RansomHub
"CosmicBeetle Partners with RansomHub to Deploy ScRansom Ransomware"
...
CosmicBeetle, a threat actor active since at least 2020, has carried its operations into 2024, deploying its evolving ScRansom ransomware against SMBs (small and medium-sized businesses) across Europe and Asia. ScRansom is far from the most sophisticated ransomware in circulation, but CosmicBeetle's adaptability and persistence have made it a real danger to the organizations it hits.
ScRansom, which replaced the Scarab ransomware the group deployed earlier, has been under continual development since it first appeared in 2023. Despite its imperfections and limitations, its experimental features and CosmicBeetle's ties to established ransomware gangs make it a threat worth taking seriously. Evidence from recent intrusions suggests that CosmicBeetle has become an affiliate of RansomHub, a fast-growing ransomware-as-a-service (RaaS) operation, which would extend the group's reach well beyond what its own tooling allows.
#### CosmicBeetle's Evolution and Affiliation with RansomHub
##### CosmicBeetle’s Transition from Scarab to ScRansom
ScRansom marked a significant transition for CosmicBeetle. Having originally relied on Scarab, the group shifted in 2023 to ScRansom, its own custom-built ransomware, and ESET researchers believe with high confidence that ScRansom is now CosmicBeetle's ransomware of choice. The shift has not cured the group's problems: a poorly executed encryption scheme and an imperfect decryption process point to an operator that is still relatively immature by cybercrime standards.
##### Impersonation of LockBit and Affiliation with RansomHub
CosmicBeetle has also engaged in "brand hijacking", borrowing the reputation of the notorious LockBit ransomware gang: it built samples with the leaked LockBit builder and wrote ransom notes that impersonate LockBit, hoping the name alone would pressure victims into paying. Its most recent and most significant move, however, is its apparent affiliation with RansomHub.
RansomHub, a RaaS operation that emerged in early 2024, has quickly gained prominence, and researchers believe CosmicBeetle has become one of its affiliates. RansomHub's rapid rise, combined with actors like CosmicBeetle operating under its umbrella, makes the resulting attacks both harder to attribute and more damaging. The following sections look at what RansomHub brings to this picture.
#### The Rise of RansomHub: A New Player in the RaaS Ecosystem
##### What Is RansomHub?
RansomHub is a relatively new ransomware-as-a-service (RaaS) platform that has become a significant player in the cybercrime ecosystem since it emerged in early 2024, drawing attention for its rapid growth and for the notorious actors working with it. As an affiliate-based platform, RansomHub supplies the ransomware and the supporting infrastructure to affiliates in exchange for a share of each ransom payment.
##### How RansomHub Operates
RansomHub supplies the ransomware payload to affiliates, who choose their own targets, break in and deploy it. This division of labor decentralizes the attacks, which makes it harder for law enforcement and defenders to attribute an intrusion to a particular crew from the payload alone. In return for the revenue share, an affiliate such as CosmicBeetle gets a maintained locker and decryptor, a leak site and negotiation infrastructure, and can run attacks without having to build and support that tooling itself.
#### Technical Analysis of ScRansom
##### ScRansom’s Encryption Mechanism
ScRansom's encryption has changed repeatedly and is still evolving. Early versions used plain AES-CTR-128; later versions moved to a more complex, though flawed, scheme in which every file is encrypted with its own key, so recovering the key for one file does not help with any other, and practical recovery depends on key material only the attackers hold.
One notable feature is ScRansom's partial encryption mode, in which only selected portions of each file are encrypted. This shortens the time the ransomware needs to run across a victim's data; the remainder of each file is left in plaintext, but the encrypted portions are no easier to recover without the key than a fully encrypted file would be. ScRansom also has an ERASE mode that overwrites file contents rather than encrypting them, leaving nothing for any key to restore; files hit in this mode are permanently lost. Victims who try to recover data with improvised tools rather than the correct decryptor and keys risk making the damage worse.
##### Decryption Challenges
Decryption is painful even for victims who pay. Each run of ScRansom produces its own decryption ID and key, so a single machine that was encrypted several times may need several keys, and a victim may have to obtain each one from the attackers, enter it manually and run the decryption tool once per key. The decryptor itself is immature: it can fail on individual files, and anything overwritten in ERASE mode or damaged by a flawed encryption run cannot be restored at all, so some data stays lost even after an otherwise successful decryption.
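Telling partially encrypted, fully encrypted and overwritten files apart matters during incident response, because it decides whether a file is worth waiting on a decryptor for at all. The Python script below is an added example written for this article, not code from the original page or from ESET. It triages a file by Shannon entropy in 4 KiB windows: a near-zero score means the window was filled with a constant (nothing to decrypt), a score close to 8 bits per byte means ciphertext (recovery needs the key), and anything in between is treated as plaintext. The window size, thresholds and sample files are constructed assumptions, and the heuristic is not tied to ScRansom's actual file layout; it also cannot distinguish ciphertext from compressed data, so verdicts on archives or media files need a second look.

```python
import math
import random
from collections import Counter

CHUNK = 4096            # assumed analysis window, not a ScRansom parameter
ERASED_MAX = 0.5        # bits/byte; a constant fill scores 0.0
ENCRYPTED_MIN = 7.5     # bits/byte; ciphertext (or compressed data) scores close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_chunk(data: bytes) -> str:
    """Label one window as 'erased', 'encrypted' or 'plaintext'."""
    e = shannon_entropy(data)
    if e <= ERASED_MAX:
        return "erased"
    if e >= ENCRYPTED_MIN:
        return "encrypted"
    return "plaintext"


def triage(data: bytes, chunk: int = CHUNK) -> dict:
    """Walk the file window by window and summarise what, if anything, is recoverable.

    Verdicts:
      erased               every window is a constant fill; no key can restore it
      fully_encrypted      every window is ciphertext; recovery needs the correct key
      partially_encrypted  some windows are ciphertext, the rest plaintext (partial mode)
      partially_erased     some windows were overwritten, the rest are intact
      plaintext            nothing looks encrypted or overwritten
    """
    offsets = range(0, len(data), chunk)
    labels = [classify_chunk(data[i:i + chunk]) for i in offsets]
    counts = Counter(labels)
    total = len(labels)
    if total and counts["erased"] == total:
        verdict = "erased"
    elif total and counts["encrypted"] == total:
        verdict = "fully_encrypted"
    elif counts["encrypted"]:
        verdict = "partially_encrypted"
    elif counts["erased"]:
        verdict = "partially_erased"
    else:
        verdict = "plaintext"
    plaintext_bytes = sum(len(data[i:i + chunk])
                          for i, lab in zip(offsets, labels) if lab == "plaintext")
    return {"verdict": verdict, "labels": labels, "plaintext_bytes": plaintext_bytes}


def build_samples() -> dict:
    """Constructed sample files standing in for a victim's documents (not real data)."""
    rng = random.Random(1234)  # deterministic stand-in for ciphertext
    ciphertext = bytes(rng.getrandbits(8) for _ in range(CHUNK))
    line = b"Invoice 2024-07: 12 units of part A-113 shipped to the Brno plant.\n"
    document = (line * 400)[: 3 * CHUNK]  # three windows of ordinary office text
    return {
        "untouched": document,
        "partial": ciphertext + document[CHUNK:],                 # only the first window encrypted
        "full": bytes(rng.getrandbits(8) for _ in range(3 * CHUNK)),
        "erased": b"\x00" * (3 * CHUNK),                          # constant fill, nothing to decrypt
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        r = triage(blob)
        print(f"{name:10s} {r['verdict']:20s} plaintext bytes: {r['plaintext_bytes']}")
```

Run over a directory of affected files, the `plaintext_bytes` figure tells you how much content partial encryption left behind and could be carved out before any decryptor arrives, while an `erased` verdict means the file should go on the restore-from-backup list immediately rather than waiting for keys.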
#### CosmicBeetle’s Exploitation Tactics
##### Vulnerability Exploitation
CosmicBeetle gains initial access by exploiting years-old vulnerabilities in public-facing applications rather than fresh zero-days. Vulnerabilities it has exploited include:
- **CVE-2017-0144 (EternalBlue)**: remote code execution in Microsoft's SMBv1 implementation, used against unpatched Windows hosts that still expose SMB.
- **CVE-2023-27532**: a flaw in a Veeam Backup & Replication component that lets an unauthenticated attacker obtain stored credentials from the backup server.
- **CVE-2021-42278 and CVE-2021-42287**: Active Directory privilege escalation bugs (sAMAccountName spoofing and a related KDC flaw) chained in the noPac attack to go from any domain user to domain administrator.
- **CVE-2022-42475**: a heap-based buffer overflow in FortiOS SSL-VPN that gives an unauthenticated attacker remote code execution on the appliance, and with it a foothold inside the network.
- **CVE-2020-1472 (Zerologon)**: a critical flaw in the Netlogon Remote Protocol that allows an unauthenticated attacker with network access to take over a domain controller.
##### Targeting SMBs
CosmicBeetle's victims are mostly SMBs in manufacturing, pharmaceuticals, legal services, education and healthcare, among other sectors. Such organizations are attractive because they often lack consistent patch management and still run older systems, which is exactly the condition the vulnerabilities above require. The spread of industries reflects an opportunistic approach: the group goes after whatever is easy to exploit rather than selecting high-value targets.
#### CosmicBeetle’s Use of Brute-Force Attacks and Tools
Besides exploiting vulnerabilities, CosmicBeetle frequently brute-forces its way into victim networks, targeting Remote Desktop Protocol (RDP) and SMB services exposed to the internet. Its toolkit includes custom-built components such as ScHackTool, ScInstaller and ScPatcher, which the group uses to brute-force credentials, install further components and deploy the ransomware once inside the network.
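Brute-force attempts against exposed RDP and SMB leave a loud trail in the Windows Security log: a burst of event 4625 (failed logon) from one source address, usually with logon type 10 (RemoteInteractive, i.e. RDP) or 3 (Network, which covers SMB), and, if a guess lands, a 4624 (successful logon) from the same address shortly after. The detection below is an added example written for this article, not taken from it or from any vendor product. It assumes the events have already been exported as dictionaries keyed by the Security log's own field names (`EventID`, `TimeCreated`, `IpAddress`, `TargetUserName`, `LogonType`); the sample events, threshold and window are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5          # failures from one source inside the window -> alert (assumed)
WINDOW = timedelta(minutes=2)  # assumed sliding window
LOGON_TYPE = {3: "Network (SMB etc.)", 10: "RemoteInteractive (RDP)"}

# Constructed events, not real telemetry. Field names follow the Windows Security log.
SAMPLE_EVENTS = [
    # one source hammering the administrator account over RDP, then getting in
    *[{"EventID": 4625, "TimeCreated": f"2024-06-14T02:10:{s:02d}", "IpAddress": "203.0.113.7",
       "TargetUserName": "administrator", "LogonType": 10} for s in (1, 7, 13, 19, 25, 31)],
    {"EventID": 4624, "TimeCreated": "2024-06-14T02:10:40", "IpAddress": "203.0.113.7",
     "TargetUserName": "administrator", "LogonType": 10},
    # one source trying many accounts once each over SMB (password spraying)
    *[{"EventID": 4625, "TimeCreated": f"2024-06-14T03:00:{s:02d}", "IpAddress": "192.0.2.9",
       "TargetUserName": u, "LogonType": 3}
      for s, u in zip((0, 5, 10, 15, 20), ("svc_backup", "jsmith", "it_admin", "veeam", "helpdesk"))],
    # a few scattered failures hours apart: below threshold, no alert
    *[{"EventID": 4625, "TimeCreated": t, "IpAddress": "198.51.100.22",
       "TargetUserName": "jsmith", "LogonType": 10}
      for t in ("2024-06-14T04:00:00", "2024-06-14T05:30:00", "2024-06-14T07:15:00")],
    # an employee mistyping a password once, then logging in: benign
    {"EventID": 4625, "TimeCreated": "2024-06-14T08:00:00", "IpAddress": "10.0.0.5",
     "TargetUserName": "mnovak", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2024-06-14T08:00:12", "IpAddress": "10.0.0.5",
     "TargetUserName": "mnovak", "LogonType": 10},
]


def detect_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Sliding-window count of 4625 failures per source IP.

    Emits one alert per source when it crosses the threshold (labelled
    'password_spray' if the failures span as many distinct accounts as there are
    failures, 'brute_force' otherwise) and a second, higher-severity alert if that
    source then produces a 4624 while its failures are still inside the window.
    """
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["TimeCreated"]))
    failures = defaultdict(deque)   # source IP -> (timestamp, account) of recent failures
    alerted = set()
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["TimeCreated"])
        ip = ev["IpAddress"]
        q = failures[ip]
        while q and ts - q[0][0] > window:   # drop failures that fell out of the window
            q.popleft()
        if ev["EventID"] == 4625:
            q.append((ts, ev["TargetUserName"]))
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                accounts = {acct for _, acct in q}
                alerts.append({
                    "severity": "medium",
                    "type": "password_spray" if len(accounts) >= threshold else "brute_force",
                    "ip": ip, "failures": len(q), "accounts": sorted(accounts),
                    "logon_type": LOGON_TYPE.get(ev["LogonType"], str(ev["LogonType"])),
                    "first": q[0][0].isoformat(), "last": ts.isoformat(),
                })
        elif ev["EventID"] == 4624 and ip in alerted and q:
            # a success right after a burst of failures: one of the guesses worked
            alerts.append({
                "severity": "high", "type": "success_after_failures", "ip": ip,
                "account": ev["TargetUserName"], "failures": len(q), "at": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The `success_after_failures` alert is the one to page on: a 4624 from an address that just produced a burst of 4625s is the moment an intruder has a foothold, and on a network facing an actor like CosmicBeetle that session should be killed and the account's credentials rotated before the follow-on tooling lands. Tune the threshold against your own baseline; an internet-facing RDP host sees enough background noise that a window of two minutes and five failures is a starting point, not a rule.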
#### RansomHub’s Growing Influence in the RaaS Market
##### Why RansomHub Matters
The rise of RansomHub marks a shift in the ransomware ecosystem: it gives newer crews the tooling and infrastructure they need to compete with established gangs such as LockBit and BlackCat. Under the RaaS model, even relatively inexperienced actors can run sophisticated attacks by leaning on the payload, leak site and playbooks of a more established criminal organization.
##### RansomHub’s Role in CosmicBeetle’s Success
If CosmicBeetle is indeed a RansomHub affiliate, the relationship gives it access to a more mature ransomware payload and supporting infrastructure than ScRansom offers, and likely additional resources to keep improving its own tooling and to expand into new regions and industries. That affiliation is still an inference from observed deployments rather than a confirmed partnership.
For victims, the outlook is grim either way. ScRansom's convoluted and flawed encryption makes decryption slow and unreliable, and a payload from an established RaaS platform would be no easier to recover from. As RansomHub's influence grows, organizations, SMBs in particular, need patching, credential hygiene and tested offline backups in place to blunt attacks from CosmicBeetle and affiliates like it.
#### Key Takeaways:
- CosmicBeetle has transitioned from using Scarab ransomware to its custom-built ScRansom ransomware.
- The group appears to have formed a recent affiliation with RansomHub, a growing RaaS platform.
- ScRansom’s encryption scheme is complex and prone to errors, making file recovery difficult.
- CosmicBeetle targets SMBs across various industries using brute-force attacks and exploitation of outdated vulnerabilities.
### References
- CVE-2017-0144 (EternalBlue), Microsoft Vulnerability Database
- ESET Telemetry Reports (2023-2024)
- MITRE ATT&CK Framework, Version 15