransom note.

The filename (including extension) is then base64 encoded and the .Encrypted extension appended. Despite the complexity of the whole process, we have summarized it in Figure 7.

Decryption

We were able to obtain a decryptor implemented by CosmicBeetle for this recent encryption scheme. CosmicBeetle does not provide its victims with the MasterKeyPair.Private key but with the already decrypted ProtectionKey (that needs to be entered in the field labeled CPriv Aes Key). Additionally, the decryptor expects the Decryption ID, which is useless, as the private key is not provided; indeed, the decryptor ignores its value. The GUI of the decryptor is illustrated in Figure 8.

If the correct ProtectionKey is entered, the decryptor works as expected. If victims decide to pay the ransom, they need to collect all Decryption IDs from all the machines where ScRansom was executed. CosmicBeetle then needs to provide a different ProtectionKey for all of the Decryption IDs. Victims then need to manually run the decryptor on every encrypted machine, enter the correct ProtectionKey (or try all of them), click the Decrypt button and wait for the decryption process to finish.

Moreover, from collaboration with one of the victims, we learned that ScRansom was executed more than once on some machines, leading to even more Decryption IDs. This victim collected 31 different Decryption IDs, requiring 31 ProtectionKeys from CosmicBeetle. Even with those, they were unable to fully recover all of their files. Assuming the encrypted files were not tampered with, this may be the result of missing some Decryption IDs, CosmicBeetle not providing all of the required ProtectionKeys, or ScRansom destroying some files permanently by using the ERASE encryption mode. This decryption approach is typical for an immature ransomware threat actor.

Seasoned gangs prefer to have their decryption process as easy as possible to increase the chances of correct decryption, which boosts their reputation and increases the likelihood that victims will pay. Typically (like in the case of the leaked LockBit Black builder), a decryptor is built together with an encryptor. When distributed to the victim, no additional user effort is required, as the key is already contained in the binary. Additionally, one key is sufficient to decrypt all encrypted files, regardless of where they are in the victim’s network.

Conclusion

In this blogpost, we have analyzed CosmicBeetle’s activity over the past year. The threat actor is still deploying ransomware, though it switched from Scarab to a new custom family we call ScRansom. Probably due to the obstacles that writing custom ransomware from scratch brings, CosmicBeetle attempted to leech off LockBit’s reputation, possibly to mask the issues in the underlying ransomware and in turn to increase the chance that victims will pay.

We also spotted CosmicBeetle trying to deploy LockBit samples built using the leaked builder, though only briefly, before switching back to ScRansom. The threat actor puts efforts into continual development of ScRansom, changing encryption logic and adding features.

Recently, we observed the deployment of ScRansom and RansomHub payloads on the same machine only a week apart. This execution of RansomHub was very unusual compared to typical RansomHub cases we have seen in ESET telemetry. Since there are no public leaks of RansomHub, this leads us to believe with medium confidence that CosmicBeetle may be a recent affiliate of RansomHub.

ScRansom undergoes ongoing development, which is never a good sign in ransomware. The overcomplexity of the encryption (and decryption) process is prone to errors, making restoration of all files unsure. Successful decryption relies on the decryptor working properly and on CosmicBeetle providing all necessary keys, and even in that case, some files may have been destroyed permanently by the threat actor. Even in the best-case scenario, decryption will be long and complicated.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

Files

Network

Ransom note fragments

Email addresses

• decservice@ukr[.]net
• nonamehack2024@gmail[.]com
• tufhackteam@gmail[.]com
• nonamehack2023@gmail[.]com
• nonamehack2023@tutanota[.]com
• lockbit2023@proton[.]me
• serverrecoveryhelp@gmail[.]com
• recoverydatalife@gmail[.]com
• recoverydatalife@mail[.]ru

Tox IDs

• 91E3BA8FACDA7D4A0738ADE67846CDB58A7E32575531BCA0348EA73F6191882910B72613F8C4
• A5F2F6058F70CE5953DC475EE6AF1F97FC6D487ABEBAE76915075E3A53525B1D863102EDD50E
• F1D0F45DBC3F4CA784D5D0D0DD8ADCD31AB5645BE00293FE6302CD0381F6527AC647A61CB08D
• 0C9B448D9F5FBABE701131153411A1EA28F3701153F59760E01EC303334C35630E62D2CCDCE3

Tor links

• http://nonamef5njcxkghbjequlibwe5d3t3li5tmyqdyarnrsryopvku76wqd[.]onion
• http://noname2j6zkgnt7ftxsjju5tfd3s45s4i3egq5bqtl72kgum4ldc6qyd[.]onion
• http://7tkffbh3qiumpfjfq77plcorjmfohmbj6nwq5je6herbpya6kmgoafid[.]onion

MITRE ATT&CK techniques

This table was built using version 15 of the MITRE ATT&CK framework.

Appendix A: Targeted file extensions

This configuration is hardcoded in every ScRansom sample and is subject to frequent change. The following sections contain the most recent configuration at the time of writing.

Filename masks to encrypt

Extensions to encrypt using SLOW mode

Extensions targeted for permanent deletion

"Blacklisted” filenames and path fragments

Appendix B: Processes killed

The list below contains two filenames that stand out – Project1.exe, which refers to many ScRansom variants, and app.exe, which is the filename used for older ScHackTool builds.

Appendix C: Services killed