ScRansom Ransomware Launched by CosmicBeetle, Collaborating with RansomHub

In an analysis published today, ESET researcher Jakub Souček stated that CosmicBeetle has introduced ScRansom, replacing its earlier Scarab ransomware. Although the actor is not among the most sophisticated, it is able to target a variety of sectors with this evolving ransomware.

CosmicBeetle Deploys Custom ScRansom Ransomware, Partnering with RansomHub

The affected sectors include manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, leisure, financial services, and regional government.

The entity CosmicBeetle was recognized for its Spacecolon toolset, previously used for Scarab ransomware campaigns.

The actor, also known as NONAME, experimented with the leaked LockBit builder to mimic the infamous ransomware gang in their ransom notes and leak site.


The origin of the attacker remains unknown, with an initial assumption suggesting Turkish roots due to a custom encryption scheme found in ScHackTool. However, ESET no longer believes this to be the case.

The encryption algorithm used by ScHackTool is also found in Disk Monitor Gadget, a product of the Turkish software vendor VOVSOFT, and was probably adapted from a Stack Overflow thread.

Infiltration methods involve exploiting security vulnerabilities like CVE-2017-0144, CVE-2020-1472, and other CVE entries to access target networks.

Tools such as Reaper and Darkside are used to terminate security processes before the Delphi-based ScRansom ransomware is deployed. ScRansom offers features such as partial encryption, for speed, and an “ERASE” mode that makes files unrecoverable.

ScRansom Ransomware

ScRansom and RansomHub were observed being deployed on the same device within a week of each other, which makes a link between the two evident.

CosmicBeetle may have tried to leverage LockBit’s reputation to mask deficiencies in their ransomware, increasing the likelihood of victim payments.

Updated Version Released by Cicada3301

A recent report by Palo Alto Networks Unit 42 shows that threat actors associated with the Cicada3301 ransomware have released an updated version of the ransomware since July 2024.

The new version includes a "--no-note" command-line argument, which ensures the encryptor does not create ransom notes on the system.

Furthermore, the binary no longer contains hard-coded credentials; instead, it can execute PsExec using existing credentials if any are available, a technique recently highlighted by Morphisec.

Unit 42 also noted signs that the group possesses data from older incidents predating their operation under the Cicada3301 label.

This raises the possibility that the group previously operated under a different ransomware brand, or acquired the data from other ransomware groups. That said, Unit 42 highlighted that it found some similarities with another attack carried out by an affiliate who deployed BlackCat ransomware in March 2022.

BURNTCIGAR Morphs into an EDR Wiper

The findings also track the transformation of a signed kernel-mode Windows driver, used by several ransomware gangs to disable Endpoint Detection and Response (EDR) software, into a wiper that erases crucial components of those solutions rather than merely shutting them down.

The malware in question is POORTRY, which is distributed through a loader named STONESTOP to carry out a Bring Your Own Vulnerable Driver (BYOVD) attack, effectively bypassing Driver Signature Enforcement protections. Its capability to “force delete” files on disk was first pointed out by Trend Micro in May 2023.

POORTRY, observed as early as 2021, is also known as BURNTCIGAR and has been used over the years by multiple ransomware gangs, including CUBA, BlackCat, Medusa, LockBit, and RansomHub.


“Both the Stonestop executable and the Poortry driver are highly encoded and obscured,” Sophos stated in a recent report. “This loader was obscured by a closed-source packer named ASMGuard, available on GitHub.”

POORTRY is “dedicated to deactivating EDR products through a range of diverse methods, such as elimination or alteration of kernel notify routines. The EDR killer aims to terminate security-linked processes and render the EDR agent ineffective by wiping out critical files from the disk.”

The deployment of an upgraded version of POORTRY by RansomHub is noteworthy considering that the ransomware gang has also been seen utilizing another EDR killer tool named EDRKillShifter this year.

“It’s crucial to acknowledge that malicious actors have been consistently experimenting with various approaches to deactivate EDR products — a pattern we’ve been monitoring since at least 2022,” Sophos informed The Hacker News. “This experimentation can encompass a variety of strategies, such as exploiting insecure drivers or using certificates that have been inadvertently exposed or obtained through illicit means.”

“While there might appear to be a notable rise in these activities, it’s more accurate to say that this is part of an ongoing progression rather than a sudden surge.”

“The utilization of different EDR-killer utilities, like EDRKillShifter by factions like RansomHub, likely mirrors this continuous experimentation. There is also a chance that varied affiliates are involved, which could elucidate the utilization of differing methods, though lacking precise details, we would be cautious in speculating excessively on that front.”
